arxiv: 1907.02142 · v1 · pith:B4XRPYHOnew · submitted 2019-07-03 · 💻 cs.CR · cs.CY

On Privacy Risks of Public WiFi Captive Portals

Pith reviewed 2026-05-25 09:45 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords public wifi · captive portals · privacy · web tracking · cookies · social login · data collection

The pith

Public WiFi captive portals collect personal data and install tracking cookies that last for years.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper measures the behavior of captive portals at 67 public WiFi hotspots. It shows that many portals gather names, emails, and other details through Facebook or Google logins and registration forms. Persistent third-party cookies are placed on most sites, allowing continued tracking of browsing activity long after the user disconnects. Some portals also send user and device data to external domains, at times over unencrypted links and before any privacy policy is accepted.

Core claim

Measurement of 67 unique public WiFi hotspots reveals that captive portals collect privacy-sensitive personal data via social login and registration forms, deploy persistent third-party tracking cookies capable of following users for up to 20 years, and in several cases share collected information with third-party domains, sometimes before users accept the hotspot's terms.

What carries the argument

Examination of data flows, cookies, and third-party domains loaded by captive portal landing pages.

If this is right

  • Most hotspots place persistent third-party tracking cookies on visitors.
  • These cookies can be used to follow browsing behavior for years after the user leaves the network.
  • Several hotspots transmit personal and device identifiers to third-party domains, sometimes over HTTP.
  • Tracking and data collection can begin before users accept any privacy or terms-of-service policies.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same tracking domains may link activity across multiple unrelated hotspots.
  • Users who avoid social logins on portals may still face device-level tracking via cookies.
  • The findings suggest public WiFi operators could reduce exposure by limiting third-party scripts before consent.

Load-bearing premise

The 67 Montreal hotspots are representative of public WiFi networks in general.

What would settle it

A study of a similar number of public WiFi hotspots that finds no persistent third-party cookies or personal data collection through social logins would falsify the central claim.

Figures

Figures reproduced from arXiv: 1907.02142 by Amr Youssef, Mohammad Mannan, Suzan Ali, Tousif Osman.

Figure 1: CPInspector components. Capturing traffic. We use Wireshark [47] to capture all traffic between the instrumented browser and the hotspot access point. We filter out traffic generated by normal activities such as anti-virus scanning and Windows updates. Moreover, since some captive portals adopt TLS for communication, we rely on the SSLKEYLOGFILE [20] to decrypt the TLS traffic; we then use Tshark [46] to e…

Figure 2: We noticed that the hotspots that use the same third-party captive portal

Figure 2: Unique number of third-parties on captive portals (top 20). For example, Hvmans Cafe hosts a total of 34 tracking domains, including 7 known trackers. Note that for all reported tracking/domain statistics, we accumulate the distinct trackers as observed in all the datasets collected for a given hotspot. For list of evaluated hotspots see

Figure 3: Unique number of third-parties on landing pages (top 20). (25.4%) hotspots for less than 6 months. Place Montreal Trust saves the user’s full name in a first-party cookie valid for five years; this cookie is transmitted via HTTP. Finally, we analyzed hotspots that create persistent cookies before explicit consent from the user, we found 26 (38.8%) hotspots create cookies that are valid for periods varying f…

Figure 4: Number of third-party cookies on captive portals (top 20). Note that for all reported cookies/domain statistics, we accumulate the distinct cookies as observed in all the datasets collected for a given hotspot. Axis: Unique # Cookies. Legend: Duration < 180 days; Duration between 180 days and 5 years; Duration > 5 years.

Figure 5: Number of first-party cookies on captive portals (top 20). ple ten-year valid first-party cookies, but their names suggest a relationship with Optimizely [32]. Indeed, JavaScript from optimizely.com creates these cookies, although Optimizely states that they do not create third-party cookies [33]. We also analyzed the first-party cookies on landing pages; see

Figure 6: Unique number of fingerprinting APIs on captive portals (top 20). Note that for all fingerprinting statistics, we accumulate the distinct APIs as observed in all the datasets collected for a given hotspot. 4.3 Device and Browser Fingerprinting. We analyzed fingerprinting attempts in captive portals and landing pages. We use Don’t FingerPrint Me (DFPM [22]) for detecting known fingerprinting techniques, inc…

Figure 7: Unique number of fingerprinting APIs on landing pages (top 20). Home Depot host the same JavaScript that collects 42 attributes, including 34 Navigator, six Screen, and two Canvas APIs. Laura has a script from PerimeterX that collects 27 attributes, including 21 Navigator and 6 Screen APIs; manual analysis of the source code reveals WebGL and Canvas fingerprinting. 5 CPInspector on Android. In contrast to Wi…

Figure 8: Number of cookies stored on the Android captive portal app

Figure 9: Number of third-party cookies on landing pages (top 20)

Figure 10: Number of first-party cookies on landing pages (top 20)

Original abstract

Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shopping malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user/device information with third-parties, through the use of trackers in their captive portal and landing websites. In this paper, we present a comprehensive privacy analysis of 67 unique public WiFi hotspots located in Montreal, Canada, and shed some light on the web tracking and data collection behaviors of these hotspots. Our study reveals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot's privacy and terms of service policies. Most hotspots use persistent third-party tracking cookies within their captive portal site; these cookies can be used to follow the user's browsing behavior long after the user leaves the hotspots, e.g., up to 20 years. Additionally, several hotspots explicitly share (sometimes via HTTP) the collected personal and unique device information with many third-party tracking domains.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper reports results from a measurement study of 67 public WiFi captive portals in Montreal, documenting collection of personal data via social logins (e.g., Facebook/Google) and registration forms, tracking activities before policy acceptance, widespread use of persistent third-party cookies (with lifetimes up to 20 years), and explicit sharing of user/device data with third-party domains, sometimes over HTTP.

Significance. If the measurements are reproducible and the attribution to portals is clean, the work supplies concrete empirical evidence of privacy risks in everyday public WiFi infrastructure. Such observational data can inform users, operators, and policy discussions; the direct measurement approach (rather than modeling) is a positive feature.

major comments (3)
  1. §3 (Measurement Methodology): The paper provides no description of browser isolation, clean profiles, network capture filters, or exclusion rules used to attribute observed forms, cookies, and data flows specifically to the captive portal pages rather than the measurement device, extensions, prior state, or concurrent traffic. This attribution step is load-bearing for all prevalence claims.
  2. §2 (Hotspot Selection and Dataset): No selection criteria, sampling frame, or comparison to a broader population of public WiFi hotspots is given for the 67 Montreal sites. Without this, the representativeness assumption required to generalize the reported rates of social login use, pre-acceptance tracking, and third-party cookie persistence cannot be evaluated.
  3. Results section (cookie lifetime analysis): The claim that cookies 'can be used to follow the user's browsing behavior long after the user leaves the hotspots, e.g., up to 20 years' is presented without the raw expiration-date extraction method, confirmation that the domains are third-party trackers set by the portal, or handling of session vs. persistent classification.
minor comments (2)
  1. Abstract: The phrasing 'most hotspots' and 'several hotspots' would benefit from the exact counts or percentages from the 67-site dataset for precision.
  2. Throughout: Some tables or figures summarizing tracker domains and data-sharing endpoints lack legends clarifying whether entries reflect first-party or third-party origins.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback on our measurement study. We address each major comment below and will revise the manuscript accordingly to improve methodological transparency and analysis details.

Point-by-point responses
  1. Referee: §3 (Measurement Methodology): The paper provides no description of browser isolation, clean profiles, network capture filters, or exclusion rules used to attribute observed forms, cookies, and data flows specifically to the captive portal pages rather than the measurement device, extensions, prior state, or concurrent traffic. This attribution step is load-bearing for all prevalence claims.

    Authors: We agree that the current manuscript lacks sufficient detail on the measurement environment and attribution process. In the revised version, Section 3 will be expanded to describe the use of fresh browser profiles with no extensions or prior state, the network monitoring tools applied, and the specific rules (e.g., domain matching and timing) used to attribute traffic, forms, and cookies to the captive portal pages. revision: yes

  2. Referee: §2 (Hotspot Selection and Dataset): No selection criteria, sampling frame, or comparison to a broader population of public WiFi hotspots is given for the 67 Montreal sites. Without this, the representativeness assumption required to generalize the reported rates of social login use, pre-acceptance tracking, and third-party cookie persistence cannot be evaluated.

    Authors: The 67 sites represent a convenience sample of accessible public WiFi locations visited in Montreal. We will add an explicit description of the selection approach (public venues such as cafes, libraries, and transit areas) and a limitations paragraph noting that the sample is not statistically representative of all hotspots in Montreal or elsewhere. No broader population data was collected, so formal sampling-frame comparisons cannot be added. revision: partial

  3. Referee: Results section (cookie lifetime analysis): The claim that cookies 'can be used to follow the user's browsing behavior long after the user leaves the hotspots, e.g., up to 20 years' is presented without the raw expiration-date extraction method, confirmation that the domains are third-party trackers set by the portal, or handling of session vs. persistent classification.

    Authors: Cookie expiration values were parsed directly from Set-Cookie response headers observed during portal visits. The revised results section will document the extraction procedure, confirm third-party status by comparing cookie domains against each portal's primary domain, and state the classification rule (persistent if the expiration date or Max-Age exceeds one day). The 20-year maximum is taken from the longest observed expiration in the collected data. revision: yes
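
The classification rule stated in response 3 (parse Set-Cookie headers, compare the cookie domain with the portal's primary domain, treat a cookie as persistent when its Expires or Max-Age lifetime exceeds one day), written out as an added example; it is not code from the paper or from CPInspector. The function names, the `.example` hosts and the header values are constructed, and `site()` is a naive last-two-labels stand-in for a Public Suffix List lookup.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ONE_DAY = 86400  # stated rule: persistent if the lifetime exceeds one day

def site(host):
    """Naive registrable domain (last two labels). Assumption: a real
    measurement would consult the Public Suffix List instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lifetime_seconds(attrs, observed_at):
    """Cookie lifetime in seconds, or None for a session cookie."""
    if re.fullmatch(r"-?\d+", attrs.get("max-age", "")):
        return int(attrs["max-age"])      # Max-Age takes precedence (RFC 6265)
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None                   # unparseable date: treat as session
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - observed_at).total_seconds())
    return None

def classify(request_host, header, portal_host, observed_at):
    """Classify one Set-Cookie header seen in a response from request_host."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Without a Domain attribute the cookie is scoped to the responding host.
    domain = attrs.get("domain", "").lstrip(".") or request_host
    life = lifetime_seconds(attrs, observed_at)
    return {
        "name": first.partition("=")[0],
        "domain": domain,
        "third_party": site(domain) != site(portal_host),
        "persistent": life is not None and life > ONE_DAY,
        "lifetime_days": None if life is None else life // ONE_DAY,
    }

def classify_all(samples, portal_host, observed_at):
    return [classify(h, c, portal_host, observed_at) for h, c in samples]

def longest_third_party_days(results):
    """Longest lifetime among persistent third-party cookies (0 if none)."""
    days = [r["lifetime_days"] for r in results
            if r["third_party"] and r["persistent"]]
    return max(days, default=0)

# Constructed observations: (responding host, Set-Cookie header value).
PORTAL = "wifi.portal.example"
OBSERVED_AT = datetime(2019, 7, 3, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = [
    ("wifi.portal.example", "sid=abc123; Path=/; HttpOnly"),
    ("wifi.portal.example",
     "visitor=u-1; Domain=.portal.example; Max-Age=157680000; Path=/"),
    ("t.tracker.example",
     "uid=9f2; Domain=tracker.example; Expires=Sun, 03 Jul 2039 12:00:00 GMT"),
    ("cdn.tracker.example", "tmp=1; Max-Age=3600"),
]

if __name__ == "__main__":
    for row in classify_all(SAMPLES, PORTAL, OBSERVED_AT):
        print(row)
```
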

Circularity Check

0 steps flagged

Empirical measurement study with no derivation chain

This paper is a direct empirical measurement study of 67 Montreal WiFi hotspots, reporting observed trackers, cookies, social logins, and data flows from captive portals. It contains no equations, first-principles derivations, predictions, fitted parameters, or self-citation chains that could reduce to inputs by construction. All load-bearing claims rest on raw observations rather than any of the enumerated circularity patterns (self-definitional, fitted-input-as-prediction, uniqueness theorems, etc.). External validity questions about sample representativeness are separate from circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is an empirical measurement study. No mathematical derivations, fitted parameters, or new postulated entities are introduced.

pith-pipeline@v0.9.0 · 5743 in / 1145 out tokens · 25051 ms · 2026-05-25T09:45:22.370751+00:00 · methodology

Reference graph

Works this paper leans on

47 extracted references · 47 canonical work pages

  [1] Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., Preneel, B.: FPDetective: Dusting the web for fingerprinters. In: ACM CCS’13. Berlin, Germany (Nov 2013)
  [2] Adobe.com: Adobe experience cloud: Device Co-op privacy control, https://cross-device-privacy.adobe.com
  [3] Binns, R., Zhao, J., Kleek, M.V., Shadbolt, N.: Measuring third-party tracker power across web and mobile. ACM Transaction on Internet Technology 18(4), 52:1–52:22 (Aug 2018)
  [4] Brookman, J., Rouge, P., Alva, A., Yeung, C.: Cross-device tracking: Measurement and disclosures. In: Proceedings on Privacy Enhancing Technologies (PETS). Minneapolis, MN, USA (Jul 2017)
  [5] Bujlow, T., Carela-Español, V., Sole-Pareta, J., Barlet-Ros, P.: A survey on web tracking: Mechanisms, implications, and defenses. Proceedings of the IEEE 105(8), 1476–1510 (2017)
  [6] Buysellads: https://www.buysellads.com
  [7] Cheng, N., Wang, X.O., Cheng, W., Mohapatra, P., Seneviratne, A.: Characterizing privacy leakage of public wifi networks for users on travel. In: 2013 Proceedings IEEE INFOCOM. Turin, Italy (Apr 2013)
  [8] Crunchbase: https://about.crunchbase.com
  [9] Datavalet.com: Datavalet managed WiFi solutions, https://datavalet.com
  [10] EasyList: https://easylist.to
  [11] Eckersley, P.: How unique is your web browser? In: International Symposium on Privacy Enhancing Technologies Symposium (2010)
  [12] EFF.org: Privacy badger, https://www.eff.org/privacybadger
  [13] Elifantiev, O.: NodeJS module to compare two DOM-trees, https://github.com/Olegas/dom-compare
  [14] Englehardt, S., Narayanan, A.: Online tracking: A 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vienna, Austria (Oct 2016)
  [15] Eyeo GmbH: Adblock Plus, https://adblockplus.org
  [16] Gómez-Boix, A., Laperdrix, P., Baudry, B.: Hiding in the crowd: an analysis of the effectiveness of browser fingerprinting at large scale. In: TheWebConf (WWW’18). Lyon, France (Apr 2018)
  [17] Google: HTTPS encryption on the web, https://transparencyreport.google.com/https/overview?hl=en
  [18] Google.com: Google AdSense, https://www.google.com/adsense/start
  [19] Google.com: Google Tag Manager, https://tagmanager.google.com
  [20] Harris, G.: Secure Socket Layer (SSL), wiki post (Dec 20, 2018). https://wiki.wireshark.org/SSL
  [21] Hoovers: http://www.hoovers.com
  [22] Klafter, R.: Don’t FingerPrint Me, https://github.com/freethenation/DFPM
  [23] Klasnja, P., Consolvo, S., Jung, J., Greenstein, B.M., LeGrand, L., Powledge, P., Wetherall, D.: When I am on Wi-Fi, I am fearless: privacy concerns & practices in everyday Wi-Fi use. In: SIGCHI’09. Boston, MA, USA (Apr 2009)
  [24] Klein, A., Pinkas, B.: DNS cache-based user tracking. In: Network and Distributed System Security Symposium (NDSS’19). San Diego, CA, USA (Feb 2019)
  [25] Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In: IEEE Symposium on Security and Privacy (SP). San Jose, CA, USA (2016)
  [26] Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczyński, M., Joosen, W.: Tranco: A research-oriented top sites ranking hardened against manipulation. In: NDSS’19. San Diego, CA, USA (Feb 2019)
  [27] Medium.com: My hotel WiFi injects ads. does yours?, news article (Mar. 25, 2016). https://medium.com/@nicklum/my-hotel-WiFi-injects-ads-does-yours-6356710fa180
  [28] Microsoft.com: Basic profile fields, online documentation (Feb. 13, 2019). https://docs.microsoft.com/en-us/linkedin/shared/references/v2/profile/basic-profile
  [29] Mowery, K., Shacham, H.: Pixel perfect: Fingerprinting canvas in HTML5. Proceedings of W2SP pp. 1–12 (2012)
  [30] Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In: 2013 IEEE Symposium on Security and Privacy. Berkeley, CA, USA (May 2013)
  [31] Olejnik, L., Acar, G., Castelluccia, C., Diaz, C.: The leaking battery. In: Data Privacy Management, and Security Assurance, pp. 254–263. Springer (2015)
  [32] Optimizely: https://www.optimizely.com/
  [33] Optimizely: Guidelines of cookies and localstorage in the Optimizely snippet, technical article (Mar. 20, 2019). https://help.optimizely.com/Set_Up_Optimizely/Cookies_and_localStorage_in_the_Optimizely_snippet
  [34] PANOPTICLICK: Panopticlick website, https://panopticlick.eff.org/
  [35] PCWorld.com: Comcast’s open WiFi hotspots inject ads into your browser, news article (Sep. 09, 2014). https://www.pcworld.com/article/2604422/comcasts-open-wi-fi-hotspots-inject-ads-into-your-browser.html
  [36] Pypi.org: Python WHOIS library, version: 0.7. https://pypi.org/project/whois
  [37] Reis, C., Gribble, S.D., Kohno, T., Weaver, N.C.: Detecting in-flight page changes with web tripwires. In: NSDI’08. San Francisco, CA, USA (2008)
  [38] Sanchez-Rola, I., Santos, I., Balzarotti, D.: Clock around the clock: Time-based device fingerprinting. In: ACM CCS’18. Toronto, Canada (Oct 2018)
  [39] Seleniumhq.org: Selenium automates browsers, https://www.seleniumhq.org
  [40] Sombatruang, N., Kadobayashi, Y., Sasse, M.A., Baddeley, M., Miyamoto, D.: The continued risks of unsecured public WiFi and why users keep using it: Evidence from Japan. In: Privacy, Security and Trust (PST’18). Belfast, UK (Aug 2018)
  [41] Symantec: Norton WiFi risk report: Summary of global results, tech report (May 5, 2017). https://www.symantec.com/content/dam/symantec/docs/reports/2017-norton-wifi-risk-report-global-results-summary-en.pdf
  [42] Taboola: Content discovery and native advertising platform, Taboola.com
  [43] Tsirantonakis, G., Ilia, P., Ioannidis, S., Athanasopoulos, E., Polychronakis, M.: A large-scale analysis of content modification by open HTTP proxies. In: Network and Distributed System Security Symposium (NDSS’18) (2018)
  [44] Valve: Fingerprintjs by Valve, https://valve.github.io/fingerprintjs/
  [45] Webpolicy.org: AT&T hotspots: Now with advertising injection, news article (Aug. 25, 2015) http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection
  [46] Wireshark.org: Tshark - Dump and Analyze Network Traffic, online documentation (Mar. 2019). https://www.wireshark.org/docs/man-pages/tshark.html
  [47] Wireshark.org: Wireshark network analyzer, https://www.wireshark.org

Appendix

Table 3. Sample of variations of the same third-party domain.

Third-Party Request-URL: https://www.google-analytics.com/r/collect?v=&v=&a=&t=&s=1&dl=&ul=&de=&dt=&sd=&sr=&vp=&je=&u=&jid=&gjid=&cid=&tid=&gid=&r=1&gtm=&cd1=&cd64=&cd65=&did=&z=
Blacklisted: Yes

h...