Slashdot Mirror
Google Wi-Fi Kiosks in New York Promise No Privacy, 'Can Collect Anything' (observer.com)
Here's the thing about those wi-fi kiosks replacing New York City's public payphones. They're owned by Google/Alphabet company Sidewalk Labs, they're covered with ads, and if you read the privacy policy on its web site, "it's not that one." An anonymous Slashdot reader quotes an article from the Observer:
Columbia professor Benjamin Read got a big laugh at this weekend's Hackers on Planet Earth XI conference in Manhattan when he pointed out that the privacy policy on LinkNYC's website only applies to the website itself, not to the actual network of kiosks.
The web page points out that it has two separate privacy policies in an easily-missed section near the top, and for their real-world kiosks, "They essentially have a privacy policy that says, 'we can collect anything and do anything' and that sets the outer bound'," says New York Civil Liberties Union attorney Mariko Hirose.
The Observer reports that the policy "promises not to use facial recognition... however, nothing stops the company from retracting that guarantee. In fact, Hirose said that she's been told by the company that the kiosk's cameras haven't even been turned on yet, but it is also under no obligation to tell the public when the cameras go live." The article concludes that in general the public's sole line of defense is popular outrage, and that privacy policies "have been constructed primarily to guard companies against liability and discourage users from reading closely."
The web page points out that it has two separate privacy policies in an easily-missed section near the top, and for their real-world kiosks, "They essentially have a privacy policy that says, 'we can collect anything and do anything' and that sets the outer bound'," says New York Civil Liberties Union attorney Mariko Hirose.
The Observer reports that the policy "promises not to use facial recognition... however, nothing stops the company from retracting that guarantee. In fact, Hirose said that she's been told by the company that the kiosk's cameras haven't even been turned on yet, but it is also under no obligation to tell the public when the cameras go live." The article concludes that in general the public's sole line of defense is popular outrage, and that privacy policies "have been constructed primarily to guard companies against liability and discourage users from reading closely."
I went to use one of these and it wanted to install an iOS configuration profile on my phone.
These profiles can configure your phone on a fairly deep level, doing things like adding proxies, restricting functionality, and so on.
I hit cancel and just continued to use my data plan. Screw that.
A regular public WiFi, that you can connect to without installing profiles, etc... is indeed unencrypted. But most services that matter these days use SSL so it's not an issue.
But if you have to install a profile, it can do things like set proxies, install SSL client certificates and so on. It can spy on you VERY deeply. You're actually better off connecting to unencrypted open WiFi than one of these.
There is a site called Dark Patterns, mentioned by our friends at Ars, detailing this kind of 'small print designed for people to miss'. Understandable, but wrong.
John_Chalisque