Last week my barber asked: "How bad is public WiFi, really?" He uses public WiFi networks like most people and wants to know how vulnerable he actually is.

Most advice you'll get falls into one of two camps: Never use public WiFi. Or It's probably fine, don't worry about it. Both are wrong. The truth, like most things, is messier, and more useful. Public WiFi carries real risk—but the risk is manageable if you understand what you're exposing.

Let's break down what happens when your family connects to an open network, what attackers can see, what retailers are tracking, and the practical defenses you can put in place without turning your life upside down.

What Public WiFi Is

A public WiFi network is an open door. Anyone within range can join, and everyone on that network can potentially see what everyone else is doing. There's no encryption between your device and the router. It's like talking on a conference call where everyone can hear every word.

There are two types of public networks:

Network Type What It Means
Open Network No password required. Anyone can join. This is what you find at most coffee shops, libraries, and airports.
Shared-Passphrase Network Everyone uses the same password printed on the wall or given by staff. This doesn't actually encrypt your traffic—it just controls who gets on the network in the first place.

Both carry risk. The difference is that an open network exposes you to anyone who walks into range. A shared-passphrase network excludes outsiders but doesn't protect insiders from each other.

What's Exposed When You Connect

When your child joins a public network, several things happen that they might not realize:

Unencrypted HTTP Traffic: Websites that don't use HTTPS send your data in plain text. That means usernames, passwords, messages—everything—is readable by anyone on the same network. Fortunately, most major sites now enforce HTTPS automatically, and browsers with proper security settings stop you before loading the site. But the warning signs aren't always obvious, especially to kids who haven't been taught to look for them.

DNS Requests: Even with HTTPS, your device still sends DNS queries to translate a domain name into an IP address. These queries aren't encrypted by default, which means the network operator—and anyone sniffing the network—can see which sites you're visiting. Not the content, but the fact that you visited.

Device Metadata: Your phone broadcasts its MAC address, device name, operating system version, and hostname. This fingerprint identifies your device across visits. Starbucks knows your iPhone 17 Pro was there on Tuesday, and again on Thursday. That's foot traffic tracking without you ever buying anything.

Service Discovery: Other devices on the network can probe your device for open ports or services. Windows file sharing, AirDrop, network printers—these features can expose your device to anyone nearby.

The Retail Data Harvest

The part most people never think about is that the store itself is tracking. Retailers use public WiFi for far more than internet access. They use it to map foot traffic, and track dwell time and customer behavior in real time.

Here's how they do it:

WiFi Probe Requests: Your phone constantly broadcasts "I'm looking for known networks" even when it's not connected. Stores capture these probes to track which devices are in their vicinity. Your kid's iPhone announces itself at the mall food court. The mall knows the device is there, and it remembers.

Captive Portal Data: When you connect and accept the terms of service, you're often agreeing to data collection. Device info, browsing behavior, location within the store, duration of visit. All correlated with purchase data if you use their loyalty program.

Analytics Companies: Businesses like Euclid, Zenreach, and Cisco Meraki built entire industries on in-store WiFi analytics. They know which aisles customers linger in, how long they spend in specific zones, whether they've visited before, and what time of day they're most likely to return.

The Parent Angle: Your kid connects to mall WiFi to stream videos faster and text friends while you shop. The mall now knows your kid's device identifier, how often they visit, which stores they walk past, and how long they stay in each zone. That profile persists across visits and correlates with other data sources.

The Caveat: Modern iOS and Android randomize MAC addresses per network to mitigate this. Apple calls it "Private Wi-Fi Addresses" and Google calls it "Randomized Hardware Addresses." But it's not foolproof—retailers use additional fingerprinting techniques that combine signal strength, connection timing, and device behavior to identify users even with randomized MACs. There is a constant loop of someone implementing security and privacy features and someone figuring out a way around them.

Malicious Attacks

Not all threats are the same. Here are three you need to understand:

Packet Sniffing: Tools like Wireshark make this trivial. Advanced hacking skills are not required. You can download the software, run it on the public network, and suddenly you're reading traffic from every device on that network.

Rogue Access Point: Any unauthorized wireless access point on a network. Whether accidental or intentional, you can't verify who controls it or how your data flows through it.

Evil Twin: A specific type of rogue AP designed to impersonate a legitimate network, like using a nearly identical network name (SSID) to trick your device into connecting.

Recently, someone in Australia was jailed for running fraudulent airport WiFi networks that captured passenger credentials and payment data. He set up networks that looked official, waited for travelers to connect, and harvested their information. So none of this is theoretical—it's happening.

For parents, the risk multiplies at travel hubs. Airport WiFi is chaotic—dozens of networks with similar names, rushed travelers distracted by boarding gates, and kids using devices without supervision. It's the perfect storm for a successful attack.

What's the Realistic Threat Level?

Now we can separate theory from practice. Where is the actual risk on public WiFi?

The Opportunistic Attacker: The bored teenager with Wireshark scanning for unencrypted traffic. Low sophistication, looking for easy wins like login cookies or HTTP credentials.

The Professional Operator: The person running a rogue access point deliberately designed to capture data. Higher sophistication, more targeted.

The Network Owner: The coffee shop or big box store using your connection to build a customer profile. Legal but invasive, often buried in terms of service nobody reads.

What's the Probability? Most public WiFi attacks are opportunistic, not targeted. If your child is checking school email at Starbucks, the risk is low but not zero. If they're doing online banking on a mall network, the risk increases significantly.

Remember, HTTPS Changed the Game: Most major websites enforce HTTPS automatically. The "someone can read your Facebook messages" threat is largely mitigated for major platforms. But DNS, metadata, and rogue networks remain real vectors. And smaller websites, school portals, and lesser-known apps often lag behind.

What to Actually Do

You don't need to stay offline to be safe. The goal is to take informed precaution. Here's the tiered approach:

Level 1: Basic Protections (5 Minutes to Set Up)

Action How to Do It
Stick to HTTPS sites Modern browsers warn on non-HTTPS. Don't ignore those warnings.
Turn off auto-join Disable automatic connection to open networks in Settings.
Disable file sharing Turn off AirDrop, file sharing, and network discovery on public networks.
Verify network names Ask staff: "What's the exact name of your guest WiFi?" Don't guess.

Level 2: Better Protection (Install a VPN)

A VPN creates an encrypted tunnel between your device and a server. Even the network operator can't see your traffic—only that you're connected to a VPN.

Trusted Options: Proton VPN, Mullvad, IVPN. These are privacy-focused, audited, and don't log traffic.

Avoid Free VPNs: As always, if the service is free, you're the product. Many free VPNs log your activity and sell it.

Setup Tip: Configure your VPN to auto-connect when joining unknown networks. This removes the decision-making burden in the moment.

Level 3: Best Protection (Use Cellular Data)

A cellular connection is not the same as public WiFi. It's encrypted by default between your device and the carrier. Use a personal hotspot instead of public WiFi when handling anything sensitive (banking, email, health portals).

The Recommendation for Kids: If they need internet at the mall use hotspot from your phone, not from a public network.

*Combine level 2 and 3 for the safest approach.

The Neurodivergent Lens

Public WiFi security intersects with neurodivergence in ways most security guides don't address:

Sensory Regulation Spaces: ND kids may seek out quiet cafés or libraries as regulation spaces and connect to WiFi without thinking about security.

Routine Disruption: Travel disrupts routines. When a routine breaks down, security habits break with it.

Literal Interpretation: An Autistic child may assume "it says Starbucks WiFi so it must be Starbucks." Literal interpretation of network names creates vulnerability to evil twins.

Executive Function: Remembering to toggle VPNs, check settings, or verify networks requires executive function that ADHD brains may struggle with in the moment. Automation helps—set up auto-connect once so you don't have to remember every time.

Most security advice assumes a stable, regulated nervous system. For neurodivergent users, that assumption doesn't always hold. Automate what you can so the default path is safe not an extra step.

What to Teach Your Kids

Instead of memorized phrases, set the stage for critical thinking:

Teach Them to Ask: "Is this a network I trust?" Not "does it say Starbucks on the sign?" Ask the person behind the counter.

Teach Them to Verify: "Does the network name match what the venue says?" One character off—Starbuckz instead of Starbucks—is a red flag.

Set Their Devices: Configure devices to NOT auto-join public networks. Turn this on before you leave the house. You can change it back when you get home.

Pre-Install a VPN: Set it to auto-connect on untrusted networks. Remove the decision from the moment.

Default to Cellular: Make hotspots the standard for anything sensitive. No exceptions.

Appropriate Scaling: Match the advice to their developmental level. Chronological age matters less than whether they can be trusted with the information.

Coming Back to the Barber

"So, how bad is public WiFi?" The answer is "make sure you understand what you're exposing, and take the right precautions."

Your child will use public WiFi. It's everywhere they go nowadays and it's convenient. Give them the awareness to move through these spaces with their data intact. The risk is manageable and the defenses are accessible. The cost of complacency is your family's privacy.

When you connect to free WiFi, ask yourself: "Am I willing to put my data at risk for this convenience?" Sometimes the answer might be "yes" and sometimes it might be "I'll use my hotspot instead." Either way it's a choice made with open eyes.