WiFi4EU broken by technical specifications - a year of misery & new allies

With the Wifi4EU programm the EU is planning to spend 100 million € by 2020 to subsidise a centralized surveillance infrastructure for centers of public life in the EU. The talk will lay out how Wifi4EU is supposed to work both administratively and technically, where there are problems with the later and what is and can be done about it.

With the Wifi4EU programm [1] the EU is planning to subsidies the installation of free Wi-Fi with 120 million € until 2020. The installations are planned to be "... free of charge, free of advertising and free from commercial re-use of data. ..." [2] and aim "... to equip every European village and every city with free wireless internet access around the main centres of public life. ..." [1]

Unfortunately the technical specifications implemented in the first call on the 7th - 9th of November 2018 [3] and the second call on the 4th- 5th of April 2019 [4] tell a different story. So far 93 Million € are planned to be spend in a flawed design.

Amongst other problems they include:

• requirements for a centralized authentification infrastructure - like eduroam [5] (FAQ 23),
• inherent IT security problems - embedded snippets in the captive portals [5] (FAQ 26) and
• proprietary standards - hotspot 2.0. [5] (FAQ 27)

Following a talk at the Wireless Community Weekend 2018 in May 2018 [6] and the 35c3 refreshing memories [7][8] talk will include:

• a short introduction to the programm,
• how it came to be,
• what happend so far
• the implications of the programm
• what can be done to fix things.

Besides contacting the european comission, several members of the european parlament and Klaus Landefeld of the eco [9] we were able to get members of the german Bundestag to get interested in the issue [10]. This led to a "schriftliche Anfrage" towards the Bundesregierung regarding the GDPR compliance of the authentification infrastructure, the situation is currently evolving.

Futhermore an open letter [11]  to the european data protection supervisor (EDPS) Giovanni  Buttarelli [12] was answered and included the following passage:

"... The EDPS was not consulted in this context. From a technical perspective, an open and secure WiFi network does
not in principle require any form of user registration and authentication, in line with the
principle of data minimisation. ..."

Unfortunatley the inquiry by the EDPS towards the european comission was not answered at the 29th of May 2019. 

The talk aims to inform about the current state of affairs and hoefully foster a discussion during the congress what can and should be done to prohibit the creation of yet another surveillance infrastructure and what a desirable public Wi-Fi infrastructure should look like.