(…and if there’s a problem, you did agree to the Terms of Service!)
You’ll notice every wi-fi hotspot you use asks you to agree to terms of service. These always include the caveat that the network may allow others to see the traffic you’re sending across it. No one hesitates to accept.
My lifestyle has me using public wi-fi to access the internet, always. I’ve long had an interest in computers, networks, and how they function. Network access is something I’ve done troubleshooting on with regularity. Not so much recently. I mention it by way of establishing a little credibility. At any rate that brings me to the point of this post.
Virtual Private Networks (VPNs) are a reliable, well-established way to keep your web browsing secure from outside observers. Back in 2010 or so VPNs were becoming increasingly prevalent as free and subscription services. Wanting to preserve my personal information while using wide-open public networks, I began making use of these services. They were great, initially. It wasn’t long before they became unusable. This followed a pattern.
At first, arriving at my regular wi-fi hotspots, I’d log in, join my VPN service, and it’d work. Everything went smoothly. It’d function perfectly, for a day or so. Soon enough, they’d fail to connect, making the network unusable. Without the VPN, access worked perfectly. Free or paid VPN, it made no difference.
This pattern spread to every public wi-fi spot. From Starbucks to Wendy’s, McDonald’s to A&W, before long every ‘free’ wi-fi offered to the public was unusable as soon as a VPN was engaged.
Every company offering publicly available internet was blocking access to the basic tools available to mitigate the very threat they were warning their users of.
The implications are clear enough. While there has yet to be a scandal (fingers crossed!), the business model offering free services to the public in exchange for rights to profit from their data is widespread, commonplace. Companies offering public wi-fi are collecting all network traffic, for profit. Without getting into the far-flung regions of this subject, I’d point out what that entails. Your email address. Your banking details. All of your passwords. Your secret, flirty messages to your online fantasy affair. It’s all being collected and sorted, stored and used as data to model your behaviour.
Frighteningly, everything you’re using in the cloud, including any truly private, legally protected information you might access while working from your local coffee shop is also potentially being stored. All information you send and receive across one of these networks is being collected, recorded, collated and sold. Your personality, interests, economic status, sexuality, and private life are becoming the intellectual property of strangers, organizations who will use that information to extract maximum value from you, for the duration of your life.
Modern-day standards have been implemented to protect internet users from the threat of unauthorized traffic monitoring. Providers are side-stepping those standards, illegally accessing, collecting and profiting from your activity while denying you the power of self-protection. In a nearly Kafkaesque turn, any counterargument can be slapped down with reference to the terms of the agreement you entered into. In a world which increasingly demands access to networks as a precondition to everyday living, this is a dangerous foundation to build upon.
Many aspects of this are troubling, though it is when looking at projected social futures that the current state of affairs seems most ominous. Imagine your value being estimated at birth, the statistically probable limits of your economic value being projected based on generations of data and models — tried, tested, and deployed for profit and harmony in our technological future. ‘Dystopian’ hasn’t enough room in it to carry all of the hell that world would be.
The impetus for my posting this was the recent experience I had at my local library branch. My computer was hacked.
As part of my tech routine I format and reinstall my OS multiple times a year. I recently did just this. More than 24 hours passed between the format and my next sign-on at the library. Completely fresh install.
I’m familiar with the moods of the TPL network, including how often it requires a new sign-on — multiple times per day, no matter what.
When I connected to the library hotspot, it hit the internet, right away. No sign-in page, no terms of service. This was unusual. Based on evidence, I believe my laptop was being compromised, hacked.
After verifying I was indeed on the internet, I went about looking at the volume of traffic to and from my computer. That effort proved unnecessary. Next thing that happened was a segmentation fault in a privileged part of my OS. A segmentation fault is a form of program crash. Hackers will often use a specific sort of attack which results in a segmentation fault. The attack causes the system to execute code the attacker has crafted to gain privileges, breaking security so they can install software allowing them reliable access in future. In terms of seriousness, it’s many levels above monitoring traffic and collecting information.
What I am alleging here is that the administrators managing that network not only collect and sell user data, but, as with my example, have no qualms about installing software to illegally monitor patrons’ computer-based activity.
If you need help putting this kind of attack into context, I refer you to the Pegasus revelations. Pegasus is a formalized system of mobile phone hacking which has been connected to assassinations and kidnappings enacted around the world targeting journalists, activists, and uncooperative royals. Kidnapped, harassed, killed — phones compromised using commercially available Pegasus technology figure prominently in facilitating surveillance leading to violence and disappearances. Traces of Pegasus have been found on mobile phones all over the planet, indicating the widespread use of monitoring as a norm.
The power to illegally access private communications devices is not limited to those perceived as a threat to authoritarian governments. Identifiable data linked to an individual is key to profits for a broad range of businesses operating today. What purpose the Toronto Public Library would have for infiltrating and monitoring a patron’s laptop is something I couldn’t speculate on. Nor would I point to the close cooperation in harassment, gaslighting, and psychological abuse between GARDA Security (employed here in the library) and the City of Toronto as a possible basis for this specific incident.
Remember, the library is a public service institution. It’s a not-for-profit operation. It’s not a cog in the machine of a multi-national corporation. It’s an institution dedicated to public service. What part of that, I ask you, is represented by hacking the computers and personal data of the public? Next they’ll be finding security cameras hidden in public bathrooms. Uhhmmmm… they wouldn’t, would they?