This week, New York City officially inaugurated its free citywide Wi-Fi network, LinkNYC, though it will take several months to get going: 510 access points, called kiosks, are promised by July. The city touts some big stats in its fact sheet: 7,550 kiosks to be installed, with 4,550 in the first four years, all providing gigabit connections. Way down at the bottom is the vague phrase, “LinkNYC offers an encrypted public Wi-Fi network, adding a critical layer of protection to personal data.” That’s actually the most exciting news in the release: one of the first big uses of a new Wi-Fi technology called Passpoint, aka Hotspot 2.0.
Public Wi-Fi networks are usually about as clean as public toilets. Many offer no security at all. That splash screen you see when you log on at Starbucks asks you to agree to, among other things, the fact that the connection is not secure. “In a typical open hotspot…where you connect and get that web page, that Wi-Fi connection is not encrypted,” says Kevin Robinson, a VP at the Wi-Fi Alliance, an industry organization that certifies products as supporting the Wi-Fi tech standards. “That traffic is happening in the clear.” In other words, anyone on the network can see what anyone else is doing.
What about those coffee shops that write a username and password on the chalkboard next to the seasonal drink specials? “Believe it or not, that actually does provide a pretty strong level of security,” says Robinson. “Even though they are sharing a username and password, each one of those connections has a unique [encryption] key to the network.” The question is: Which network? “There is an increased…number of people who would operate fake networks… just to collect data,” says Ondřej Vlček, COO of antivirus maker Avast. They can use the same or a similar name for their bogus network, protected by the same username and password.
LinkNYC and networks already up and running in San Francisco and San Jose provide a new, safer, and much simpler kind of security as part of a tech standard called Passpoint—one of the most important words you probably haven’t heard. Passpoint allows a Wi-Fi hotspot to work roughly the same way that a cellphone tower does. Your connection can switch seamlessly from one hotspot to the next as you move down the street, with no need to log in again to each new station.
That’s super-convenient, and can save people a lot of money on their wireless data plans by offloading traffic to Wi-Fi. But Passpoint is a boon even to people who sit next to the same hotspot all day: an individualized secure network connection that (in theory) can’t be spoofed by a hacker. Passpoint actually uses the same security standard, called WPA2, that many access points have offered for years.
With Passpoint, rather than signing on to a single access point, you sign on—just once—to the service provider that operates networks of hundreds or thousands of access points; and you take your WPA2 encryption with you. Some networks even have roaming agreements, as cell carriers do. You can automatically and securely hop between San Francisco’s and San Jose’s systems, for example. In addition, a phone, laptop or other device that supports Passpoint holds a list of digital certificates that verify if a network is a legitimate Passpoint provider.
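The certificate check described above only protects a device if its stored Passpoint profile pins the provider's trust anchor. This added example (not from the article or any provider) audits profiles for that; it assumes the credentials are stored in wpa_supplicant's `cred={...}` syntax, a client the article does not mention, and every realm, account and path in the sample is a constructed placeholder.

```python
import re

# Constructed sample in wpa_supplicant.conf "cred" syntax (assumed format);
# realms, accounts and paths are placeholders, not real provider values.
SAMPLE_CONF = '''
interworking=1
hs20=1
cred={
    realm="wifi.example.net"
    username="alice"
    password="placeholder"
    eap=TTLS
    phase2="auth=MSCHAPV2"
}
cred={
    realm="metro.example.org"
    username="bob"
    password="placeholder"
    eap=TTLS
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/provider-root.pem"
    domain_suffix_match="aaa.metro.example.org"
}
'''

CRED_BLOCK = re.compile(r"cred=\{(.*?)\}", re.S)
FIELD = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.M)

def parse_creds(conf_text):
    """Return one dict of field -> value for each cred={...} block."""
    return [{k: v.strip('"') for k, v in FIELD.findall(body)}
            for body in CRED_BLOCK.findall(conf_text)]

def audit(conf_text):
    """Map each realm to the server-validation settings its profile lacks."""
    findings = {}
    for cred in parse_creds(conf_text):
        missing = []
        if "ca_cert" not in cred:
            missing.append("ca_cert: no trust anchor for the provider's server")
        if "domain_suffix_match" not in cred:
            missing.append("domain_suffix_match: server name is not pinned")
        findings[cred.get("realm", "<no realm>")] = missing
    return findings

if __name__ == "__main__":
    for realm, missing in audit(SAMPLE_CONF).items():
        print(realm, "OK" if not missing else "WEAK -> " + "; ".join(missing))
```

A profile flagged here would hand its username and password to any network advertising the same realm, which is the fake-network problem the article describes.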
The Wi-Fi Alliance has been certifying new products that support Passpoint for less than two years. If your laptop, phone, or tablet is older than that, you probably don’t have the capability. (Robinson says that chipmakers may be able to add Passpoint to older gear with a software update.) Even if your device has certified hardware, that doesn’t mean the Passpoint feature has been enabled in the operating system. The rule of thumb is that you need—depending on the device—at least Android 6.0, iOS 7, Mac OS X Mavericks, or Windows 10.
Networks—especially the free ones—are also slow to upgrade to Passpoint. The ability to hand off from hotspot to hotspot is almost essential for municipal systems like that in San Francisco, as well as for paid global Wi-Fi services like Boingo or Time Warner Cable’s hotspot network (which both recently upgraded to Passpoint). But it doesn’t offer much to Joe’s coffee shop or Jane’s hotel, where users are stationary. Yes, the Passpoint security is much better, but it’s not as if most people will skip their soy latte because the café doesn’t offer a new Wi-Fi standard they probably haven’t even heard of. “I’m not aware of any, what you may call a sole proprietor [such as a] café deploying a Passpoint network,” says Robinson.
Instead, the next place you will see Passpoint is probably via cellphone providers, such as T-Mobile, which are already conducting trials of the technology. “As those trials conclude, we’ll expect to see additional Passpoint deployments,” says Robinson.
So what’s the takeaway for itinerant web users? Best-case scenario: Connect to the nearest Passpoint network if your town has one and your device supports it. Even if you are sitting right next to the router in your café, go for the public hotspot across the street, if it’s a street in San Francisco or San Jose or (soon) New York. Somewhat more likely scenario: Connect to a network that requires a username and password. Otherwise, you have a box of lesser options. The best is to subscribe to a virtual private network (VPN) service such as Cloak or HMA (or the VPN your company may supply) that creates an encrypted connection for you—protecting your data even if it’s running through a hacker’s fake Wi-Fi hotspot. At the very least, make sure the website you are going to uses the HTTPS address that signals web encryption. “Ultimately, people are going to make their own decisions on how much risk they want to assume,” says Robinson.