
Does Starbucks use WPA2? The last one I was at was open; I just had to click through a terms of service page.


Starbucks, and most other 'portal' WiFi, is unencrypted. It would be nice if there were some (automated) method of 'upgrading' the connection (i.e. providing encryption without requiring the user to acquire and input a password). Maybe providing it over an SSL connection after you've agreed to the ToS?


The cheap (flawed, but better than nothing) way is to have the SSID be something like "Businessname Public (Password: iev8eiM9)" or similar, or just have it on a blackboard inside, which has the bonus of stopping people outside using it so easily.

The whole standard is a mess; it should have opportunistic encryption on open networks, then clients can display a warning if this doesn't happen for whatever reason ("Anything you send or receive over this network may be readable by others" or similar).


Wifi encryption is not going to help you much if anyone is able to connect to the network by just asking for the password; it won't protect you inside the network. If you want to be safe, use a VPN or SSH tunnel onto a server you trust.


Sure it is. Each separate WPA connection involves a unique nonce (actually four, IIRC); my laptop and your laptop aren't using the same key even if we sign in with the same password. (This gets to the problem that WPA is being used for access control, which is not what it's actually "for", but that's a separate question.)

If you are sniffing the 802.11 frames (and you should assume someone is) and you catch the entire 4-way handshake and the nonce generation is predictable, you could reverse-engineer it, but then again you can say the same thing about a TLS connection too.
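
The per-connection key derivation discussed in the comment above, as an added example that is not part of the thread: it computes the WPA2-PSK pairwise key for two clients that share one passphrase. It assumes WPA2-PSK with CCMP; the SSID, MAC addresses and nonces are constructed sample values, and the passphrase is the one quoted earlier in the thread.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # Every client that knows the passphrase computes the same PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated.
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # The PTK mixes the shared PMK with both MAC addresses and both nonces.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    # CCMP uses a 384-bit PTK: KCK (16 bytes) | KEK (16 bytes) | TK (16 bytes).
    return prf(pmk, b"Pairwise key expansion", data, 48)

def constructed_nonce(tag: str) -> bytes:
    # Constructed, deterministic stand-in for a 32-byte random handshake nonce.
    return hashlib.sha256(tag.encode()).digest()

def demo():
    # Constructed sample network and stations (not taken from the thread).
    pmk = pmk_from_passphrase("iev8eiM9", "Businessname Public")
    ap = bytes.fromhex("02aabbccdd01")
    laptop_a = bytes.fromhex("02aabbccdd10")
    laptop_b = bytes.fromhex("02aabbccdd20")
    ptk_a = ptk(pmk, ap, laptop_a, constructed_nonce("anonce-a"), constructed_nonce("snonce-a"))
    ptk_b = ptk(pmk, ap, laptop_b, constructed_nonce("anonce-b"), constructed_nonce("snonce-b"))
    return ptk_a, ptk_b

if __name__ == "__main__":
    a, b = demo()
    print("laptop A temporal key:", a[32:].hex())
    print("laptop B temporal key:", b[32:].hex())
    print("same passphrase, same key?", a == b)
```

Apart from the PMK, every input to the PRF (both MAC addresses and both nonces) is sent unencrypted during the 4-way handshake, so the secrecy of each pairwise key rests on the passphrase.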



