Public Wi-Fi: privacy obligations
Legal memo published on The Legal Industry Review.
Nowadays, most of the activities we perform daily have been transferred to the digital world. The common denominator among them is that to carry them out, it is necessary to make use of the Internet. In this sense, the Internet has become an indispensable intangible asset for human beings. That is why different countries around the world, including Mexico, have recognized Internet access as a Human Right.
As a result, both the Mexican State and establishments of all kinds (hospitals, airports, libraries, restaurants, hotels, shopping centers, etc.) have installed public Wi-Fi networks so that people can connect to the Internet quickly and free of charge. However, there is a lack of awareness about the risks that may be involved in connecting to them.
On the one hand, public Wi-Fi networks may not encrypt the information that is transmitted through them, so any other person connected to them who has certain knowledge may access information such as emails, passwords, bank card information, and social network content, among others.
To prevent the theft of this information, certain recommendations have been issued for anyone connecting to an untrusted or unknown public Wi-Fi network; for example: do not exchange private or confidential information, do not use mobile or Internet banking services, and do not make online purchases that require any banking data. Likewise, most devices currently offer the option of connecting to such public networks through a VPN (Virtual Private Network), the purpose of which is precisely to encrypt the users’ connection, thus avoiding any interception of their information.
These measures and recommendations can provide some protection against third-party attacks, such as phishing crimes. However, what happens to the information collected by establishments over public Wi-Fi networks? Most users are unaware of what personal data they are sharing, with whom, and for what purpose when using a public network. The root cause of this problem is the failure of establishments to provide such information.
Speaking of the private sector, according to the provisions of the Federal Law for the Protection of Personal Data in Possession of Individuals, both establishments and Internet service providers would have the obligation to inform users about the personal data they collect from them, the purposes of the processing thereof, and the transfers of such personal data to third parties, these being the minimum requirements.
However, the reality is that a huge number of establishments fail to comply with this obligation by not making available to users a privacy notice to inform them of the processing to which their personal data will be subjected. Through such a notice, they should inform users about the use given to the data that users provide directly to the establishment to access the Internet service, as well as the data collected automatically by the establishment while users browse through a public Wi-Fi network.
The foregoing shows the need to continue promoting a culture of personal data protection, so that users know and demand their privacy and data protection rights. Finally, it is worth emphasizing the observance of these rights by companies and public and private entities, and above all, the role of the control bodies in ensuring their protection.
On July 26th, the Cyber Incident Response Center of the General Scientific Directorate of the National Guard issued a statement on the most relevant considerations for users to avoid becoming a victim of a “Phishing” attack via email, due to the increase in cases of this criminal activity, namely:
- Never send data by e-mail, since companies and banks will never request financial or credit card data by this means.
- If in doubt about the authenticity of the e-mail, do not click any links included in it.
- If you are concerned about the veracity of the email, verify the facts directly with the bank (whether by a call or a visit).
- If you have received a phishing email, never reply to it; it is best to ignore it.
- Check that the web page you are accessing is a secure address; it should begin with https://. A small, closed padlock should also appear in the browser’s status bar.
- Make sure to spell the address of the web site you want to visit correctly, since there are hundreds of attempts to spoof the most popular sites with only one or two letters of difference.
If you suspect you have been a victim of phishing, immediately change your passwords and contact the company or financial institution to report the incident.
TMT Area of ECIJA Mexico