Never Commit a Crime When Your Phone Is Connected to a Wi-Fi Network

Four students who left racist graffiti on their high school were caught when their smartphones betrayed them.


Like many bad ideas, this one started with Bud Light. As four high school seniors sat around shooting the breeze before graduation, they decided to vandalize their school as a senior prank. Disguised with T-shirts over their faces to evade security cameras, the young men originally set out to spray-paint “Class of 2018,” but in a moment one of the men describes to the Washington Post as “a blur,” their graffiti fest took a turn toward swastikas, racial slurs attacking the school’s principal, and other hateful symbols.

Despite their covered faces, school officials had no problem finding who was responsible: The students’ phones had automatically connected with the school’s Wi-Fi using their unique logins. Their digital fingerprints tipped off administrators to who was on campus just before midnight, and, as the Post describes, they were held accountable for their crime. But the incident also showcases how little we know about what we’re giving away with our digital footprints. These men had clearly given thought to how to stay anonymous—they knew they needed masks to foil the cameras—but they didn’t think the devices in their pockets could give them away. And as we move about the world, we give little thought to the little breadcrumbs our phones leave behind.

Automatically connecting to Wi-Fi networks, especially public ones, can reveal personal information about what you’re doing online in real time. For instance, I’m currently writing on a laptop from a courtyard outside one of my favorite lunch spots, which has free Wi-Fi. When I arrived here and ordered my usual, my computer and phone automatically connected to their old friend, the free network, and I got to work. I know this makes my internet use vulnerable to hackers, but my assumption is that the other patrons here are probably not here to hack people, and that my web activity—mostly reading news stories—is not all that interesting. But if I were to log in without encryption and send emails or texts, or log in to accounts, it would be possible for folks to eavesdrop on my messages or even to glean my usernames and passwords.

Wi-Fi networks and cell towers collect information about our location and movement around the world. Most of us have heard at one point or another that using public Wi-Fi opens us up to potential data breaches. (Cybersecurity expert Jamie Winterton once wrote for Future Tense that you should never connect to public Wi-Fi anywhere you wouldn’t want to go barefoot.) But the convenience of free internet often outweighs our privacy concerns. That data feels anonymous, and generally, people accept it as a reality of the world. It helps that this data is intended to be used at an aggregate level; for instance, Transport for London, which runs the city’s public transit, including the Underground, began tracking customers’ movements earlier this week via their phones’ connection to the Tube’s public Wi-Fi network. All data will be anonymized, the authorities say, and they hope that this information will help them understand trends in ridership and relieve congestion by adjusting train schedules and sending alerts to riders. The agency has put up signs in stations announcing the plan, and riders can opt out by refusing to use the Wi-Fi network or putting their phones in airplane mode.

But even anonymized data is not so anonymous with just a bit of effort. According to a 2013 study that analyzed location information for 1.5 million people over 15 months, just four location readings allowed researchers to correctly identify individuals in the study 95 percent of the time. Most of us mainly conduct our daily business within a radius of a few dozen miles and frequent the same places: work, home, gym, grocery store. A person’s commute routes and times would presumably be similarly predictable and thus potentially identifiable. A New York Times investigation on digital privacy found that one particular individual, a teacher, was easily identifiable by her commute: She’s the only person who travels from her house to the school where she works.
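To make that concrete, here is an added example (not code from the study or from this article) of a check a data custodian could run before releasing “anonymized” location traces: for every set of k readings taken from one person’s trace, it asks whether any other trace in the dataset also contains all of them. The pseudonymous IDs, place names and hours are constructed sample data, and the exhaustive counting is a simplification chosen for this illustration.

```python
from itertools import combinations

# Constructed sample data: pseudonymous IDs mapped to (place, hour) readings.
# No names are stored, yet the readings themselves act as a fingerprint.
TRACES = {
    "u1": {("home_A", 7), ("station_X", 8), ("office_P", 9), ("gym_G", 18)},
    "u2": {("home_B", 7), ("station_X", 8), ("office_P", 9), ("gym_G", 18)},
    "u3": {("home_C", 7), ("station_X", 8), ("school_S", 9), ("store_M", 18)},
    "u4": {("home_D", 7), ("station_Y", 8), ("school_S", 9), ("gym_G", 18)},
}


def unicity(traces, k):
    """Fraction of k-reading samples that match exactly one trace.

    A sample "matches" a trace when the trace contains every reading in it.
    A value near 1.0 means k known readings are usually enough to single
    out one record, so stripping names has not made the data anonymous.
    """
    unique = total = 0
    for user, points in traces.items():
        # Enumerate every way of knowing k readings about this person.
        for sample in combinations(sorted(points), k):
            total += 1
            needed = set(sample)
            shared = any(
                needed <= other
                for uid, other in traces.items()
                if uid != user
            )
            if not shared:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    for k in range(1, 5):
        print(f"k={k}: {unicity(TRACES, k):.3f} of samples pinpoint one trace")
```

Even in this tiny dataset, where three of four people share a station or a gym, the share of samples that pinpoint a single trace climbs quickly as k grows.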

Of course, Transport for London has no reason to weaponize this kind of information, but it’s yet another “anonymous” dataset that has the potential to reveal intimate details about individuals’ habits. When TfL first announced the plan, digital privacy experts expressed concern over how anonymous this information really is, and how that data would be stored. These are important questions to ask, and government agencies should be especially vigilant in ensuring that the data they amass about citizens is collected responsibly and appropriately protected.

Even if TfL (and other well-intentioned entities collecting cell data for good) behaves responsibly, we’re still leaving loaves’ worth of breadcrumbs behind just by connecting with cell towers. In one particularly terrifying deep dive into the shady world of phone tracking, Vice found that there’s a whole underground market for selling user data that allowed a bounty hunter to track down an individual person, not by hacking or sleuthing about the target’s life and habits, but just by their real-time cell signal. Telecommunications firms sell data to third-party companies, which then resell that information to bail bondspeople, car salespeople, property managers, and, yes, bounty hunters.

Apps, too, are selling us out. While many apps make an argument for you to enable location services—for instance, so you get the most accurate forecast in a weather app—they may also be selling that data to third parties. In its investigation, the New York Times found that 17 of the 20 apps they tested sent location information directly to 70 companies. For instance, the Times reports that the WeatherBug iPhone app sends location data to 40 other companies.

One small thing you can do is to change device settings to ask to join networks, rather than automatically connecting to ones it knows already. That certainly would have saved those graffiti artists some grief, and it could preempt situations where users are unknowingly tracked via their connection to public Wi-Fi.

But that won’t clear away all of your digital footprints. In a more drastic action, you could put your phone in airplane mode until you absolutely need to use it and avoid connecting to unknown networks, but then what’s the point in having a phone? The only alternative: Live your life hoping no one intends to dig up dirt on you. But if you are going to commit a crime, please don’t forget your phone.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.