AT&T Injecting Ads Into Its Wi-Fi Hotspot Data Streams

from the the-man-in-the-middle-is-a-bit-of-a-jerk dept

Tue, Aug 25th 2015 2:58pm — Karl Bode

Everybody wants a piece of the Internet advertising pie, and many are willing to sink to the very bottom of the well of stupidity to get what they believe is owed them. For years now ISPs, hardware vendors and even hotels simply haven't been able to help themselves, and have repeatedly been caught trying to inject their own ads over the top of user browsers and data streams. This is a terrible idea for a number of reasons, ranging from the fact that ad injection is effectively an attack on user traffic, to the obvious and inherent problem with defacing other people and organizations' websites and content with your own advertising prattle.

Still, companies like Comcast, Marriot and Samsung have all been caught trying to shove their ads over the top of user data streams. When pressed, most companies are utterly oblivious (or pretend to be utterly oblivious) as to why this behavior might not be that good of an idea.

AT&T appears to be the latest company to use its perceived power over the conduit to manipulate the message. Stanford computer science and legal lecturer Jonathan Mayer recently visited the Dulles airport in DC, and found AT&T's Wi-Fi hotspots pushing a number of pop up ads, overlaying themselves on browser content:

AT&T's hotspots (or at least the one in Dulles) appear to be using technology provided by RaGaPa, a startup that promotes itself as an expert in "Wi-Fi Monetization and In-Browser User Engagement Solutions." RaGaPa's tech loads the page via the hotspot, then make three edits over HTTP: the injection of an advertising style sheet, the loading a backup advertisement (in case the user's browser has disabled Javascript), and the injection of a pair of scripts for managing advertisement selection and loading. There's no mention of this practice anywhere in AT&T's terms of service.

As already noted, this type of injection is highly problematic and sets an awful precedent:

"AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user’s browsing activity to an undisclosed and untrusted business. It clutters the user’s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements."

As Mayer also notes, this is a legally muddy area, and, worried about regulatory wrist slaps, most busted ISPs have very quickly and sheepishly backed away from the practice for fear of legal repercussions. I reached out to AT&T to see whether this is a one-off instance of stupidity on the part of AT&T or somebody else (like Dulles), or if aggressively and idiotically injecting itself into the user browsing experience is now going to be AT&T's standard operating procedure across the company's network of 30,000+ Wi-Fi hotspots.

Update: AT&T has sent us a statement indicating that this was part of a limited trial:

"Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast."

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ad injection, advertisements, dulles, encryption, wifi hotspot
Companies: at&t, ragapa

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Brian (profile), 25 Aug 2015 @ 3:17pm

"[..] loads the page via the hotspot, then make three edits [..]"

Maybe website owners should go after the ISPs for copyright violations.
[ link to this | view in chronology ]
- Carlie Coats (profile), 25 Aug 2015 @ 4:22pm
  
  Criminal infrimgement; ex parte seizure?
  This is criminal copyright infringement for purposes of commercial advantage
  or private financial gain: see US Code Title 17 § 506:
  <https://www.law.cornell.edu/uscode/text/17/506>
  
  According to <https://www.fenwick.com/FenwickDocuments/Copyright_Pirates.pdf>,
  
  Under 17
  U.S.C. § 503(a) and Rule 65(b) of the Federal Rules of Civil
  Procedure (see also Copyright Rules, 17 U.S.C. foll. § 501), a
  federal judge can issue an ex parte order without any notice
  at all, requiring a U.S. Marshall or County Sheriff to raid
  the premises of an infringer and to seize and impound all
  unlawful copies, as well as masters, molds, tapes, negatives
  and other articles by means of which such copies can be
  reproduced...
  
  ...and AT&T and RaGaPa would certainly be subject to having all
  the related computing/networking equipment seized, as well as
  being hit for legal fees and costs. It couldn't happen to a nicer
  company (except maybe ComCast :-) )
  [ link to this | view in chronology ]
  - Anonymous Coward, 26 Aug 2015 @ 8:21am
    
    Re: Criminal infrimgement; ex parte seizure?
    there is a precedent: https://www.ftc.gov/enforcement/cases-proceedings/122-3161/acquinity-interactive-llc-et-al
    
    don't modify users http traffic
    [ link to this | view in chronology ]
  - Bergman (profile), 27 Aug 2015 @ 7:33am
    
    Re: Criminal infrimgement; ex parte seizure?
    It also violates the CFAA, unauthorized access of a computer to run advertisements.
    
    If what Swartz did violated the CFAA, this does to a far greater extent.
    [ link to this | view in chronology ]
nate (profile), 25 Aug 2015 @ 3:32pm

"RaGaPa's tech loads the page via the hotspot, then make three edits over HTTP: the injection of an advertising style sheet, the loading a backup advertisement (in case the user's browser has disabled Javascript), and the injection of a pair of scripts for managing advertisement selection and loading."

So this is clearly piracy, right?
[ link to this | view in chronology ]
That One Guy (profile), 25 Aug 2015 @ 3:44pm

See this?
This is exactly the kind of crap I run adblock for. Advertising companies may whine about how people are using adblock software, but they aren't the ones dealing with idiots who care more about their money than the user's computer security and ability to use a site without being bombarded by intrusive and annoying ads.

Make ads that are low-key, don't present a security threat, and by the FSM aren't pop-ups, and you might convince younger people that they don't need ad blocking software. Don't even bother spending time trying to convince older people though, they've seen what browsing is like without ad blocking software, and aren't likely to want to repeat the experience, ever.
[ link to this | view in chronology ]
That Anonymous Coward (profile), 25 Aug 2015 @ 3:44pm

"In-Browser User Engagement Solutions"
And what they failed to mention is they will engage users in ways to express their outrage & finding workarounds. It will help damage the brand, and when it finally starts infecting peoples computers you will then have to walk back your stupidity and the amount of fines & legal damages will outweigh anything you earned from this idiotic methods.

No end user thinks kindly of ads.
This type of intrusive kind is really shitty.
Isn't it bad enough you have supercookies, tracking IDs and the 1000 other ways you spy on consumers to make a buck enough? Do you really have to try and scrape that last half a cent out of it?
[ link to this | view in chronology ]
- TKnarr (profile), 25 Aug 2015 @ 8:19pm
  
  Re: "In-Browser User Engagement Solutions"
  I think it's time for a little user engagement here, of the sort usually covered by "rules of engagement". :) First, prime a browser so AT&T's serving up the most offensive, undesirable ads possible. Then hit some major news sites like CNN or the New York Times. Screen-grab the ads. Send them and dumps of the web page source to the site's complaints or abuse department attached to a complaint about the ads they're serving up, and topping it off with a complaint about how your antivirus software complained about other pages on their site as well and you're afraid it's those ads since you only have the problem when those ads show up. Slip in a mention somewhere about how it only happens when you're using AT&T's WiFi and can they check if they're doing something special for AT&T customers. I'd think even a few dozen complaints about bad ads and malware would get some attention, and attention from major news sites'll be a lot harder for AT&T to ignore.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2015 @ 3:47pm

So using lousy public wifi which is made worse by lousy ads that do nothing but annoy users. When was the last time an ad that you were forced to look at did something more than annoy you. Typical advertising, Techdirts is an exception, not distracting and sometimes neat but not overbearing, one of the few places adblocking is shut off
[ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2015 @ 4:09pm
  
  Re:
  Are they truly public wifi? I thought AT&T's wifi access points were only usable if you were an AT&T customer (having an AT&T wireless plan on your phone).
  
  Maybe they changed this.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 26 Aug 2015 @ 6:07am
    
    Re: Re:
    This hasn't been true for at least two years (I don't think it was ever true). Anyone can use the hotspots, but if you aren't an AT&T customer, you are limited to a certain number of hours per week for your total hotspot usage.
    [ link to this | view in chronology ]
  - WHT, 1 Oct 2015 @ 8:55pm
    
    AT&T Open Access
    Prior to 2006 or so, you had to have an AT&T DSL account to access the Wayport hotspots (AT&T bought out Wayport and provides service to Walmart and Home Depot now).
    
    All AT&T Wayport hotspots are open now.
    [ link to this | view in chronology ]
mb (profile), 25 Aug 2015 @ 3:54pm

U.S. Code § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited
This is such a clear violation of law in so many ways someone at AT&T should rot in prison for a very long time.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2015 @ 4:08pm
  
  Re: U.S. Code § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited
  Or, they'll update their TOS and be fine...
  [ link to this | view in chronology ]
DB (profile), 25 Aug 2015 @ 4:12pm

This is a blatant copyright violation.

But it's done by a big corporation, and therefore gets a pass.

If I copied the New York Times website, or published my version of the Washington Post, substituting my advertisements in place of theirs, I would be quickly sued.

This is no different from a copying viewpoint, and far worse for security.
[ link to this | view in chronology ]
- Anonymous Coward, 26 Aug 2015 @ 8:14am
  
  Re:
  I believe it would be a derivative work.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2015 @ 4:17pm

1) This is malware, plain and simple. They can try to spin this more than the Earth has turned in its lifetime but anything that takes over and/or overwrites a user's experience without their permission is effectively malware.

2) They're making bigger the problem that they themselves created. The whole reason for blocking javascript and popups and the proliferation of ad blockers is because these companies just can't help themselves to destroying the user's experience. This sort of thing that it's trying to circumvent is exactly the reason the thing they're trying to circumvent came into existence. It's an arms race.
[ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2015 @ 4:19pm

3) Can you imagine the absolute shitfit AT&T would have if, say, Google decided to inject ads over AT&T's website? They would be in court with million dollar lawyers before the HTML even finished drying.
[ link to this | view in chronology ]
- David, 26 Aug 2015 @ 7:02am
  
  Re:
  So, go to Verizons website, with the AT&T ad on top of it, and get Verizon to go after AT&T for unfair business practices. Let them eat each other.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2015 @ 4:34pm

Free hot spots could be advertising
You can make the whole thing painless to everyone by limiting the advertising to the initial splash-screen. People have to read the TOS and agree to them anyway, so might as well throw up a few ads on the side. These would ideally be to upgrade to a premium account with higher bandwidth and unlimited use for the rest of the day. If you are already an AT&T customer, you should automatically get the upgrade since you are in the club by already paying AT&T every month. Anything like the man in the middle attack that seems to be going on here, should be stopped immediately and anyone associated with that idea should be fired and monitored.
[ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2015 @ 4:35pm

i wonder what would happen if att were to plaster ads/posters on the doors and windows of brick&mortar stores

why do they think this is different?
[ link to this | view in chronology ]
Pronounce (profile), 25 Aug 2015 @ 4:36pm

A Niche Market Opportunity
You are a consumer, and you know that Big Business is in the business of screwing you over. But they hold the goods services you want, and you have to go through them to get these things. So you do things like regularly change vendors knowing that companies like to offer new customers good service, or run applications that remove the "dirt and grime" that companies add to their IT products. Companies will do X and consumers fight back by doing Y. A game played over and over again.

So here we have a case where using WiFi adds grime to a service that consumers want, and they are doing it in a way that thwarts previous Y type moves "(in case [where] the user's browser has disabled Javascript)".

So now the ball is in the consumer's court. This is a product or service opportunity. The consumer is ready for an enterprising soul who'll offer a product or service that defeats this practice. If it's good it will make money.

And the fight will continue.
[ link to this | view in chronology ]
afn29129 (profile), 25 Aug 2015 @ 4:53pm

Call it alterations!
"then make three edits..." No. Call it alterations.
[ link to this | view in chronology ]
Roger Strong (profile), 25 Aug 2015 @ 5:10pm

Strictly Hypothetical
A decade ago there was a wonderful demonstration of how easy it is to modify web pages passing through to a neighbor stealing your Wi-Fi. There are apps for your laptop or tablet that will turn it into a portable Wi-Fi hub.

Which means that someone could stick a laptop or tablet in any public place with a high population density, use a misleading SSID, and serve up ads of their own. And possibly make enough money for it to be worthwhile.

Or while passing through an airport terminal, add audio files to web pages yelling certain words that upset the local security.

While I would never condone such behavior, I am naturally curious as to what ads and other page modifications people would serve up at various campaign rallies and political conventions next year.
[ link to this | view in chronology ]
techflaws (profile), 25 Aug 2015 @ 9:45pm

In-Browser User Engagement Solutions.

Nice newspak you got there, guys.
[ link to this | view in chronology ]
Klaus, 25 Aug 2015 @ 10:58pm

Another argument for HTTPS everywhere
"When an HTML page loads over HTTP, the hotspot makes three edits. (HTTPS traffic is immune, since it’s end-to-end secure.)"

From the link above.
[ link to this | view in chronology ]
- Anonymous Coward, 26 Aug 2015 @ 7:04am
  
  Re: Another argument for HTTPS everywhere
  My first thought as well. The government may hate encryption, but things like that absolutely demonstrate why it's needed.
  
  It's no different than a ManInTheMiddle attack on the content you're viewing. If they can add Ad's to the content, they can do anything else to it as well.
  [ link to this | view in chronology ]
  - Anonymous Coward, 26 Aug 2015 @ 7:13am
    
    Re: Re: Another argument for HTTPS everywhere
    Do you mean every site should be using HTTPS (on which I agree with you), or are you advocating the "HTTPS Everywhere" browser plugin that is fairly useless?
    [ link to this | view in chronology ]
Anonymous Coward, 26 Aug 2015 @ 6:27am

Re: "legally muddy area"
Whether anybody has the funding to take on AT&T is the muddy part. This behavior is clearly illegal in a number of states.
[ link to this | view in chronology ]
tqk (profile), 26 Aug 2015 @ 3:51pm

That's just marketing research!
AT&T has sent us a statement indicating that this was part of a limited trial ...

What's that have to do with anything? They most certainly were considering using it, and in fact used it even if in a limited trial. How many thousands of people per day use that airport finding them subject to this? How many third party web entities were illegally shouldered out of their rightful place by this bullying behavior?

When a department of a corporation does something, it's lying to say it was only the marketing department was trying something out and the rest of the corp. shouldn't be blamed (you know, left hand, right hand). The truth is the corporation was trying something out, and it was being handled by its marketing dept. The corp. is responsible for corp. policy and for all acts perpetrated by its divisions and employees.

Weasling doesn't cut it.
[ link to this | view in chronology ]