“When I am on Wi-Fi, I am Fearless:” Privacy Concerns & Practices in Everyday Wi-Fi Use

Predrag Klasnja¹, Sunny Consolvo², Jaeyeon Jung², Benjamin M. Greenstein², Louis LeGrand², Pauline Powledge², & David Wetherall²

¹ Information School & DUB Group, University of Washington, Seattle, WA 98195, USA
klasnja@u.washington.edu

² Intel Research Seattle, Seattle, WA 98105, USA
[sunny.consolvo, jaeyeon.jung, benjamin.m.greenstein, louis.l.legrand, pauline.s.powledge, david.wetherall]@intel.com

ABSTRACT

Increasingly, users access online services such as email, e-commerce, and social networking sites via 802.11-based wireless networks. As they do so, they expose a range of personal information such as their names, email addresses, and ZIP codes to anyone within broadcast range of the network. This paper presents results from an exploratory study that examined how users from the general public understand Wi-Fi, what their concerns are related to Wi-Fi use, and which practices they follow to counter perceived threats. Our results reveal that while users understand the practical details of Wi-Fi use reasonably well, they lack understanding of important privacy risks. In addition, users employ incomplete protective practices which results in a false sense of security and lack of concern while on Wi-Fi. Based on our results, we outline opportunities for technology to help address these problems.

Author Keywords

Privacy, security, Wi-Fi, wireless networks, user study.

ACM Classification Keywords

H.5.2 User Interfaces; K.4.0 (Computers and Society): General; H.1.2 Software Psychology

INTRODUCTION

Hundreds of millions of people use the Web for work, to look for information and romance, to connect with friends and family, to shop, and to bank. Applications like to-do lists and word processors, which were traditionally standalone, now have popular online counterparts that enable users to access them from anywhere.
Scores of new online services, such as social networking sites, have revolutionized how people stay in touch. Facebook, for example, has over 60 million active users and 65 billion page views per month [17].

Increasingly, when people go online, they do so wirelessly. With the proliferation of 802.11-based wireless networks (Wi-Fi), people can access the Internet from offices, cafés, hotels, airports, and even laundromats. Wigle.net, an online database of user-reported wireless networks, lists over 16 million networks worldwide [1], and that is likely a small fraction of the total number of Wi-Fi networks in use.

The trend toward doing more on wireless networks, however, comes at the price of diminished privacy [2]. First, to receive service, Web sites often require the user to provide personal data such as her name, age, ZIP code, or personal preferences. Many sites share this information with advertisers and other third parties. Additionally, as a recent study found, many services transmit such personal information without encryption (i.e., “in the clear”) [13]. A majority of the large Web-based email services, for example, encrypt the login process, but not the contents of email messages. Anyone along the path between the user and the service’s data center could intercept this information, opening users to privacy and security risks.

Second, the broadcast nature of Wi-Fi means that anyone within range of the network can receive and potentially read transmissions intended for any other device on the network. In addition, since anyone can set up a Wi-Fi network and name it whatever she wants, this raises the possibility of malicious access points spoofing legitimate services (e.g., “T-Mobile Hotspot”) which can capture all transmissions from unsuspecting users who connect to them.

Combining these factors—accessing online services over Wi-Fi—magnifies the risks.
Transmissions of unencrypted personal information become visible to anyone within range of the network, making it much easier to track users, aggregate information over time, and possibly engage in identity theft. While standard Wi-Fi security mechanisms such as WEP and WPA help, Wigle reports that less than half of the Wi-Fi networks in their database use any kind of encryption [1]. Even these security systems can be bypassed, allowing eavesdropping of users’ transmissions.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CHI 2009, April 4–9, 2009, Boston, MA, USA.
Copyright 2009 ACM 978-1-60558-246-7/08/04…$5.00