ISP’s Wi-Fi weakness highlights privacy and security shortfalls as GDPR approaches

Having been involved in GDPR preparation work for clients, I’ve become more conscious of how other people and organisations access my data. That brings me to how I first noticed one way our privacy could be at risk without us realising.

It was quite by chance I even noticed. I had left my house and forgot to turn my phone’s Wi-Fi network connection off and my data back on. Walking down the street and browsing my phone (obstacles be damned), I suddenly noticed I’d connected to a Wi-Fi network. Turns out it was some random network in one of the houses I happened to be walking past.

How did this happen? Because my ISP provides customers with an option for giving visiting guests free Wi-Fi for up to five devices. They don’t need to be authenticated on your network; they just have to be a customer of the same ISP already. (I hadnt known about that option until recently, probably due to my own lack of research and not reading the documents my ISP sent me.)

Security fail

Because I work in the information security industry, I’m usually more sensitive to, and aware of, what technologies I use. (Just not in this case.) So, I was a bit miffed that this got past me so easily without my ISP drawing more attention to it.

While connected to that random network, I had no clue who was managing it, who could intercept my traffic, or what else they could do with the data. What if I was logging in to my bank, or downloading sensitive data? What if I sit on Wireshark on my neighbour’s Guest network when I know they are having a party or have people over?

More worryingly, it’s not possible to disable this “feature” on your router manually. You have to log in  to your ISP account with that ISP and ask them to deactivate it. This then stops you from being able to connect to others’ networks, as well as them connecting to yours. Deactivation can take “up to” 72 hours.

Putting privacy first

My ISP has an “opt out” policy for its Wi-Fi sharing feature. I don’t know about you, but for me to opt out of something, I need to be made aware of it properly. Other customers of the same ISP complained on Twitter they weren’t aware of these terms and conditions. When an ISP enables a feature giving random people I don’t know access to my network, without me having input over the controls in place to protect both my and my guests’ data, it really needs to consider having an “opt in” policy instead.

There are two sides to the privacy debate. Many of us want to live in a future where we are all connected. Some want that “Smart City” utopia with a free flow of useful information. But we also want to know when this occurs – and that we have consented to sharing our information. With GDPR fast approaching, it’s never been more important to know who has access to your data and who they share it with.  Let’s head towards utopia by all means – provided we keep our fundamental rights to privacy intact along the way.

Leave a Reply

Your email address will not be published. Required fields are marked *