1

““When I am on Wi-Fi, When I am on Wi-Fi, I am Fearless:”I am Fearless:”

Privacy Concerns & Practices in Everyday Wi-Fi Use

Predrag Klasnja, Sunny Consolvo, Jaeyeon Jung, Benjamin M. Greenstein,

Louis LeGrand, Pauline Powledge, & David Wetherall

Information School & DUB Group, Intel Research Seattle

Presented by PierreElie Fauché

KAIST, CS540 May 14, 2009

2

OutlineOutline

Introduction

Exploratory study

Results

Discussion

3

IntroductionIntroduction

4

Use of Internet todayUse of Internet today

Hundreds of millions of people

Work, look for information, shopping, communicate with friends & family, romance

Standalone applications have their online counterparts

Social networks

5

Access to the Internet Access to the Internet todaytoday

Proliferation of 802.11 wireless networks

- offices, cafés, hotels, airports, homes, streets

- Wigle.net: about 17 million hot-spots

Proliferation of Wi-Fi capable devices

- notebooks, netbooks, UMPCs, smartphones, game consoles...

6

Wi-Fi has a cost: Wi-Fi has a cost: privacyprivacy

Many services transmit personal data without encryption

Broadcast nature of Wi-Fi technology: information is visible to everyone

Solutions to secure Wi-Fi (WEP, WPA) are not widely used and not 100% reliable

Hot-spot spoofing

Tracking user, information aggregation, identity theft

7

Purpose of the studyPurpose of the study

Understand...

- how aware people are of possible risks

- measures they take to protect themselves

8

OutlineOutline

Introduction

Exploratory study

Results

Discussion

9

Exploratory studyExploratory study

10

ProceduresProcedures

Three components:

- initial in-person session

- 4 weeks of Wi-Fi use

- final in-person session

11

Initial in-person Initial in-person sessionsession

Background questionnaire about basic Internet uses- where? when? what activities? wireless at

home?

Diagrams: how well they understand Wi-Fi- 2 diagrams to point out differences between

two common internet tasks: Google search and bank account checking

- 1 diagram about Wi-Fi network boundaries

Installation of study software- Requires personal information

Procedures

12

4 weeks of Wi-Fi use4 weeks of Wi-Fi useParticipants use their laptops as they were used to

While on the Internet, they fill in experience sampling questionnaires- where are you? what are you doing? is it

important?

Study software...- logged details about used applications,

online activities and wireless networks used- inspect wether any personal data is

transmitted in the clear

Procedures

13

Final in-person sessionFinal in-person sessionLast interview covered topics avoided in the initial session- risks associated to Wi-Fi use (network

snooping, malicious APs...)- concerns about using Wi-Fi- how they chose which network to connect to

Confrontation with security leaks- personal data sent unencrypted; on which

sites, how frequently- were participants aware of such possible leaks?

How do they feel?

Procedures

14

ParticipantsParticipants

11 frequent Wi-Fi users, from 19 to 63 years-old

Must not have special technology knowledge

Represented various professions, with various levels of education

All used Wi-Fi at home and most used it at work

15

AnalysisAnalysis

This study focuses on interviews and diagrams to analyse:- participants’ privacy and security concerns- understanding of privacy and security risks

associated with Wi-Fi- strategies employed to protect themselves

Logging data was analyzed for first order statistics

16

OutlineOutline

Introduction

Exploratory study

Results

Discussion

17

ResultsResults

18

Overview of Wi-Fi useOverview of Wi-Fi use

Participants engaged in various online activities using a wide range of online applications

Connected to multiple, often unencrypted networks

All participants went to their most frequently visited web sites from nearly all networks

19

Application TypesApplication TypesOverview of Wi-Fi use

20

Encryption of Encryption of networksnetworks

Overview of Wi-Fi use

21

Participants connected to networks sometimes already used many other users

Open Wi-Fi networksOpen Wi-Fi networksOverview of Wi-Fi use

22

Understanding of Wi-FiUnderstanding of Wi-Fi

Participants’ understanding of Wi-Fi analyzed with interviews and diagrams

Good understanding of how to use Wi-Fi,

But very limited comprehension of how it works and its inherent threats

23

How to use?How to use?

Participants are frequent Wi-Fi users, therefore they have a quite good practical knowledge

They are aware of factors affecting Wi-Fi such as netword’s range, signal strength and signal propagation

Understanding of Wi-Fi

24

How to use?How to use?

Participants drew the boundary of the café’s network on diagram 3

All participants drew a network that extended beyond the café itself

They understand that Wi-Fi networks often extend beyond the physical boundary of the location that is providing it

Understanding of Wi-Fi

Network’s range

25

How to use?How to use?

With diagram 3, participants were asked about the ability to access the café’s network from other places, inside and outside the shopping center

Responses showed a good understanding of elements perturbating the signal

- distance

- obstacles

Understanding of Wi-Fi

Signal strength and propagation

26

How to use?How to use?

Signal strength is the main criterion to choose which network to connect to

Majority preferred free networks

Some were willing to pay for “a good signal”

Understanding of Wi-Fi

Network selection

27

How it works?How it works?

Participants had little Wi-Fi and networking knowledge

- 3 knew that WEP and WPA are encryption types

- 5 knew partly what an IP address is

- almost every participant knew what is a router

Diagrams 1 and 2: search on http://www.google.com and account checking on https://bankofamerica.com

Participants are asked to highlight any people/computer/device they thought may be able to see their search terms or account balance

Understanding of Wi-Fi

28

How it works?How it works?Understanding of Wi-Fi

Diagrams 1 from 2 participants

29

How it works?How it works?Understanding of Wi-Fi

Results:

Broadcast nature of Wi-Fi is only understood by a few participants

The role of SSL encryption is poorly understood

30

Threat modelsThreat modelsThe previously seen poor understanding of how Wi-Fi works have consequences on threats perceived by the participants

Main threat: hackers breaking into their computers

- Considered as the main risk by 10 participants

- But probability of such an attack was seen very low as it was supposed to require very high computing skills

Privacy threat: someone looking over the shoulder

- shared by 9 participants

Understanding of Wi-Fi

31

Privacy & security Privacy & security concernsconcerns

Financial and personally identifiable information

- Most prevalent concern about using Wi-Fi - often the only concern

- Fear of identity theft or financial damage was everyone’s main source of preoccupation

32

Privacy & security Privacy & security concernsconcerns

Impression management

- Maintain an image for others and not being misunderstood also dictates Wi-Fi behavior

- Participants did not connect to networks with strange SSIDs not fearing the network itself, but the impression it would give

- Applications used when on Wi-Fi are restricted not to be too personal

33

Privacy & security Privacy & security concernsconcerns

Consideration for others

- Participants showed concern in not offending others or not putting them at risk by exposure: courtesy

- They restrained their applications in order not to expose confidential information about their relatives

- Concerns linked to physical intrusions, not from the network itself

34

Privacy & security Privacy & security concernsconcerns

Practices to handle these concerns

No online purchases or banking from public places

Trust in the web sites

- Some participants think these web sites as being 100% secure

- Look for indications on webpages, rely upon the “secured questions”

Hiding the screen from others

- by either tilting the screen or taking a seat against the wall

Security software

- Firewalls and antivirus alleviate their primary concerns

False sense of safety

35

RisksRisks

Participants were not aware of major risks implied by using Wi-Fi because of their limited understanding of how it works

Two major source of concern:

- malicious access points

- visibility of unencrypted information

36

Malicious access Malicious access pointspoints

Such possible access points never came to mind for most participants

They trust that the names accurately reflect the network provider

Only one participant was aware that malicious AP could exist after having doubts about one

Majority of participants connect to network with the best signal strength

Risks

37

Unencrypted Unencrypted informationinformation

Only 4 participants knew that information transmitted over Wi-Fi could be potentially visible to others (diagrams)

After knowing which data was transmitted in the clear:

- 4 participants were not surprised

- other 7 had no idea that their web pages could have been seen

- They “just don’t think about that”

Understanding of this risk generally does not translate into sharp awareness

Risks

38

In-the-moment In-the-moment awarenessawareness

Practices giving a sense of security + lack of understanding

majority of participants absolutely don’t think about privacy and security when using Wi-Fi

When using Wi-Fi:- security and privacy risks are not found

acceptable;- they are simply not considered

Risks

39

Personal exposurePersonal exposureFor some pieces of information, the number of times the information was transmitted during the study was quite high (over 1000 times)

Confronted to this list, new concerns emerged

Information aggregation

information considered as harmless was seen differently

participants thought about usual activities becoming sources of information leaks

Exposing other people’s information

participants realized that beyond exposing themselves, they were exposing others’ information by simply reading an email

that concern became more problematic than personal exposure

40

OutlineOutline

Introduction

Exploratory study

Results

Discussion

41

DiscussionDiscussion

42

DiscussionDiscussionThreats implied by using Wi-Fi are important

Consequences range from minor distress to serious problems

Users generally don’t think about these issues

they adopt practices for threats they are aware of and feel safe

Once threats are explained to users, they are willing to be more careful and to change their habits

Technology has a role to play in two ways:

help users improve their awareness

develop infrastructural solutions that improve Wi-Fi protocols

43

Future workFuture work

End-User awareness tool

Show users how their own data is being broadcasted using Wi-Fi

Effective strategy for motivating privacy and security conscious behavior

Important design challenge:

- make risk visible

- without creating paranoia or inundating user with information

44

Future workFuture workInfrastuctural solutions

Improve security of 802.11 protocols

Some work intend to eliminate all unencrypted communication

- such system needs to be incorporated into wireless standards and to be widely deployed

- could take years before becoming common

Meanwhile, solutions like the previously mentioned one can help users dealing with security and privacy threats.

45

ThanksThanks