India

Experts Worried Over India’s Plan for Public WiFi Hotspots

By Aishwarya Jagani

A plan approved last month to set up a national network of public WiFi hotspots throughout India has raised widespread concerns from privacy and cybersecurity experts.

“I have no doubt that government agencies are also going to have full access (to this data), which could breach citizens’ data privacy — and this can be considered a risk to data security,” Viney Kumar, a New Delhi cybersecurity expert, told Digital Privacy News.

“While this is a great initiative, there are many risks associated with it,” he added. “If this isn’t rolled out in a planned, phased and secured manner then this may turn out to be a disaster as well.”

Eric Cole, a cybersecurity consultant and CEO at Secure Anchor Consulting in Ashburn, Va., said: “The biggest challenge with public WiFi is that it, by default, is typically unencrypted.”

“So, that means anything that you do over that network, anybody that’s within that vicinity — in the coffee shop, in the restaurant, or anywhere else — could potentially intercept or get that information.”

“While this is a great initiative, there are many risks associated with it.”

Viney Kumar, New Delhi cybersecurity expert.

But Indian Minister of Communications Ravi Shankar Prasad told reporters after a Cabinet briefing last month: “It is a decision that will unleash a massive wave of WiFi connectivity in the country.”

In fact, Prime Minister Narendra Modi tweeted the same day that the new effort would “revolutionize the tech world and significantly improve WiFi availability across the length and breadth of India.”

How It Works

Approved Dec. 9 by the Union Cabinet of India, the Prime Minister’s WiFi Access Network Interface (PM-WANI) comes as India faces internet penetration at under 50%, according to Statista.com.

Application registrations began earlier this month.

The network would consist of public data offices (PDOs), named after the public call office, which operates coin-operated pay phones in India.

Each WiFi hotspot, which could be located in shops and other commercial establishments, would be called a PDO.

“There is a risk because, even when your payload is encrypted, they still know what website you’re going to.”

Eric Cole, Secure Anchor Consulting, Ashburn, Va.

In first announcing the initiative, Modi’s government said that it would “enable our small shopkeepers to provide Wi-Fi service.

“This will boost incomes as well as ensure our youth gets seamless internet connectivity,” officials said. “It will also strengthen our Digital India mission.”

However, privacy and cybersecurity experts were concerned about the lack of security these networks would provide. 

Besides public WiFi networks being extremely vulnerable to hacking, experts have raised concerns over the possibility of the government or WiFi providers collecting user data.

Many Security Risks

Nothing one does on a public WiFi network is secure, as users face the risk of being “eavesdropped upon,” being hacked or having sensitive personal information like passwords and bank-account data stolen.

“There are a few risks associated with public WiFi,” Alex Hamerstone, GRC practice lead at the TrustedSec cybersecurity firm in Cleveland, Ohio, told Digital Privacy News.

“It is a decision that will unleash a massive wave of WiFi connectivity in the country.”

Minister of Communications Ravi Shankar Prasad.

“One risk is what is called a ‘man-in-the-middle-attack,’ where a hacker is able to sit between your computer or device and the website you are accessing and see what you are sending,” he said. 

“While there are ways to prevent this, even on public WiFi, this is still a large risk.”

“There is also the possibility of fake WiFi hotspots,” Hamerstone continued. “A hacker can set up a WiFi network with a name that seems like it is a free WiFi network — and then be able to eavesdrop on you while you are connected to it.

“It can be difficult to know if you are connecting to a real or fake WiFi network, especially if the fake one is named to trick you into thinking it is the real one.”

“Another issue is that public WiFi networks may not be maintained and secured as well as the one at your home or office,” he said.

“Often, businesses offer free WiFi as a courtesy to their patrons — and want to do it for the lowest price possible — and, as such, don’t go to a lot of effort to make sure these networks are secured properly,” Hamerstone said. 

Surveillance Potential

Privacy experts also said PM-WANI could be vulnerable to government surveillance, as the network would lay bare the internet activities of millions of Indian citizens. 

The network will “revolutionize the tech world and significantly improve WiFi availability across the length and breadth of India.”

Prime Minister Narendra Modi on Twitter.

“This could allow the government additional visibility into what users are doing, as the government will have control over how these networks are set up,” Hamerstone told Digital Privacy News.

“It is important however to note,” he cautioned, “that governments already have many ways to collect information on the usage habits of users — so people need to consider if this additional method of possible data-collection will make a large difference.”

Anchor Consulting’s Cole noted that not even fully encrypted data is protected from government surveillance.

“There is a risk because, even when your payload is encrypted, they still know what website you’re going to,” he told Digital Privacy News.

“If I go to Amazon, or I go to another site that is public, the content is encrypted with a VPN — but you still know the websites that I am going to.”

Cole added that many newer devices come with WiFi and geolocate — “so, from a tracking and monitoring perspective, that could be a security risk.”

Lack of Awareness

Experts agreed that Indian online users were not well-informed on the privacy and security risks associated with using public WiFi.

“Public WiFi networks may not be maintained and secured as well as the one at your home or office.”

Alex Hamerstone, TrustedSec cybersecurity firm, Cleveland.

“There is really a lack of awareness even in identifying whether the WiFi is secured or not secured,” Nikhil Mahadeshwar, a Mumbai cybersecurity expert and digital forensics investigator, told Digital Privacy News. “So, people are basically unable to check if there is an encryption mechanism in place.”

Kumar observed: “The majority of internet users are not even familiar with terms like data privacy or defense-in-depth.

“The majority of people do not even understand the difference between data and information.”

Previous initiatives to establish WiFi networks across India have not been successful.

In 2015, Google launched its Google Station project to provide free WiFi at more than 400 railway stations across India — but the company ended the program last February after mobile data prices got cheaper in India and in other global markets.

Regardless, experts told Digital Privacy News that the graver threat to a public WiFi program is the access it would provide to government surveillance and user information.

“Mass surveillance has often been cited as necessary to fight terrorism, prevent crime and social unrest, protect national security — and in some cases — control the population,” said Kumar, the New Delhi cybersecurity expert.

“The majority of people do not even understand the difference between data and information.”

Nikhil Mahadeshwar, Mumbai cybersecurity expert.

“However, this is a dangerous position to take for anyone who cares about democratic values — such as free expression, freedom of political affiliation, and the right to privacy.”

Aishwarya Jagani is a writer in India.

Sources: