cross-posted from: https://slrpnk.net/post/25779751
The intative promises to be privacy-friendly with no tracking. Stating:
Your privacy is important. The WiFi4EU app ensures a private online experience with no tracking or data collection. Simply connect and enjoy free public Wi-Fi without concerns.
Source: https://digital-strategy.ec.europa.eu/en/policies/wifi4eu-citizens
Will be interesting to see how this spans and plays out in reality. Looks promising too, did a quick scan of their builtin permissions and trackers and looks good too. (Scanning tool is called Exodus)
Leaving the EU is one of the stupidest self harming things we ever did.
Title is wrong. It’s an old initiative, not even funded anymore. Ran from 2018 to 2020 with 120 Million EUR.
A bit offtopic about a pet peeve of mine, but this is why it’d be super nice if social media that end up getting screenshot had absolute timestamps. Thank you for letting us know.
my bad! I misread the context and had not heard of it before - yet living in the EU. I will change the title. I got confused as I saw their post on LinkedIn, and it was posted recently: https://www.linkedin.com/posts/european-commission_wifi4eu-activity-7359136374895046656-oXYi
It’s still active as in, they maintain the hotspots. But I just had a look at the map, and it looks like there’s spotty service mostly clustered around tiny villages, rather than providing coverage to areas that actual get significant tourism or other visitors.
Ahh yes, border free travel… wait a minute, why are the Austrian police on the border here? Wait a minute, why are they stopping us…
Because it’s border free travel for EU citizens. It’s still another country you enter, as of course, there are rules.
They stop you to check. You obviously pass through.
Also, there’s still illegal import rules.
It’s still schengen rules, so if you take a train the likelihood of being stopped at the border is pretty low. Austria may have border agents board the train and verify passports, but that’s still pretty uncommon in Europe.
Well I don’t know if that’s a good use of EU money. I’d rather see investments in large and difficult infrastructure, rail, software, datacenters, industrial sectors we’re currently lacking, grid investments - stuff like that.
End user internet access is more like thousands of small decentralised projects. The coordination might make it easier to use compared to if everyone did their own free wifi project, but that’s such a small benefit…
As always, it’s not like both aren’t possible. As a matter of fact, there is a lot of railway projects ongoing at the same time, to only quote one of your examples.
A government can take care of more than one issue at a time, luckily.
It may be a small benefit for you (I assume you are german based on your server), but not every european country or citizen has the same access to internet. This is a good initiative, but obviously not primarily intended for the richer citizens/countries of the union.
I would say it’s a small benefit for anyone. It’s not like people will walk to the town square, or the park or the hospital to use some free EU Wifi.
The title is also very wrong I found out. It’s not being launched. It’s not even funded any more.
Wifi4EU ran from 2018 to 2020 with a funding of 120 million EUR. They paid up to 15 thousand EUR for equipment and installation per municipality, the local municipalities had to pay for the internet service and maintenance.
This is the result: https://wifi4eu.ec.europa.eu/#/list-accesspoints
Still looks like a pointless exercise to me.
15k for several distinct hotspots in a city is pretty reasonable, depending on what equipment they are using.
Enterprise quality IT gear is expensive. Each access point can easily be 1k, and that excludes any routers/firewall/switching that you may need at each site. As an example, I’ve worked in places that had small retail locations that at a minimum had 8k of network equipment, with some locations pushing into the 100k+ range based on needs and size. That’s per site. The above is all in USD, but just equipment. Labor can add 30% to the costs.
15k euro for a whole city that includes equipment and installation sounds very fiscally responsible.
My city runs it’s own wifi hotspots all over the city, and it is quite a nice feature, especially if your data plan isn’t very good.
I’m sure we could invest in all of them and money wouldn’t be the problem.
But why an App & not a PWA ?
Would have been nice indeed, however there is a web version: https://wifi4eu.ec.europa.eu/#/list-accesspoints
Why not both?
PWAs are easy to maintain & lightweight
Not saying they aren’t, just that a lot of folks will probably search their phone’s app store and if they don’t see it assume it doesn’t exist for their phone.
Who said PWAs can’t be put in an appstore ?
I think this is mostly for non-EU tourists. You don’t pay for roaming in EU anymore so you don’t really need WiFi when traveling.
Well, speak for yourself. I don’t have a running phone contract because I don’t really use my phone much for calling or stick to open WiFi when I need to be online. Just got top-up mobile data for the times when there is no WiFi.
I definitely do want WiFi when travelling.
Recently mobile phone operators introduced a “fair use policy”, so it’s not really a”roam like at home” anymore, but data volumes can be limited to a fraction of what you are entitled to in your home country.
This is a point where WiFi might get more important again when traveling.
If I had this in the US, I’d be cancelling my cellular service entirely, I’d still keep my home service though, to VPN into it for a bit more security when using a public wifi connection.
I would also just transfer my phone number to one of those cheap voip providers, then just use voip from my phone everywhere.
Ehhh… I would maybe cancel the data part of my plan, but I dunno how comfortable I would be relying on notoriously spotty and insecure public Wi-Fi services to make or receive phone calls.
In my case, it’d be fine. I already mainly use data for phone calls, and I also have 2 phones, one of which is work-provided, so I’ll still have communications…
you wouldn’t be happy with that. i looked up how the Wifi routers are distributed, and (in Austria at least) small towns have 1-2 routers placed in the municipal buildings they have, servicing the town square. Which means you would have to sit around inside or outside of city hall all day.
Yes, it’s not like poor people or children with abusive parents need library wifi to do anything important like looking up how to deal with life’s shit when their parents never taught them how. </sarcasm>
bro, i never said anything about people in bad situations; it’s clear that they profit from that and that’s a great thing. but cancelling your cell service to use this instead is not a smart move.
So, if I live in the EU, what’s stopping me from cancelling my home plan and making the wifi experience worse for everyone?
The fact that there’s 93k access points and that’s not very many when you consider the size of the EU and the average range and speed of an access point.
Limiting the bandwidth use of individual devices is pretty easy, and basically standard procedure for public networks. Even cheap consumer routers that come with ISP subscriptions can do that.
It’s mind-blowing how at the same time some EU government guys pushing stuff like DSA while other do something like this (which is nice, and a complete opposite, if it’s not honeypot anyways).
What’s the problem with the Digital Services Act?
Yeah, of all the things to criticise the EU for the DSA is a bizarre pick. Challenging techbro dominance with simple and technically-sensible demands on the gatekeepers is a win for the average person in my book.
They tried to push it to the point of stripping encryption from internet altogether and when that didn’t work they tried demanding chat apps to be able to scan people messages before they send them. Maybe I’m confusing multiple entirely different things here, but I kinda heard that mostly with the abbreviation DSA flying around so I assumed it was sorta umbrella for all those things.
Nah that’s Chat Control. DSA is about online platforms while Chat Control is about private chats.
yeah the DSA seems good to me, largely because it mostly adresses vlops being shitty
Indeed from their history of constantly wanting more control and invasive measures, always sold in the name of security, protection of minors, etc… I’m highly sceptical and always asume the worst.
But those are all publicly available pieces of legislation. It’s quite a leap to go from that to just assuming they’ll secretly and illegally spy on you through public wifi networks, without any law allowing them to do so. Besides, if they have no problem doing that, why would internet through your European ISP be any safer?
Never said the rest is safer, doesn’t mean they are ‘privacy friendly’, they aren’t.
It’s quite a leap to go from that to just assuming they’ll secretly and illegally spy on you
Plenty of stuff like this or this or this
And they did as much against Pegasus as they do against israel.
Some words and recommendations.22 EU clients, at least, have acquired it.
quite a leap to go from that to just assuming they will not spy on you as a collective, more than is already ‘publicly available’.
Organisations that spy usually don’t advertise their practices.Plenty of stuff like this or this or this
Again, those are all pushes for legislation. None of which are implemented at this point. The EU is, for better and for worse, a bureaucratic monster. Anything it does has to go through a long process involving multiple oversight comittees, the commission, the parliament etc. It really doesn’t have the option for much secrecy. National governments are quite a different story.
. Anything it does has to go through a long process involving multiple oversight comittees, the commission, the parliament etc. It really doesn’t have the option for much secrecy.
Oh my sweet summer child.
When a German MEP Patrick Breyer asked the EU to release the names of the people who were a part of the so called High Level Group that wrote this proposal, they replied with a list with all names blacked out. Here is Patrick Breyer’s own blog post on the subject.
According to Edri ”The HLG has kept its work sessions closed, by strictly controlling which stakeholders got invited and effectively shutting down civil society participation.”.
And that’s why I trust no one! Oh, wait. I’m lonely and miserable.
Saddest man indeed
oh dude, they promised to be privacy friendly! maybe I’m just too american to believe in promises.
You don’t have to trust them any more than you trust your local Starbucks WiFi. We’re at the point where your traffic should no longer be vulnerable just because you’re on the wrong WiFi network.
You don’t have to trust them any more than you trust your local Starbucks WiFi
I don’t really trust that either
That’s the point, you don’t have to. The system works on the assumption that the AP is untrusted.
except when not. HTTPS helps with security, but there’s privacy leaks all around all kinds of network traffic. apps and services you use, websites you visit (DNS, SNI), when do you do something, like arrive or receive a voip call, …
I feel like the OP you’re responding to. Explain how I should be comfortable? The idea creeps me out, but I admit I haven’t delved into security for a few years.
HTTPS is used on virtually every site out there these days. That is used to encrypt your traffic from the get go. So specifics of the traffic/request won’t be obvious/known. The EU could be big enough to force manufacturers to inject their certificates into devices… could be a man in the middle attack. But you can always just remove certs you don’t trust from your devices.
DNS by default is often plaintext. You can setup your device to use DoH or other encrypted versions of DNS.
That leaves just the raw connection analysis… eg, that your device is sending traffic to some known IP… many site share hosts so that can be hard to determine though often not really… Proxy or VPN services can make it impossible to do this type of analysis… but then those services will be able to tell.
Ultimately being able to say that “Shalafi sent some packets to an IP that google owns and received a bunch back” could be email… could be youtube… could be any number of things… at some point it become educated guess at best. And what specifically happened (ex: Watched a video about tying shoes) is simply unknown. It would take a bunch of external additional data to actually tie you to anything directly, eg server logs or other sources… which usually means more than one party is already working together against you. At that point you’ve got bigger issues usually.
this is such an oversimplification. maybe it’s hard to distinguish between google services, but if you play some online game, chat over whatsapp or signal, or have a voip call, that’s an entirely different story. these can probably be told apart by DNS requests or active connections, and in the case of communications, messaging and voice calling is obvious to tell apart because of the difference in the volume of data. when having a voip call, through a service that supports peer to peer calls (most do, and it’s default on), an observer may even be able to deduct something about who you are speaking with, like what general area they live at.
then what if you have apps that try to establish connections to services at home. like smb or nfs, https services. your smb/nfs client may leak your credentials, I think even linux does not encrypt smb communication unless you request it in a mount option, and with HTTPS you leak your internal domain names because of TLS SNI.
Forgive me for not covering 100% of this advanced topic in my 3 paragraphs on Lemmy… Nuance gets long, and most people have attention spans of a squirrel.
maybe it’s hard to distinguish between google services, but if you play some online game, chat over whatsapp or signal, or have a voip call, that’s an entirely different story.
Already covered as
That leaves just the raw connection analysis…
Where specifics can’t be divined… but other details might.
these can probably be told apart by DNS requests
Addressed already with
DNS by default is often plaintext. You can setup your device to use DoH or other encrypted versions of DNS.
when having a voip call, through a service that supports peer to peer calls (most do, and it’s default on), an observer may even be able to deduct something about who you are speaking with, like what general area they live at.
Actually this is quite unlikely. ASNs are not as structured as you think. It takes an external database that specifically tracks DHCP’d ISP addresses. Case in point, when I moved to my new house… Google maps though I was a good 60 miles away from where I was… it was after repeated access to google maps and other service for about a month before maps started getting accurate with where I’m accessing their service from.
And that point is covered with
It would take a bunch of external additional data to actually tie you to anything directly, eg server logs or other sources… which usually means more than one party is already working together against you. At that point you’ve got bigger issues usually.
then what if you have apps that try to establish connections to services at home.
If you purposefully steer your car off the road… of course you’re going to crash. If you’re going to expose non-encrypted things onto the internet…
At that point you’ve got bigger issues usually.
I would suspect the untrusted wifi to NOT be the leading thing you’d want to care about in this situation. But even then… I would start making reasonable assumptions such as you’re likely on a DHCP connection without static addressing… your site and resources will rotate IPs every once in a while. Makes tracking you even harder.
with HTTPS you leak your internal domain names because of TLS SNI.
Encrypted SNI (ESNI) / Encrypted Client Hello (ECH) exists… Cloudflare for example supports ECH, and they transit a LOT of data.
But once again… would be outside of the scope of discussion here. Yes… an ISP can make an educated guess of where you’re likely to be going… and maybe even make a reasonable guess of what you could doing… But certainly not the details of it.
And this all ignores the fact that a random coffee shop isn’t going to do full packet inspection to get this data to begin with. It’s not worth it for them. They gain very little from collecting meta data without some bigger company backing them to do so… Which falls under
It would take a bunch of external additional data to actually tie you to anything directly, eg server logs or other sources… which usually means more than one party is already working together against you. At that point you’ve got bigger issues usually.
Edit: Typo that changed meaning. Fixed.
Every site uses HTTPS which encrypts your data in transit. Even if they sniff the packets, they would spend literal decades trying to decrypt it.
Just be wary of visiting sites or sending traffic not over HTTPS. Its rare, but it does happen.
HTTPS does not protect against everything. there’s many other protocols that apps can use for whatever use case, and even HTTPS traffic leaks lots of information directly or indirectly, like the websites you visit (because of DNS, and TLS SNI)
You don’t HAVE to be comfortable. But if you use any sort of public WiFi, this is no riskier than any of those networks. They can grab some metadata unless you use a VPN, but likely less than what your ISP already has on you anyway. Basically, there’s no reason this should be putting up any major red flags. We’re past the days when a malicious access point could MitM most connections due to lack of encryption.
What the others said. If you want a practical example of this working, have a look at eduroam. It’s the joint WiFi of all European universities and I cannot recall that there ever were any privacy issues.
My traffic is not vulnerable, but my device might be.
When you connect to public WiFi, you also share it with others, and maybe someone on that network wants to test out their new hacker skills ?
Maybe not as much of a problem for phones, but that juicy developer laptop running unauthenticated MongoDB with a dump of the production database… yup, that now “mine”.
Ideally all those services should be listening on 127.0.0.1 / ::1, but everybody makes mistakes. Maybe the service comes preconfigured to listen on 0.0.0.0.
Someone runs MongoDB unauthenticated, bound on 0.0.0.0 with production data, on a computer without a VPN, and the problem is the WiFi?
Like I get what you are saying, but this sounds like saying that we should ban speedbumps because imagine there is a guy with a loaded gun pointed at a kid with no safe, finger on the trigger, and high on coke, if the car hits the speedbump the toddler is gone. Yeah, but I would hardly say the speedump is the issue.
Just keep your firewall set to public network and you will most likely be fine.
Anything can be hacked, even on your private home network.
Again, people make mistakes, so they may think the firewall is on, but that one time 3 weeks ago when they were debugging something and they turned off the firewall for it, yeah, we never got around to enabling it again.
Also, my home network is a lot more secure by default than shared public WiFi. At home I have decent control over who and what connects. Sure, people could in theory crack my WiFi password, but the risk of that is low compared to sitting on public WiFi.
Nothing we can do to prevent that, unless we want to turn all laptops into walled gardens. PEBKAC is not the fault of the WiFi network.
I mean, we could switch to Linux distros (so that you can fine-tune DNS and VPN settings without corporate BS), but the intricacies that introduces to connecting to the WiFi safely are not casual in scope. Most people are better off buying a lightly-used Mac (or not, it’s been a while since people have been happy with Apple) or replacing their laptop with a Fairphone or Graphene OS phone than switching to Linux from Windows 10.
Windows 11+ however… is another story. Anything but letting the IngSoc Smart TV become the OS. The issue is that computers come bundled with Windows and so they use “Secure Boot” to trap you. You can’t use Secure Boot without Windows, and you can’t play many online games if you do not have Secure Boot (even if the excuse as to why is a filthy lie) so if you’re gaming you basically have to hope that Steam OS triumphs.
Best option is to just go to places where the wifi service is affordable but not free so that the operator needs to keep tabs on whether users are doing something other than browsing the internet or playing games (i.e. stealing people’s info or putting malware on their machine). Unfortunately, there doesn’t seem to be any great demand for internet cafes anymore in my location.
Most people are better off buying a lightly-used Mac (or not, it’s been a while since people have been happy with Apple) or replacing their laptop with a Fairphone or Graphene OS phone than switching to Linux from Windows 10.
I don’t really see the connection there with somebody bringing down their own firewall, hosting open services, and basically putting out the welcome mat. You can burn yourself on any OS (and if you can’t, I don’t want to be using or pushing it).
Best option is to just go to places where the wifi service is affordable but not free so that the operator needs to keep tabs on whether users are doing something other than browsing the internet or playing games
What place charges little enough for the WiFi to be affordable but has somebody live monitoring network traffic?
Been that way since https became common
How do we know intelligence agencies are not in collusion with certificate authorities though? What if they actually have access to ROOT CA private keys and can just automatically strip https from most of the traffic in their mass surveillance software? This is something I found with a very quick search: https://en.wikipedia.org/wiki/DigiNotar
Yeah sure but defending against nation state intelligence agencies is a thread model few people have. It’s also not really realistic unless you go to paranoia level mitigations.
The EU is almost just as bad, I know the bar is high compared to the US, but still.
There are tons of things the EU is doing well, dude.
From resisting the technocapitalist rethoric of the US, to standing up against imperial bullies like Russia.
I’m not saying it is perfect, nothing is. But sometimes it feels like the EU is the only reasonable beacon in a sea of corruption.
LOL ‘dude’
The EU just bent over to get fucked by US tarrifs.
They shouldn’t worry about Russia as much as they should about US imperialism that causes all the trouble.
But these sell outs will gladly suffer as good obedient vasals. 🤡The EU only cares about blocking the private sector from getting their citizen’s data. They actively harm privacy when it’s about government access
That’s why audits exist
Free Wireless ISP, you say?
cheapskate romanian sounds
Oh, sure. That’s fair. Just like how the US kicked the Natives off of their land. </sarcasm>
Germans are gonna start getting out their old cantennas or nanostations and point it at the closest hotspot
Of course I would never do such a thing, being half german, living in Germany. Certainly didn’t live off a nearby restaurants wifi hotspot for almost 2 years.
Classic European flavored racism. Are you aware that you are promoting racism or not? I think mindfulness is key here. People should consider their own internal biases and adjust to help make a better world.
If Hule wants to make cheapskate Romanian sounds he’s allowed to. It’s his goddamn choice whether he wants to be a cheapskate or not.
Pretty sure they are themselves Romanian.
Can you even be racist against yourself?
Yes you can.
Yes, I live in Romania.
It was a joke, but also true.
I don’t see the racist part, but please excuse me if I’ve offended you.
descurcăreț - someone who makes use of the flaws in rulings. It’s not even a negative term.
<sincerity> Sorry about the other response I made being accusatory. I get the difference between self-deprecating humor about one’s family, and actual boomerang racism. Thanks for clearing things up. </sincerity>
That’s cool. Here in the US, we’re this close to banning vaccines. *sad trombone sound
Having a union-wide regulatory framework for soda bottle caps, or mandatory categorization of cucumbers seems a lot less like a government overreach in comparison. Thanks, I guess… 🥲
deleted by creator
I hope you’re joking.
Honestly nowadays data plans are cheap on most mobile carriers and they’re obligated to have them work accross EU, so you no longer really need Wi-Fi when traveling.
Also, I can see this being easily and constantly exploited via Wi-Fi attacks where hackers set up fake Hotspots with the same name as the closest legit one.
Meanwhile Czech carrier cartel:
BTW free Wi-Fi exploits are overrated with widespread HSTS
Why is it written with USD?
Only the rich can afford to pay per GB
I have a free 1 MiB/day plan. I only pay €8/year to top up the prepaid SIM. This would be AMAZING in 2005 but now the number of webpages that work on my 2G feature phone via Opera Mini is shrinking. Not to mention, there is no privacy because of the transcoding server. A stock-firmware 4G smartphone would eat through this data in a minute just with background apps calling home.
With the right software (rooted Android, custom clients, transcoding server at home) one could theoretically get all day of use of text- and sparsely image-based services such as email, RSS, SSH, timetables, Lemmy… I’d need at least a data blocker for backhround apps, a kiB meter in the notification bar and a confirmation pop-up for every transaction above 10 kiB (this can be estimated by content length).
I’m sure non-EU visitors will like it
Getting their credentials stolen thru WiFi attack?
This is not really a common or easy attack, especially for any meaningful service (that is probably in preloaded HSTS lists).
It’s not like this is the only shared network. In airports millions of people everyday connect to the same network.
Cries in Brexit
~£2 a day data charge on most UK networks
Isn’t Lebara less than that per month and includes roaming?
The more competitive networks tend to include EU roaming as standard. The ones that charge a lot - like the £2/day mentioned - tend to be the ones with captive customers like Sky, for example, where most of their customers also have TV and broadband from them so they’re stuck.
Do you need that app to connect to a WiFi network?
No, the app is just a map of the hotspots.
To add to the other comment, you can see the map here.
If this does what it says on the box its huge
Damn, this is so cool.
We could have had this in the States too, but, well, you all know.This will never be possible in the States. We still have areas with no cellular.
Surely that’s unrelated to the billions of dollars that the telecom companies stole from the taxpayer after promising to build out infrastructure?
Ironically enough there’s basically a private version of this through Comcast turning their rented CPEs into their own unlicensed wifi mesh, they call it WiFi Pass – they at least have the courtesy to give it to you gratis if you’re already paying for residential service.
This would be cool 20 years ago. Now it’s just a stunt.
Better late than never though
It shows you are american and not familiar with the EU.
‘privacy friendly’ is a euphemistic PR term, not unlike making the horrible Patriot Act worse and renaming it the ‘Freedom Act’.Do you have other examples? I am really curious when they said privacy friendly and ended up snooping.
I’ll copy my answer to an EU fanboy:
Never said the rest is safer, doesn’t mean they are ‘privacy friendly’, they aren’t.
It’s quite a leap to go from that to just assuming they’ll secretly and illegally spy on youPlenty of stuff like this or this or this
And they did as much against Pegasus as they do against israel. Some words and recommendations.
22 EU clients, at least, have acquired it. quite a leap to go from that to just assuming they will not spy on you as a collective, more than is already ‘publicly available’. Organisations that spy usually don’t advertise their practices.
