AT&T Injecting Ads Into Its Wi-Fi Hotspot Data Streams

from the the-man-in-the-middle-is-a-bit-of-a-jerk dept

Everybody wants a piece of the Internet advertising pie, and many are willing to sink to the very bottom of the well of stupidity to get what they believe is owed them. For years now ISPs, hardware vendors and even hotels simply haven't been able to help themselves, and have repeatedly been caught trying to inject their own ads over the top of user browsers and data streams. This is a terrible idea for a number of reasons, ranging from the fact that ad injection is effectively an attack on user traffic, to the obvious and inherent problem with defacing other people and organizations' websites and content with your own advertising prattle.

Still, companies like Comcast, Marriot and Samsung have all been caught trying to shove their ads over the top of user data streams. When pressed, most companies are utterly oblivious (or pretend to be utterly oblivious) as to why this behavior might not be that good of an idea.

AT&T appears to be the latest company to use its perceived power over the conduit to manipulate the message. Stanford computer science and legal lecturer Jonathan Mayer recently visited the Dulles airport in DC, and found AT&T's Wi-Fi hotspots pushing a number of pop up ads, overlaying themselves on browser content:
AT&T's hotspots (or at least the one in Dulles) appear to be using technology provided by RaGaPa, a startup that promotes itself as an expert in "Wi-Fi Monetization and In-Browser User Engagement Solutions." RaGaPa's tech loads the page via the hotspot, then make three edits over HTTP: the injection of an advertising style sheet, the loading a backup advertisement (in case the user's browser has disabled Javascript), and the injection of a pair of scripts for managing advertisement selection and loading. There's no mention of this practice anywhere in AT&T's terms of service.

As already noted, this type of injection is highly problematic and sets an awful precedent:
"AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user’s browsing activity to an undisclosed and untrusted business. It clutters the user’s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements."
As Mayer also notes, this is a legally muddy area, and, worried about regulatory wrist slaps, most busted ISPs have very quickly and sheepishly backed away from the practice for fear of legal repercussions. I reached out to AT&T to see whether this is a one-off instance of stupidity on the part of AT&T or somebody else (like Dulles), or if aggressively and idiotically injecting itself into the user browsing experience is now going to be AT&T's standard operating procedure across the company's network of 30,000+ Wi-Fi hotspots.

Update: AT&T has sent us a statement indicating that this was part of a limited trial:
"Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast."

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Brian (profile), 25 Aug 2015 @ 3:17pm

    "[..] loads the page via the hotspot, then make three edits [..]"

    Maybe website owners should go after the ISPs for copyright violations.

    reply to this | link to this | view in chronology ]

    • identicon
      Carlie Coats, 25 Aug 2015 @ 4:22pm

      Criminal infrimgement; ex parte seizure?

      This is criminal copyright infringement for purposes of commercial advantage
      or private financial gain: see US Code Title 17 § 506:
      <https://www.law.cornell.edu/uscode/text/17/506>

      According to <https://www.fenwick.com/FenwickDocuments/Copyright_Pirates.pdf>,


      Under 17
      U.S.C. § 503(a) and Rule 65(b) of the Federal Rules of Civil
      Procedure (see also Copyright Rules, 17 U.S.C. foll. § 501), a
      federal judge can issue an ex parte order without any notice
      at all, requiring a U.S. Marshall or County Sheriff to raid
      the premises of an infringer and to seize and impound all
      unlawful copies, as well as masters, molds, tapes, negatives
      and other articles by means of which such copies can be
      reproduced...


      ...and AT&T and RaGaPa would certainly be subject to having all
      the related computing/networking equipment seized, as well as
      being hit for legal fees and costs. It couldn't happen to a nicer
      company (except maybe ComCast :-) )

      reply to this | link to this | view in chronology ]

  • icon
    nate (profile), 25 Aug 2015 @ 3:32pm

    "RaGaPa's tech loads the page via the hotspot, then make three edits over HTTP: the injection of an advertising style sheet, the loading a backup advertisement (in case the user's browser has disabled Javascript), and the injection of a pair of scripts for managing advertisement selection and loading."

    So this is clearly piracy, right?

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 25 Aug 2015 @ 3:44pm

    See this?

    This is exactly the kind of crap I run adblock for. Advertising companies may whine about how people are using adblock software, but they aren't the ones dealing with idiots who care more about their money than the user's computer security and ability to use a site without being bombarded by intrusive and annoying ads.

    Make ads that are low-key, don't present a security threat, and by the FSM aren't pop-ups, and you might convince younger people that they don't need ad blocking software. Don't even bother spending time trying to convince older people though, they've seen what browsing is like without ad blocking software, and aren't likely to want to repeat the experience, ever.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 25 Aug 2015 @ 3:44pm

    "In-Browser User Engagement Solutions"
    And what they failed to mention is they will engage users in ways to express their outrage & finding workarounds. It will help damage the brand, and when it finally starts infecting peoples computers you will then have to walk back your stupidity and the amount of fines & legal damages will outweigh anything you earned from this idiotic methods.

    No end user thinks kindly of ads.
    This type of intrusive kind is really shitty.
    Isn't it bad enough you have supercookies, tracking IDs and the 1000 other ways you spy on consumers to make a buck enough? Do you really have to try and scrape that last half a cent out of it?

    reply to this | link to this | view in chronology ]

    • icon
      TKnarr (profile), 25 Aug 2015 @ 8:19pm

      Re: "In-Browser User Engagement Solutions"

      I think it's time for a little user engagement here, of the sort usually covered by "rules of engagement". :) First, prime a browser so AT&T's serving up the most offensive, undesirable ads possible. Then hit some major news sites like CNN or the New York Times. Screen-grab the ads. Send them and dumps of the web page source to the site's complaints or abuse department attached to a complaint about the ads they're serving up, and topping it off with a complaint about how your antivirus software complained about other pages on their site as well and you're afraid it's those ads since you only have the problem when those ads show up. Slip in a mention somewhere about how it only happens when you're using AT&T's WiFi and can they check if they're doing something special for AT&T customers. I'd think even a few dozen complaints about bad ads and malware would get some attention, and attention from major news sites'll be a lot harder for AT&T to ignore.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 3:47pm

    So using lousy public wifi which is made worse by lousy ads that do nothing but annoy users. When was the last time an ad that you were forced to look at did something more than annoy you. Typical advertising, Techdirts is an exception, not distracting and sometimes neat but not overbearing, one of the few places adblocking is shut off

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Aug 2015 @ 4:09pm

      Re:

      Are they truly public wifi? I thought AT&T's wifi access points were only usable if you were an AT&T customer (having an AT&T wireless plan on your phone).

      Maybe they changed this.

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 26 Aug 2015 @ 6:07am

        Re: Re:

        This hasn't been true for at least two years (I don't think it was ever true). Anyone can use the hotspots, but if you aren't an AT&T customer, you are limited to a certain number of hours per week for your total hotspot usage.

        reply to this | link to this | view in chronology ]

      • identicon
        WHT, 1 Oct 2015 @ 8:55pm

        AT&T Open Access

        Prior to 2006 or so, you had to have an AT&T DSL account to access the Wayport hotspots (AT&T bought out Wayport and provides service to Walmart and Home Depot now).

        All AT&T Wayport hotspots are open now.

        reply to this | link to this | view in chronology ]

  • icon
    mb (profile), 25 Aug 2015 @ 3:54pm

    U.S. Code § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited

    This is such a clear violation of law in so many ways someone at AT&T should rot in prison for a very long time.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Aug 2015 @ 4:08pm

      Re: U.S. Code § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited

      Or, they'll update their TOS and be fine...

      reply to this | link to this | view in chronology ]

  • icon
    DB (profile), 25 Aug 2015 @ 4:12pm

    This is a blatant copyright violation.

    But it's done by a big corporation, and therefore gets a pass.

    If I copied the New York Times website, or published my version of the Washington Post, substituting my advertisements in place of theirs, I would be quickly sued.

    This is no different from a copying viewpoint, and far worse for security.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 4:17pm

    1) This is malware, plain and simple. They can try to spin this more than the Earth has turned in its lifetime but anything that takes over and/or overwrites a user's experience without their permission is effectively malware.

    2) They're making bigger the problem that they themselves created. The whole reason for blocking javascript and popups and the proliferation of ad blockers is because these companies just can't help themselves to destroying the user's experience. This sort of thing that it's trying to circumvent is exactly the reason the thing they're trying to circumvent came into existence. It's an arms race.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 4:19pm

    3) Can you imagine the absolute shitfit AT&T would have if, say, Google decided to inject ads over AT&T's website? They would be in court with million dollar lawyers before the HTML even finished drying.

    reply to this | link to this | view in chronology ]

    • identicon
      David, 26 Aug 2015 @ 7:02am

      Re:

      So, go to Verizons website, with the AT&T ad on top of it, and get Verizon to go after AT&T for unfair business practices. Let them eat each other.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 4:34pm

    Free hot spots could be advertising

    You can make the whole thing painless to everyone by limiting the advertising to the initial splash-screen. People have to read the TOS and agree to them anyway, so might as well throw up a few ads on the side. These would ideally be to upgrade to a premium account with higher bandwidth and unlimited use for the rest of the day. If you are already an AT&T customer, you should automatically get the upgrade since you are in the club by already paying AT&T every month. Anything like the man in the middle attack that seems to be going on here, should be stopped immediately and anyone associated with that idea should be fired and monitored.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 4:35pm

    i wonder what would happen if att were to plaster ads/posters on the doors and windows of brick&mortar stores

    why do they think this is different?

    reply to this | link to this | view in chronology ]

  • icon
    Pronounce (profile), 25 Aug 2015 @ 4:36pm

    A Niche Market Opportunity

    You are a consumer, and you know that Big Business is in the business of screwing you over. But they hold the goods services you want, and you have to go through them to get these things. So you do things like regularly change vendors knowing that companies like to offer new customers good service, or run applications that remove the "dirt and grime" that companies add to their IT products. Companies will do X and consumers fight back by doing Y. A game played over and over again.

    So here we have a case where using WiFi adds grime to a service that consumers want, and they are doing it in a way that thwarts previous Y type moves "(in case [where] the user's browser has disabled Javascript)".

    So now the ball is in the consumer's court. This is a product or service opportunity. The consumer is ready for an enterprising soul who'll offer a product or service that defeats this practice. If it's good it will make money.

    And the fight will continue.

    reply to this | link to this | view in chronology ]

  • icon
    afn29129 (profile), 25 Aug 2015 @ 4:53pm

    Call it alterations!

    "then make three edits..." No. Call it alterations.

    reply to this | link to this | view in chronology ]

  • icon
    Roger Strong (profile), 25 Aug 2015 @ 5:10pm

    Strictly Hypothetical

    A decade ago there was a wonderful demonstration of how easy it is to modify web pages passing through to a neighbor stealing your Wi-Fi. There are apps for your laptop or tablet that will turn it into a portable Wi-Fi hub.

    Which means that someone could stick a laptop or tablet in any public place with a high population density, use a misleading SSID, and serve up ads of their own. And possibly make enough money for it to be worthwhile.

    Or while passing through an airport terminal, add audio files to web pages yelling certain words that upset the local security.

    While I would never condone such behavior, I am naturally curious as to what ads and other page modifications people would serve up at various campaign rallies and political conventions next year.

    reply to this | link to this | view in chronology ]

  • icon
    techflaws (profile), 25 Aug 2015 @ 9:45pm

    In-Browser User Engagement Solutions.

    Nice newspak you got there, guys.

    reply to this | link to this | view in chronology ]

  • identicon
    Klaus, 25 Aug 2015 @ 10:58pm

    Another argument for HTTPS everywhere

    "When an HTML page loads over HTTP, the hotspot makes three edits. (HTTPS traffic is immune, since it’s end-to-end secure.)"

    From the link above.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Aug 2015 @ 7:04am

      Re: Another argument for HTTPS everywhere

      My first thought as well. The government may hate encryption, but things like that absolutely demonstrate why it's needed.

      It's no different than a ManInTheMiddle attack on the content you're viewing. If they can add Ad's to the content, they can do anything else to it as well.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 26 Aug 2015 @ 7:13am

        Re: Re: Another argument for HTTPS everywhere

        Do you mean every site should be using HTTPS (on which I agree with you), or are you advocating the "HTTPS Everywhere" browser plugin that is fairly useless?

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Aug 2015 @ 6:27am

    Re: "legally muddy area"

    Whether anybody has the funding to take on AT&T is the muddy part. This behavior is clearly illegal in a number of states.

    reply to this | link to this | view in chronology ]

  • icon
    tqk (profile), 26 Aug 2015 @ 3:51pm

    That's just marketing research!

    AT&T has sent us a statement indicating that this was part of a limited trial ...

    What's that have to do with anything? They most certainly were considering using it, and in fact used it even if in a limited trial. How many thousands of people per day use that airport finding them subject to this? How many third party web entities were illegally shouldered out of their rightful place by this bullying behavior?

    When a department of a corporation does something, it's lying to say it was only the marketing department was trying something out and the rest of the corp. shouldn't be blamed (you know, left hand, right hand). The truth is the corporation was trying something out, and it was being handled by its marketing dept. The corp. is responsible for corp. policy and for all acts perpetrated by its divisions and employees.

    Weasling doesn't cut it.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.