One of the perks of signing a contract with AT&T, the largest mobile carrier in the United States by customer base, is the use of its 30,000 free nationwide Wi-Fi hotspots. They are ubiquitously located around airports, retail businesses, stadiums, hotels, convention centers, restaurants, and universities. But as one Stanford lawyer and computer scientist recently discovered, the free service has one dangerous caveat.
In his blog Web Policy, Jonathan Mayer accuses AT&T of injecting advertisements into web browsers connected to its hotspots. Mayer posted the damning evidence on his blog, which included screenshots of AT&T’s wrongdoings. Some screenshots show advertisements that force users to wait several seconds before continuing to browse the Internet, while others show large, intrusive banner ads on websites that either don’t advertise at all or do so lightly. These websites include Stanford University’s website and several US government sites, which were all injected with ads hawking jewelry and cosmetics.
Mayer also posted snippets of source code that show how the injection works. First, the hotspot adds a CSS stylesheet, then injects a backup advertisement for browsers that don’t support Javascript, and finally adds scripts that control advertisement loading and display. Those scripts import advertisements from third-party providers not affiliated with the original website.
Hide Your Kids, Hide Your Wi-Fi
This discourtesy comes courtesy of RaGaPa, a startup that purports to “monetize your network” and claims to be a “pioneer in In-Browser Content Insertion Technology.” It is used by venues to inject promoted content and advertisements onto all HTTP web pages using a venue’s Wi-Fi. RaGaPa’s technology allows Wi-Fi providers to monetize their “free” services.
The problem with this practice, other than barraging users with extra advertisements, is security. “It exposes much of the user’s browsing activity to an undisclosed and untrusted business,” Mayer writes. “And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements.”
Furthermore, it ruins the carefully crafted browsing experience intended by the website’s creators with clutter. The ads are also not clearly labeled as originating from the hotspot service rather than the website.
Infernal Ad Injectors
This sort of ad injection is very unpopular. Google pulled almost a third of its available browser plugins from the Chrome Web store for the deceptive practice. The Courtyard Marriott in Times Square also backed off after bad publicity resulting from using similar ad injection.
Legally speaking, ad injection lies in a grey area. “[…] The FCC’s net neutrality rules, the FTC’s unfairness and deception authorities (and state parallels), wiretapping statutes, pen register statutes, tortious interference, copyright, and more” would seem to prohibit it, Mayer argues. Yet the scam continues. To make matters worse, AT&T Wi-Fi’s terms of service make no mention of ad injection. Sneaky.
Fight Ad Injection Now!
Tired of ad injection when you connect to AT&T’s not-so-free Wi-Fi hotspots? You’re not alone. Here are some things you can try to avoid being pummelled with ads.
- If you want to connect your laptop to the Internet when you’re out and about, try setting up a Wi-Fi hotspot from your phone’s cellular data network and connecting to that.
- Ad-blocking plugins like AdBlock can also be an effective way to mitigate the risks associated with ad injection.
- Website developers can prevent ad injection by switching to the more secure HTTPS protocol, as software like RaGaPa’s can only affect HTTP pages.
Featured image: ACP prod / Dollar Photo Club
