Despite increasing coverage of cases where personal information is stolen, often en masse from large companies, as well as new legislation attempting to limit how much personally identifying information (PII) companies collect to just what they actually need, I am still encountering places that are clearly asking for more than they need, and providing no information about how they will protect the information they collect.
Public Wi-Fi Logins
This one I see regularly because of its intersection with my job, but even without that I would have cause to question why I am being asked for some of the information that amenity Wi-Fi portals request. Of course, the companies running these portals are relying on the fact that most people will not even realize the risks and will blindly provide the information to get online.
In a meeting with a technology executive I was shocked to learn that this person had never considered giving a fake email address to the captive portals that often block access to the internet in Wi-Fi hotspots, or, for that matter, even a throwaway “spam” email address. If a person working in the tech space hadn’t thought to do that, how can we reasonably expect others to do so?
An email address is just the tip of the iceberg, however. Some portals ask for much, much more. Social media login has become a popular option and, until the furore surrounding the personal data stolen during the 2016 elections in the UK and US using a Facebook app, these portals could also have gained more information about a Wi-Fi user than perhaps that user realized. Even now, after the amount of “private data” made available to third party applications was restricted, providing your social media identity could give them access to a wealth of personal information just from the things you post or like publicly.
Just as bad in my mind are the portals that ask for a mobile phone number and insist on sending an access code via that number. While there are services that can provide a temporary mobile number for cases like this, even fewer people will think to use one.
There really is no reason at all why I should need to provide any of this information just to use the Wi-Fi in a coffee shop, supermarket or train.
GDPR
I was hoping that the recent introduction of the European GDPR would stop some of these portals overstepping their bounds, but it does not seem to have changed much. Some of the service companies behind these portals have provided GDPR portals allowing users to see the data being collected on them, and, in theory at least, delete it. Others have done nothing other than email out new privacy policy documents.
The most relevant clause, in my mind, is recital 39, which says (emphasis added by me):
The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
Since many amenity Wi-Fi networks work just fine without asking users for any personal data at all, it seems very clear that there is no need to ask a user for their mobile number, their social media identity or even their name. At the very least, doing so should be optional.
Driving License
Another common abuse I see is people asking not just to see a driving license, but to actually swipe it or scan it. A few years ago, our local school district asked to make a photocopy of my driving license, before we had even confirmed that our kid was going to be attending one of their schools (and, as it turns out, he did not end up going to one of their schools). I was not going to be driving for the school, and had they needed to verify I was who I said I was, they could have simply looked at it.
Other places have also been asking to scan or swipe my license, reading all the electronic content: everywhere from Target stores to our kids’ doctor’s office. When questioned about their policies for protecting this personal information, detecting breaches and notifying people, they often have nothing at all in place. The doctor’s office was even more confused: they pointed out that patient data is protected by HIPAA, which, while true, would not cover my driving license since I was not the patient.
Mandatory Surveys
Another one that I’ve noticed, both in amenity Wi-Fi locations and in other places, is (sometimes) innocuous-looking surveys that ask for personal information.
Most recently, we received one from a public school that was asking for information about housing as well as household financial information. None of that is required to provide elementary school education. We’re not applying for any kind of financial aid, so there really is no reason for them to have all this personal information. Even worse, it is being stored by a third party (Aeries Software in this case), and I can find no information about how secure their hosted service is. No evidence of any security audits or penetration testing. No information about how they detect intrusions, or even whether they can. No information about whether they can detect theft of data.
These surveys are marked as required in order to continue to the more important information contained in the portal. Since I refuse to complete them, right now the portal may contain inaccurate contact or medical information, but I have no way to even see that information.
Protect Your Information
Even the best protected servers in the world can be broken into. Large corporations have been broken into and had financial information stolen (typically credit card numbers which the attackers can sell in bulk on the black market, but other data is also of interest). While having your credit card number stolen is annoying, thanks to the protection offered by the banks behind them it should not be more than that (the same may not be true of debit cards – check with your bank). Having your identity stolen (think social security number, driving license number, passport number) is much harder to recover from, so be more protective of that data.
Not giving anybody data they do not need is the best way of limiting the risk that your data will be stolen. I hope most people will pause before giving out their SSN, but I suspect they do not pause as much when it comes to driving license or passport numbers.
If somewhere asks to keep a copy of your driving license, or passport, ask why they need to keep a copy, how long they will keep it and how they protect it. Have an alternative email you can provide to places that ask for an email address unnecessarily (for amenity Wi-Fi locations, I would recommend using something from Mailinator, but only do that for places that will not be emailing personal information as anybody can read what is sent there). Mailinator also has shared mobile numbers for places that want a mobile number (you can check for text messages on those numbers from their website, so they work well for places that SMS an access code).