Evan Schuman: The data dangers of free public Wi-Fi

New York City is asking vendors to take over the city’s almost-universally abandoned pay phones (a transparent, glass-enclosed structure on street corners was probably never a good choice for Superman’s changing room anyway) and use them to deliver free Wi-Fi to residents. What’s not to love?

The problem is that among the 60 vendors that attended a meeting with the hope of offering such a service were data brokers, including a funky company called Google.

In terms of who may do this deal, things are quite preliminary. No one has yet bid, and the city is likely to take some time reviewing and negotiating before a winner is selected. But it’s not too soon to note some problems, such as the criteria the city has set and the stunningly little regard shown for information security and privacy. In a 69-page request for proposals (RFP), plus 15 lengthy addenda, there is not one mention of privacy or security limitations.

Now, a network of some 7,302 pay phones turned into Wi-Fi stations, connecting into free data communication for all, is an inherently good thing. Such an effort would be extremely attractive, convenient — and deadly to confidential communications and intellectual property. And the more it’s seen as free and convenient, the more your employees will be tempted to use it and the more vulnerable your data becomes.

Let’s look at what the city is proposing, based on its RFP. “The installation, operation, and maintenance of as many as 10,000 Public Communications Structures providing advertising, Wi-Fi, and phone services in all five boroughs,” it says. It goes on, “The Wi-Fi service must be provided 24 hours a day, 7 days a week and must provide a signal strong enough to reach a minimum of 85 feet across a busy street. The Wi-Fi hotspots should work together as a network. A user should be able to log in once and stay connected while within 85 feet of any hotspot. The user’s device should be allowed to automatically re-connect after a connection has been severed and the user comes within the range of one of the network’s hotspots.”

This is not limited to pay phone Wi-Fi stations. The city has spoken of integrating these systems with existing Wi-Fi systems that are associated with taxis, subways and New York’s Citi Bike program (https://www.citibikenyc.com/).

So far, so good. The proposal stresses that the service must be free to everyone, and it provides restrictions on what services can be sold via that network and that no one can be required to be a customer of any vendor to use the network.

But there are no restrictions about how data can be used. The Wi-Fi vendor will know where our phones are, what they are being used for, when we are doing them and potentially the content of unprotected transmissions. (Note to IT departments: If you’re not requiring a VPN for all mobile business communications, now is a good time to rethink that decision. That said, even a VPN won’t hide your people’s travels via geolocation data.)

If a vendor is interested in advertising and selling personal/business information, what better opportunity could there be than to be the on-the-street Wi-Fi provider in the nation’s largest city? As Bloomberg has reported, Google “already provides wireless access in Mountain View and New York’s Chelsea neighborhood.”

In the city’s own Q&A, it asked, “Will the City permit the awarded proposer to do data mining and push advertising from the Wi-Fi while sharing the revenue with the city?” and then it answered, “We will consider proposals in that regard.”

Ah, the always-beloved revenue sharing. Far from being inclined to protect users’ data and information, the Big Apple is thinking of how it could let players data-mine away and then get a cut of the money.

From the city’s perspective, allowing data mining is almost risk-free. With information capture and analytics happening in so many places today, it would be almost impossible to trace the loss of business information to a city Wi-Fi incident.

(Apple, by the way, is offering a very different way of handling MAC address signals in iOS 8, one that might slightly lessen the security risk of such public Wi-Fi networks, but only for iOS devices that are properly using the new security function.)

That is why it is critical for IT leaders to take a stand now. Do not for a moment think that if this works in NYC it won’t quickly be mimicked by every other major U.S. city. European and Canadian elected officials are much better at protecting the private data of their citizens and businesses, but in the U.S., it’s up to business leaders to insist on limits.

You could issue orders that employees should only use the company’s Wi-Fi, but why go out of your way to again prove the remarkable limits of your power? Your only viable option is to try and protect your company’s data as much as you can. The best way to do that right now is to get your people to lobby cities that they must insist on data protections — with extremely serious consequences, something that will far outweigh the lucrative financial gains of harvesting the data anyway — before these plans are launched. There’s time to do it. Data brokers are praying that you won’t bother.

Evan Schuman has covered IT issues for a lot longer than he’ll ever admit. The founding editor of retail technology site StorefrontBacktalk, he’s been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.

Read more about network security in Computerworld’s Network Security Topic Center.