AT&T Injecting Ads Into Its Wi-Fi Hotspot Data Streams
from the the-man-in-the-middle-is-a-bit-of-a-jerk dept
Everybody wants a piece of the Internet advertising pie, and many are willing to sink to the very bottom of the well of stupidity to get what they believe is owed them. For years now ISPs, hardware vendors and even hotels simply haven’t been able to help themselves, and have repeatedly been caught trying to inject their own ads over the top of user browsers and data streams. This is a terrible idea for a number of reasons, ranging from the fact that ad injection is effectively an attack on user traffic, to the obvious and inherent problem with defacing other people and organizations’ websites and content with your own advertising prattle.
Still, companies like Comcast, Marriot and Samsung have all been caught trying to shove their ads over the top of user data streams. When pressed, most companies are utterly oblivious (or pretend to be utterly oblivious) as to why this behavior might not be that good of an idea.
AT&T appears to be the latest company to use its perceived power over the conduit to manipulate the message. Stanford computer science and legal lecturer Jonathan Mayer recently visited the Dulles airport in DC, and found AT&T’s Wi-Fi hotspots pushing a number of pop up ads, overlaying themselves on browser content:
As already noted, this type of injection is highly problematic and sets an awful precedent:
“AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user?s browsing activity to an undisclosed and untrusted business. It clutters the user?s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don?t plan for extra scripts and layout elements.”
As Mayer also notes, this is a legally muddy area, and, worried about regulatory wrist slaps, most busted ISPs have very quickly and sheepishly backed away from the practice for fear of legal repercussions. I reached out to AT&T to see whether this is a one-off instance of stupidity on the part of AT&T or somebody else (like Dulles), or if aggressively and idiotically injecting itself into the user browsing experience is now going to be AT&T’s standard operating procedure across the company’s network of 30,000+ Wi-Fi hotspots.
Update: AT&T has sent us a statement indicating that this was part of a limited trial:
“Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.”
Filed Under: ad injection, advertisements, dulles, encryption, wifi hotspot
Companies: at&t, ragapa
Comments on “AT&T Injecting Ads Into Its Wi-Fi Hotspot Data Streams”
“[..] loads the page via the hotspot, then make three edits [..]”
Maybe website owners should go after the ISPs for copyright violations.
Re: Criminal infrimgement; ex parte seizure?
This is criminal copyright infringement for purposes of commercial advantage
or private financial gain: see US Code Title 17 § 506:
<https://www.law.cornell.edu/uscode/text/17/506>
According to <https://www.fenwick.com/FenwickDocuments/Copyright_Pirates.pdf>,
…and AT&T and RaGaPa would certainly be subject to having all
the related computing/networking equipment seized, as well as
being hit for legal fees and costs. It couldn’t happen to a nicer
company (except maybe ComCast 🙂 )
Re: Re: Criminal infrimgement; ex parte seizure?
there is a precedent: https://www.ftc.gov/enforcement/cases-proceedings/122-3161/acquinity-interactive-llc-et-al
don’t modify users http traffic
Re: Re: Criminal infrimgement; ex parte seizure?
It also violates the CFAA, unauthorized access of a computer to run advertisements.
If what Swartz did violated the CFAA, this does to a far greater extent.
“RaGaPa’s tech loads the page via the hotspot, then make three edits over HTTP: the injection of an advertising style sheet, the loading a backup advertisement (in case the user’s browser has disabled Javascript), and the injection of a pair of scripts for managing advertisement selection and loading.”
So this is clearly piracy, right?
See this?
This is exactly the kind of crap I run adblock for. Advertising companies may whine about how people are using adblock software, but they aren’t the ones dealing with idiots who care more about their money than the user’s computer security and ability to use a site without being bombarded by intrusive and annoying ads.
Make ads that are low-key, don’t present a security threat, and by the FSM aren’t pop-ups, and you might convince younger people that they don’t need ad blocking software. Don’t even bother spending time trying to convince older people though, they’ve seen what browsing is like without ad blocking software, and aren’t likely to want to repeat the experience, ever.
“In-Browser User Engagement Solutions”
And what they failed to mention is they will engage users in ways to express their outrage & finding workarounds. It will help damage the brand, and when it finally starts infecting peoples computers you will then have to walk back your stupidity and the amount of fines & legal damages will outweigh anything you earned from this idiotic methods.
No end user thinks kindly of ads.
This type of intrusive kind is really shitty.
Isn’t it bad enough you have supercookies, tracking IDs and the 1000 other ways you spy on consumers to make a buck enough? Do you really have to try and scrape that last half a cent out of it?
Re: "In-Browser User Engagement Solutions"
I think it’s time for a little user engagement here, of the sort usually covered by “rules of engagement”. 🙂 First, prime a browser so AT&T’s serving up the most offensive, undesirable ads possible. Then hit some major news sites like CNN or the New York Times. Screen-grab the ads. Send them and dumps of the web page source to the site’s complaints or abuse department attached to a complaint about the ads they’re serving up, and topping it off with a complaint about how your antivirus software complained about other pages on their site as well and you’re afraid it’s those ads since you only have the problem when those ads show up. Slip in a mention somewhere about how it only happens when you’re using AT&T’s WiFi and can they check if they’re doing something special for AT&T customers. I’d think even a few dozen complaints about bad ads and malware would get some attention, and attention from major news sites’ll be a lot harder for AT&T to ignore.
So using lousy public wifi which is made worse by lousy ads that do nothing but annoy users. When was the last time an ad that you were forced to look at did something more than annoy you. Typical advertising, Techdirts is an exception, not distracting and sometimes neat but not overbearing, one of the few places adblocking is shut off
Re: Re:
Are they truly public wifi? I thought AT&T’s wifi access points were only usable if you were an AT&T customer (having an AT&T wireless plan on your phone).
Maybe they changed this.
Re: Re: Re:
This hasn’t been true for at least two years (I don’t think it was ever true). Anyone can use the hotspots, but if you aren’t an AT&T customer, you are limited to a certain number of hours per week for your total hotspot usage.
Re: Re: AT&T Open Access
Prior to 2006 or so, you had to have an AT&T DSL account to access the Wayport hotspots (AT&T bought out Wayport and provides service to Walmart and Home Depot now).
All AT&T Wayport hotspots are open now.
U.S. Code § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited
This is such a clear violation of law in so many ways someone at AT&T should rot in prison for a very long time.
Re: U.S. Code § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited
Or, they’ll update their TOS and be fine…
This is a blatant copyright violation.
But it’s done by a big corporation, and therefore gets a pass.
If I copied the New York Times website, or published my version of the Washington Post, substituting my advertisements in place of theirs, I would be quickly sued.
This is no different from a copying viewpoint, and far worse for security.
Re: Re:
I believe it would be a derivative work.
1) This is malware, plain and simple. They can try to spin this more than the Earth has turned in its lifetime but anything that takes over and/or overwrites a user’s experience without their permission is effectively malware.
2) They’re making bigger the problem that they themselves created. The whole reason for blocking javascript and popups and the proliferation of ad blockers is because these companies just can’t help themselves to destroying the user’s experience. This sort of thing that it’s trying to circumvent is exactly the reason the thing they’re trying to circumvent came into existence. It’s an arms race.
3) Can you imagine the absolute shitfit AT&T would have if, say, Google decided to inject ads over AT&T’s website? They would be in court with million dollar lawyers before the HTML even finished drying.
Re: Re:
So, go to Verizons website, with the AT&T ad on top of it, and get Verizon to go after AT&T for unfair business practices. Let them eat each other.
Free hot spots could be advertising
You can make the whole thing painless to everyone by limiting the advertising to the initial splash-screen. People have to read the TOS and agree to them anyway, so might as well throw up a few ads on the side. These would ideally be to upgrade to a premium account with higher bandwidth and unlimited use for the rest of the day. If you are already an AT&T customer, you should automatically get the upgrade since you are in the club by already paying AT&T every month. Anything like the man in the middle attack that seems to be going on here, should be stopped immediately and anyone associated with that idea should be fired and monitored.
i wonder what would happen if att were to plaster ads/posters on the doors and windows of brick&mortar stores
why do they think this is different?
A Niche Market Opportunity
You are a consumer, and you know that Big Business is in the business of screwing you over. But they hold the goods services you want, and you have to go through them to get these things. So you do things like regularly change vendors knowing that companies like to offer new customers good service, or run applications that remove the “dirt and grime” that companies add to their IT products. Companies will do X and consumers fight back by doing Y. A game played over and over again.
So here we have a case where using WiFi adds grime to a service that consumers want, and they are doing it in a way that thwarts previous Y type moves “(in case [where] the user’s browser has disabled Javascript)”.
So now the ball is in the consumer’s court. This is a product or service opportunity. The consumer is ready for an enterprising soul who’ll offer a product or service that defeats this practice. If it’s good it will make money.
And the fight will continue.
Call it alterations!
“then make three edits…” No. Call it alterations.
Strictly Hypothetical
A decade ago there was a wonderful demonstration of how easy it is to modify web pages passing through to a neighbor stealing your Wi-Fi. There are apps for your laptop or tablet that will turn it into a portable Wi-Fi hub.
Which means that someone could stick a laptop or tablet in any public place with a high population density, use a misleading SSID, and serve up ads of their own. And possibly make enough money for it to be worthwhile.
Or while passing through an airport terminal, add audio files to web pages yelling certain words that upset the local security.
While I would never condone such behavior, I am naturally curious as to what ads and other page modifications people would serve up at various campaign rallies and political conventions next year.
In-Browser User Engagement Solutions.
Nice newspak you got there, guys.
Another argument for HTTPS everywhere
“When an HTML page loads over HTTP, the hotspot makes three edits. (HTTPS traffic is immune, since it’s end-to-end secure.)”
From the link above.
Re: Another argument for HTTPS everywhere
My first thought as well. The government may hate encryption, but things like that absolutely demonstrate why it’s needed.
It’s no different than a ManInTheMiddle attack on the content you’re viewing. If they can add Ad’s to the content, they can do anything else to it as well.
Re: Re: Another argument for HTTPS everywhere
Do you mean every site should be using HTTPS (on which I agree with you), or are you advocating the “HTTPS Everywhere” browser plugin that is fairly useless?
"legally muddy area"
Whether anybody has the funding to take on AT&T is the muddy part. This behavior is clearly illegal in a number of states.
That's just marketing research!
What’s that have to do with anything? They most certainly were considering using it, and in fact used it even if in a limited trial. How many thousands of people per day use that airport finding them subject to this? How many third party web entities were illegally shouldered out of their rightful place by this bullying behavior?
When a department of a corporation does something, it’s lying to say it was only the marketing department was trying something out and the rest of the corp. shouldn’t be blamed (you know, left hand, right hand). The truth is the corporation was trying something out, and it was being handled by its marketing dept. The corp. is responsible for corp. policy and for all acts perpetrated by its divisions and employees.
Weasling doesn’t cut it.