AT&T Injecting Ads Into Its Wi-Fi Hotspot Data Streams

from the the-man-in-the-middle-is-a-bit-of-a-jerk dept

Everybody wants a piece of the Internet advertising pie, and many are willing to sink to the very bottom of the well of stupidity to get what they believe is owed them. For years now ISPs, hardware vendors and even hotels simply haven’t been able to help themselves, and have repeatedly been caught trying to inject their own ads over the top of user browsers and data streams. This is a terrible idea for a number of reasons, ranging from the fact that ad injection is effectively an attack on user traffic, to the obvious and inherent problem with defacing other people and organizations’ websites and content with your own advertising prattle.

Still, companies like Comcast, Marriot and Samsung have all been caught trying to shove their ads over the top of user data streams. When pressed, most companies are utterly oblivious (or pretend to be utterly oblivious) as to why this behavior might not be that good of an idea.

AT&T appears to be the latest company to use its perceived power over the conduit to manipulate the message. Stanford computer science and legal lecturer Jonathan Mayer recently visited the Dulles airport in DC, and found AT&T’s Wi-Fi hotspots pushing a number of pop up ads, overlaying themselves on browser content:

AT&T’s hotspots (or at least the one in Dulles) appear to be using technology provided by RaGaPa, a startup that promotes itself as an expert in “Wi-Fi Monetization and In-Browser User Engagement Solutions.” RaGaPa’s tech loads the page via the hotspot, then make three edits over HTTP: the injection of an advertising style sheet, the loading a backup advertisement (in case the user’s browser has disabled Javascript), and the injection of a pair of scripts for managing advertisement selection and loading. There’s no mention of this practice anywhere in AT&T’s terms of service.

As already noted, this type of injection is highly problematic and sets an awful precedent:

“AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user?s browsing activity to an undisclosed and untrusted business. It clutters the user?s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don?t plan for extra scripts and layout elements.”

As Mayer also notes, this is a legally muddy area, and, worried about regulatory wrist slaps, most busted ISPs have very quickly and sheepishly backed away from the practice for fear of legal repercussions. I reached out to AT&T to see whether this is a one-off instance of stupidity on the part of AT&T or somebody else (like Dulles), or if aggressively and idiotically injecting itself into the user browsing experience is now going to be AT&T’s standard operating procedure across the company’s network of 30,000+ Wi-Fi hotspots.

Update: AT&T has sent us a statement indicating that this was part of a limited trial:

“Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.”

Filed Under: , , , ,
Companies: at&t, ragapa

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “AT&T Injecting Ads Into Its Wi-Fi Hotspot Data Streams”

Subscribe: RSS Leave a comment
Carlie Coats (profile) says:

Re: Criminal infrimgement; ex parte seizure?

This is criminal copyright infringement for purposes of commercial advantage
or private financial gain: see US Code Title 17 § 506:

According to <;,

Under 17
U.S.C. § 503(a) and Rule 65(b) of the Federal Rules of Civil
Procedure (see also Copyright Rules, 17 U.S.C. foll. § 501), a
federal judge can issue an ex parte order without any notice
at all, requiring a U.S. Marshall or County Sheriff to raid
the premises of an infringer and to seize and impound all
unlawful copies, as well as masters, molds, tapes, negatives
and other articles by means of which such copies can be

…and AT&T and RaGaPa would certainly be subject to having all
the related computing/networking equipment seized, as well as
being hit for legal fees and costs. It couldn’t happen to a nicer
company (except maybe ComCast 🙂 )

That One Guy (profile) says:

See this?

This is exactly the kind of crap I run adblock for. Advertising companies may whine about how people are using adblock software, but they aren’t the ones dealing with idiots who care more about their money than the user’s computer security and ability to use a site without being bombarded by intrusive and annoying ads.

Make ads that are low-key, don’t present a security threat, and by the FSM aren’t pop-ups, and you might convince younger people that they don’t need ad blocking software. Don’t even bother spending time trying to convince older people though, they’ve seen what browsing is like without ad blocking software, and aren’t likely to want to repeat the experience, ever.

That Anonymous Coward (profile) says:

“In-Browser User Engagement Solutions”
And what they failed to mention is they will engage users in ways to express their outrage & finding workarounds. It will help damage the brand, and when it finally starts infecting peoples computers you will then have to walk back your stupidity and the amount of fines & legal damages will outweigh anything you earned from this idiotic methods.

No end user thinks kindly of ads.
This type of intrusive kind is really shitty.
Isn’t it bad enough you have supercookies, tracking IDs and the 1000 other ways you spy on consumers to make a buck enough? Do you really have to try and scrape that last half a cent out of it?

TKnarr (profile) says:

Re: "In-Browser User Engagement Solutions"

I think it’s time for a little user engagement here, of the sort usually covered by “rules of engagement”. 🙂 First, prime a browser so AT&T’s serving up the most offensive, undesirable ads possible. Then hit some major news sites like CNN or the New York Times. Screen-grab the ads. Send them and dumps of the web page source to the site’s complaints or abuse department attached to a complaint about the ads they’re serving up, and topping it off with a complaint about how your antivirus software complained about other pages on their site as well and you’re afraid it’s those ads since you only have the problem when those ads show up. Slip in a mention somewhere about how it only happens when you’re using AT&T’s WiFi and can they check if they’re doing something special for AT&T customers. I’d think even a few dozen complaints about bad ads and malware would get some attention, and attention from major news sites’ll be a lot harder for AT&T to ignore.

Anonymous Coward says:

So using lousy public wifi which is made worse by lousy ads that do nothing but annoy users. When was the last time an ad that you were forced to look at did something more than annoy you. Typical advertising, Techdirts is an exception, not distracting and sometimes neat but not overbearing, one of the few places adblocking is shut off

DB (profile) says:

This is a blatant copyright violation.

But it’s done by a big corporation, and therefore gets a pass.

If I copied the New York Times website, or published my version of the Washington Post, substituting my advertisements in place of theirs, I would be quickly sued.

This is no different from a copying viewpoint, and far worse for security.

Anonymous Coward says:

1) This is malware, plain and simple. They can try to spin this more than the Earth has turned in its lifetime but anything that takes over and/or overwrites a user’s experience without their permission is effectively malware.

2) They’re making bigger the problem that they themselves created. The whole reason for blocking javascript and popups and the proliferation of ad blockers is because these companies just can’t help themselves to destroying the user’s experience. This sort of thing that it’s trying to circumvent is exactly the reason the thing they’re trying to circumvent came into existence. It’s an arms race.

Anonymous Coward says:

Free hot spots could be advertising

You can make the whole thing painless to everyone by limiting the advertising to the initial splash-screen. People have to read the TOS and agree to them anyway, so might as well throw up a few ads on the side. These would ideally be to upgrade to a premium account with higher bandwidth and unlimited use for the rest of the day. If you are already an AT&T customer, you should automatically get the upgrade since you are in the club by already paying AT&T every month. Anything like the man in the middle attack that seems to be going on here, should be stopped immediately and anyone associated with that idea should be fired and monitored.

Pronounce (profile) says:

A Niche Market Opportunity

You are a consumer, and you know that Big Business is in the business of screwing you over. But they hold the goods services you want, and you have to go through them to get these things. So you do things like regularly change vendors knowing that companies like to offer new customers good service, or run applications that remove the “dirt and grime” that companies add to their IT products. Companies will do X and consumers fight back by doing Y. A game played over and over again.

So here we have a case where using WiFi adds grime to a service that consumers want, and they are doing it in a way that thwarts previous Y type moves “(in case [where] the user’s browser has disabled Javascript)”.

So now the ball is in the consumer’s court. This is a product or service opportunity. The consumer is ready for an enterprising soul who’ll offer a product or service that defeats this practice. If it’s good it will make money.

And the fight will continue.

Roger Strong (profile) says:

Strictly Hypothetical

A decade ago there was a wonderful demonstration of how easy it is to modify web pages passing through to a neighbor stealing your Wi-Fi. There are apps for your laptop or tablet that will turn it into a portable Wi-Fi hub.

Which means that someone could stick a laptop or tablet in any public place with a high population density, use a misleading SSID, and serve up ads of their own. And possibly make enough money for it to be worthwhile.

Or while passing through an airport terminal, add audio files to web pages yelling certain words that upset the local security.

While I would never condone such behavior, I am naturally curious as to what ads and other page modifications people would serve up at various campaign rallies and political conventions next year.

Anonymous Coward says:

Re: Another argument for HTTPS everywhere

My first thought as well. The government may hate encryption, but things like that absolutely demonstrate why it’s needed.

It’s no different than a ManInTheMiddle attack on the content you’re viewing. If they can add Ad’s to the content, they can do anything else to it as well.

tqk (profile) says:

That's just marketing research!

AT&T has sent us a statement indicating that this was part of a limited trial …

What’s that have to do with anything? They most certainly were considering using it, and in fact used it even if in a limited trial. How many thousands of people per day use that airport finding them subject to this? How many third party web entities were illegally shouldered out of their rightful place by this bullying behavior?

When a department of a corporation does something, it’s lying to say it was only the marketing department was trying something out and the rest of the corp. shouldn’t be blamed (you know, left hand, right hand). The truth is the corporation was trying something out, and it was being handled by its marketing dept. The corp. is responsible for corp. policy and for all acts perpetrated by its divisions and employees.

Weasling doesn’t cut it.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...