Municipal WiFi is Coming, and Why Privacy Advocates Should Care
By: Graham Longford
July 25, 2006
At a press conference in March of this year, Toronto Hydro Telecom (THT) announced an ambitious plan to turn Toronto into the largest Wi-Fi (wireless fidelity) internet ‘hot-zone’ in North America. Flanked by Mayor David Miller, THT’s CEO David Dobbin called the availability of Wi-Fi in public spaces, and the ubiquitous, mobile connectivity that it enables, “the new benchmark for urban living.” Miller called the announcement “a historic moment in Toronto’s development as a world-class city.” THT’s announcement vaults Toronto to the forefront of municipal WiFi deployments in North America, alongside “muni WiFi” pioneers like Philadelphia, San Francisco, and Fredericton.
On its face, the case for deploying municipal WiFi systems is a compelling one. Advocates claim that city-wide WiFi schemes promote economic development and tourism, attract and retain skilled workers and investment, increase the efficiency of municipal services, improve emergency response and public safety, and narrow the digital divide. It is for reasons like these that hundreds of municipalities in North America, Europe and Asia are implementing or planning WiFi systems.
Yet, despite its allure, municipal WiFi is controversial, particularly in the U.S.. Private sector critics argue that municipalities have no business providing internet service to citizens. Muni WiFi services, they claim, duplicate and unfairly compete against private telecommunications services. Public health advocates, meanwhile, have weighed in with concerns regarding the dangers of electro-magnetic radiation emitted by wireless devices. Largely absent from the debate so far, however, have been arguments about the privacy risks of such systems. As major WiFi deployments like Toronto’s are rolled out across Canada and the rest of North America, surveillance and privacy scholars, activists and policy makers must become engaged in order to ensure that such systems are implemented in a manner that is transparent, accountable and as respectful of user rights, including privacy, as possible.
The following offers an overview of the THT WiFi plan and a preliminary analysis of its privacy implications. As THT’s service has yet to be deployed, some of this is unavoidably speculative. We can extrapolate, however, from the experience of other municipalities, including San Francisco and Fredericton, which will also be discussed. I conclude by reviewing a set of guidelines for enhancing the privacy of muni WiFi systems proposed by privacy advocates such as EPIC and EFF, and call for the development of THT’s WiFi system in conformity with them.
One zone, no strings attached?
THT’s WiFi plan, which it has dubbed “One zone, no strings attached,” plan envisions a wireless “cloud” covering the entire city (630km square) with ubiquitous internet connectivity within 3 years. The first phase of the rollout is under way, with THT promising to cover a 6 square kilometre area in the downtown core by the end of 2006. From a technical standpoint, the THT network will use license-exempt wireless spectrum (the same spectrum used for household devices like garage door-openers and baby monitors). Bandwidth will be supplied through THT’s existing 450km fibre-optic network, which it uses to monitor Toronto’s electricity grid. THT claims that its WiFi internet service will be up to ten times faster than existing broadband services in the city. The THT plan also relies on mounting WiFi equipment onto many of the city’s 18,000 street lights, which are owned by THT’s parent company Toronto Hydro. Under THT’s plan, every 7th street light in the city will be equipped with a WiFi device, bathing the city in wireless connectivity (Hamilton, 2006; Toronto Hydro Telecom, 2006).
While THT is a subsidiary of municipally-owned Toronto Hydro Corporation, its WiFi business model is unambiguously commercial and revenue-oriented. THT will offer its WiFi service free of charge for the first six months of operation, to be followed by the introduction of tiered service plans available on a prepaid or subscription basis at market competitive rates. THT plans to market the service to downtown businesses, workers, restaurant and hotel patrons, and university students (Toronto Hydro Telecom, 2006). Whether or not it will eventually target the broader residential broadband market in the city remains unclear.
Until THT’s WiFi network is deployed and its terms of service made public, it is difficult to comment on its privacy implications in detail. We know enough about its business model already, however, to raise some red flags. First, the THT system will require users to create accounts and authenticate. While this need not entail divulging personally identifying information, it certainly facilitates user data collection and session-to-session tracking, which could eventually be tied to personal information. Since THT also intends to sell the system on a subscription basis, it will most certainly collect and retain users’ banking and/or credit card information, thus enabling user data to be tied to individuals.
Secondly, THT has made it very clear that the main purpose of the system is to maximize revenue for its parent company, Toronto Hydro Corporation. With this in mind, THT will most certainly examine the revenue potential of the user data that it collects. Major web properties will no doubt line up to gain access to THT’s user data. Furthermore, THT may also be tempted by the prospect of generating additional revenue by selling ad space with its service; indeed location-sensitive advertising is a major component of many muni wifi business models, including San Francisco’s (Chester, 2006). Location-based advertising is dependent upon combining user data with location information in order to customize ads and services to a user’s geographic location. Such a combination can also be used to reveal an individual’s location, as well as patterns of movement through the network coverage area.
Finally, and alarmingly THT’s Dobbin recently speculated on the feasibility of integrating CCTV surveillance cameras into the system, mounting camera units on city street light poles and transmitting images to police via the THT WiFi network (Granatstein, 2006).
What does THT’s plan mean for the privacy rights of Torontonians and visitors to the city, as thousands (if not more) flock to the service? Fortunately, we do not need to wait for THT to deploy its system fully in order to grasp the potential implications for user privacy. The experience of municipalities that are farther down the road to deployment is instructive.
Google’s San Francisco WiFi deployment
In the spring of 2006, a partnership between Google and Earthlink was awarded a contract to develop a WiFi network for the City of San Francisco, beating out 4 other bids. The Google/Earthlink plan involves providing tiered internet access services, including a free low-speed service provided by Google and a paid high-speed service provided by Earthlink. The provision of each service is to be supported by a different business model. The free, low speed (300 Kbps) service offered by Google will be financially supported by online advertisements streamed to users of the network and tailored to their location, habits and preferences as tracked by Google. Earthlink’s premium, high speed (1 Mgps) service will cost users approximately $20 per month, and be free of advertising.
San Francisco’s proposed WiFi network has been scrutinized by privacy advocates. EPIC, EFF and the ACLU recently prepared a privacy analysis of the 5 competing bids for the contract, looking at the provisions made in each for the collection, use and retention of user data (EPIC, 2006). Four out of five, including Google/Earthlink’s, were found to be privacy-invasive. Only the proposal submitted by SF Metro Connect, a non-profit community network, passed muster. Analysis of the Google-Earthlink bid showed that the collection, commercialization, sharing of user data would be the default setting for the system. Google’s free service will be accessed via a location-aware captive portal page and user sign-in, thus allowing persistent tracking across sessions. Along with collecting user email addresses and usernames, Google intends to collect, analyze and commercialize user location information in order to customize advertising and other location-based services that users will see and have access to. Google’s concession to privacy concerns includes an “opt-out” provision for those who do not wish to access location-specific advertising and services or have their information shared with third parties, thus making information collection and sharing the default setting of the system. Additional concerns were raised about how Google will respond to requests for user information by law enforcement officials, including Google’s policy of not informing users when such requests have been made.
All told, the Google/Earthlink proposal was judged by the EPIC/EFF/ACLU study to be one of the most privacy-invasive of the 5 proposals for the San Francisco system. Google’s model for a free, ad-supported WiFi service has been the subject of intense scrutiny by the press and other municipalities, although rarely in relation to its privacy implications. Should it prove to be commercially viable, the Google model may well be replicated in hundreds of municipalities across the U.S., and possibly Canada, a prospect that should concern us.
Setting, applying, and advocating a standard for privacy-protective municipal WiFi systems
Part of the problem with the San Francisco deployment, according to the privacy advocates, is that the City set no minimum standards for privacy protection in its initial Request For Proposals. What might such a set of standards look like? The EPIC/EFF/ACLU privacy analysis document proposes a “Gold Standard” for privacy-protective municipal WiFi systems. The fundamental principle of a privacy-protective system is that “where information needs to be collected, it should only be used for operational purposes and deleted after it is no longer needed” (EPIC, 2006). Practically speaking, a “Gold Standard” muni WiFi system should:
• allow access without "signing in"; sign-in procedures often require personal information that enables tracking;
• offer a level of access that is free, since fee-based systems (e.g. subscription services) enable the identification of users through credit card or bank account information, unless provision for cash payment is made; and,
• forego offering targeted advertising and other customized electronic services based on user identity, location or surfing behaviour; such services may be offered, but on an “opt-in” basis requiring the user’s explicit consent..
For more detailed information on the EPIC/EFF/ACLU “Gold Standard,” including recommendations for data storage and retention practices, see EPIC, 2006.
Applying this Gold Standard to THT’s WiFi model is difficult of course, given that the service has yet to be rolled out. Based on what we know so far, however, it is highly unlikely that it will meet the standard. THT’s insistence on the use of log-ins and paid subscriber accounts ensures the collection of information beyond what is minimally and technically necessary to operate and permit access to the system, and creates the conditions for the persistent tracking of user behaviour tied to personally identifying information. The latter will also allow THT to construct commercially valuable user data profiles that it will be tempted to exploit by selling them to third parties. Only the adoption of an explicit “opt-in” policy for the collection and sharing of such data would mitigate the privacy risks posed by such a move.
The fact that THT has yet to roll out its system presents an opportunity to intervene, however, just as it is developing its policies and terms of service. The need for intervention is urgent, given that many other municipalities in the country are watching to see if the THT model provides a viable blueprint for other deployments. Any influence that privacy advocates have in shaping the THT model may well have ripple effects across the country. But the points of leverage from which to influence THT – be they city politicians, City hall committees, or Toronto Hydro itself - need to be identified, and pressure brought to bear. The privacy risks of muni WiFi need to be identified and articulated, along with best privacy practices. And as we think about best practices, we would do well to recall and revive interest in Canada’s homegrown model of muni WiFi – the Fredericton e-Zone – which has been eclipsed by the recent hype associated with the deployments in Philadelphia, San Francisco and, now, Toronto. Fred e-Zone has been operating successfully as a free municipal WiFi service in the New Brunswick capital since 2003, and without using authentication procedures, log-ins or collecting personal information. As the muni WiFi wave begins to roll across this country, we would do well to study the “Fred e-Zone” experiment closely, to better understand what has enabled it to succeed despite its admirably minimalist approach to user data collection.
Chester, Jeff (2006) “Google’s Wi-Fi Privacy Ploy,” The Nation, March 24, (http://www.thenation.com/doc/20060410/chester).
EPIC (2006) A Privacy Analysis of the Six Proposals for San Francisco Municipal Broadband, http://www.epic.org/privacy/internet/sfan4306.html
Granatstein, Rob (2006) “Network could be invitation to big brother,” Torontosun.com, July 15, 2006, (http://torontosun.com/News/TorontoAndGTA/2006/07/15/1685800-sun.html).
Hamilton, Tyler (2006) “Downtown goes wireless,” Toronto Star, March 8, 2006.
Toronto Hydro Telecom (2006) “One Zone, no strings attached,” (www.thtelecom.ca).
Graham Longford is a Postdoctoral Research Fellow in Community Informatics
Co-Investigator, Community Wireless Infrastructure Research Project (CWIRP)
Faculty of Information Studies
University of Toronto