Skip to content

Newspaper Column

PCPD in Media

"Privacy Risks of Public Wi-Fi and Public USB Charging"-- Privacy Commissioner's article contribution at Hong Kong Lawyer (April 2020)

Free public Wi-Fi will save mobile data usage for internet users; public USB charging station is undoubtedly a lifesaver for those whose mobile devices are out of battery. When you enjoy the convenience of free Wi-Fi and public charging service, are you fully aware of the potential risks to your personal data privacy?

Data security constitutes a significant part in Personal Data (Privacy) Ordinance (PDPO), and is underpinned by Data Protection Principle 4 (Data Security Principle) in Schedule 1 to the PDPO, which requires that data users should take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. While organisations and enterprises are statutorily required to ensure security of the personal data entrusted to them, data subjects themselves should be vigilant about the potential privacy risks associated with different information technology applications, in the same way as they would guard against loss of their other personal property.

The free public Wi-Fi is usually an open Wi-Fi network allowing the general public to establish internet connection conveniently without authentication. In other words, anyone including malicious hackers could access the same unencrypted Wi-Fi network, posing risks to personal data security of the Wi-Fi users.

The privacy risks of public Wi-Fi

A common type of security risk is known as evil twin. As a form of cyber-attack, a ‘fake’ and malicious Wi-Fi hotspot that appears to be a genuine and legitimate access point is created by cybercriminals to lure Wi-Fi users to connect their electronic devices to the counterfeit Wi-Fi hotspot. As a result, cybercriminals can access Wi-Fi users’ internet traffic, intercept their communication information such as text messages or emails etc., and steal their personal information. For example, hackers can set up a counterfeit Wi-Fi network on the beach adjacent to a hotel with a name similar to the Wi-Fi network provided by the hotel. Once you connect to the counterfeit Wi-Fi access point, your data can be read, stolen or manipulated.

Without encrypted Wi-Fi networks, personal information sent between users’ mobile devices and the Wi-Fi routers is no longer transmitted in the form of “secret code”. Other users in the same Wi-Fi network may intercept your communication information. An insecure Wi-Fi hotspot may also serve as a medium for cybercriminals to distribute malwares or allow virus or worms travelling from other infected devices to users’ portable devices. Cybercriminals could then capture Wi-Fi users’ sensitive data such as contacts, passwords and personal account information etc., and even lock the portable device, leading to a system crash.

Practical tips for using public Wi-Fi

Although public Wi-Fi is not as secure as a private (home) one, the precautions below could improve personal data security when connecting to public Wi-Fi hotspots: -

  • check to ensure the authenticity of the public Wi-Fi;
  • turn off Wi-Fi service when it is not in use;
  • “forget” public Wi-Fi after use to avoid future automatic connection;
  • use a Virtual Private Network (VPN) to prevent hackers from reading or accessing any data by creating a privacy network through encrypting traffic between the mobile devices and the internet;
  • use a Secure Sockets Layer (https://) when accessing websites so that sensitive information such as e-banking accounts, emails and social networking accounts etc. could be encrypted without being intercepted;
  • ensure that mobile phones or other portable devices are protected by firewall and anti-malware software;
  • apply available software updates to mobile or other portable devices to address security vulnerabilities; and
  • avoid transmitting sensitive personal data via public Wi-Fi.

We also see a growing number of public USB charging stations available in public places such as airports, railway stations, shopping malls and cafes. Some of these charging services can also be acquired upon payment of a fee. However, users of public USB charging ports or services should be aware of the risk of “juice jacking” when charging their mobile phones.

The privacy risks of public USB charging

“Juice jacking” is a form of cyber-attack whereby a hacker sets up fake charging kiosks in public venues to initiate attacks to mobile devices. There are two common types of “juice jacking”. The first type is known as “data theft”, which involves stealing sensitive data from mobile devices via fake charging kiosks. The second type refers to malware installation - kiosks would be programmed to install malwares onto the connected mobile devices for collecting different types of personal data continuously and even gaining control of the mobile devices remotely after disconnection.

Practical tips for using public charging

To protect mobile devices, and eventually personal data stored in the devices, from “juice jacking”, there are some practical tips that users of public charging may adopt: -

  • verify the power source and charge the mobile devices by using an AC power outlet directly (as opposed to USB);
  • bring your own charging-only cables to prevent data transmission from or to the public charging stations; and
  • use your own portable power banks instead of charging mobile devices through public charging stations.

As we enjoy the convenience brought about by “smart” initiatives to our daily lives, it is vital to be vigilant about our own data privacy and the potential privacy risks, which could lead to misuse of your personal data for committing illegal acts such as fraud.