Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Hotspots Now Injecting Ads

Posted by Soulskill on from the more-ads,-in-more-places dept.

An anonymous reader writes: Computer scientist Jonathan Mayer did some investigating after seeing some unexpected ads while he browsed the web at an airport (Stanford hawking jewelry? The FCC selling shoes?). He found that AT&T's public Wi-Fi hotspot was messing with HTTP traffic, injecting advertisements using a service called RaGaPa. As an HTML pages loads over HTTP, the hotspot adds an advertising stylesheet, injects a simple advertisement image (as a backup), and then injects two scripts that control the loading and display of advertising content. Mayer writes, "AT&T has an (understandable) incentive to seek consumer-side income from its free Wi-Fi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user's browsing activity to an undisclosed and untrusted business. It clutters the user's web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service.3 And it introduces security and breakage risks, since website developers generally don't plan for extra scripts and layout elements."

15 of 187 comments (clear)

  1. Copyright? by msauve · · Score: 4, Insightful

    Why is modifying a web site in this way not copyright infringement? Is not AT&T creating an unauthorized derivative work?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Copyright? by wbr1 · · Score: 5, Insightful
      They are tampering with a data stream between client and server. That it is not encrypted is moot. This is a violation of the computer fraud and abuse act as well as FCC regulations. If they are a common carrier, they have no business at all tampering with the content.

      Will they be charged? Probably not, and if so it will be a minuscule financial fine.

      --
      Silence is a state of mime.
    2. Re:Copyright? by Anonymous Coward · · Score: 4, Insightful

      It definitely won't be the criminal penalties you or me would face if we did the same thing for monetary gain. There are two standards. One for corporations, and another standard for individuals. It's been that way for far too long.

  2. Let's call it what it is... MITM attack by Anonymous Coward · · Score: 2, Insightful

    AT&T is initiating a man-in-the-middle attack. Can you really trust those ads? I mean they're injecting scripts. Who knows what those do, right?

    1. Re:Let's call it what it is... MITM attack by Anonymous Coward · · Score: 2, Insightful

      Well, it's AT&T, than whom no corporation, unless perhaps Microsoft, has ever been friendlier to the National Security Agency. So, I'd guess that you have a pretty good idea of what AT&T's ads and scripts and zero-days could do, but admitting it to yourself is probably too traumatic.

  3. https by Anonymous Coward · · Score: 5, Insightful

    Time for https on all websites.

    1. Re:https by psyclone · · Score: 4, Insightful

      Yup. Encryption isn't just for people who have something to hide, it's for integrity of all communications, even if it's cat gifs.

  4. Re:Can You Say Lawsuit? by Dutch+Gun · · Score: 3, Insightful

    I wouldn't be surprised if a lawsuit occurs the first time malware is injected onto a user's machine though one of these advertisements. If this keeps happening, it's really only a matter of time.

    I think Comcast tried this same thing earlier, and temporarily backed off when people noticed them doing this and complained about it. Advertisements are bad enough, but you can sort of understand the desire of a website operator to want to pay for bandwidth. It's downright slimy when ads are simply injected in content someone doesn't own at all.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  5. Umm by MobileTatsu-NJG · · Score: 3, Insightful

    Didn't they claim to just be a carrier in order to not being held liable for what the users do with that connection? By delivering content they've created aren't they having their cake and eating it, too?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  6. Surprised? Don't be ... by gstoddart · · Score: 3, Insightful

    Anybody who is surprised by shit like this is an idiot.

    Everybody setting up "free" hotspots wants to monetize with anayltics and ads.

    Google wanting to sell you a router they can control is also going to lead to monetizing and ads.

    The problem is unless we have really good quality tools to block this shit, we're never going to stop it. And this is why we can't trust ad infrastructure at all and need to block it .. because it's being done by people who want money, and don't give a crap about your security of your privacy.

    Until this shit is deemed illegal (ie the computer fraud and abuse act), it will continue. Because the assholes at AT&T feel it is their right to do anything they want with your internet traffic.

    Never trust that "free" doesn't come with strings like this. And never trust than any corporation won't revert to being sociopaths and decide they can do anything they want to.

    --
    Lost at C:>. Found at C.
  7. Re:Free wifi by Anonymous Coward · · Score: 2, Insightful

    Adherence to the law.
    Even for free products.

  8. Re:Noscript by psyclone · · Score: 4, Insightful

    But they could inject local CSS and local scripts into the page, so if you trust the current hostname by default (which many do for basic functionality) then NoScript won't help you here.

  9. Re: Good News by Anonymous Coward · · Score: 4, Insightful

    The ONLY thing unsavory advertising, in any form, does is the exact opposite of the initial intent; i.e., "never buying that". Advertisers, regardless of the delivery, apparently are not smart enough to realize if you annoy people, you have LOST the sale.
    Plus, the whores are then really easy to spot. No resposible consumer likes a whore.

  10. Re: Good News by Ol+Olsoc · · Score: 4, Insightful

    The ONLY thing unsavory advertising, in any form, does is the exact opposite of the initial intent; i.e., "never buying that". Advertisers, regardless of the delivery, apparently are not smart enough to realize if you annoy people, you have LOST the sale. Plus, the whores are then really easy to spot. No resposible consumer likes a whore.

    Mod this guy up! Anything that manages to get through my defenses is put on the "Never ever" list.

    The sooner advertisers understand that, and the sooner they understand that if they put simple unobtrusive ads on web pages, the sooner we'll stop this war on web users.

    When your ads are having the opposite effect than you intended, maybe its time to change.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  11. Re: Good News by Chris+Johnson · · Score: 4, Insightful

    Have you tested this conclusion?

    If it turns out that advertisers can test this—for instance, on Facebook, let's say—and discovered that it's not true: that there's a measurable advantage to obnoxiousness in that you're outnumbered by the people who shrug off the obnoxiousness yet retain the payload then you're mistaken.

    I think they've already tested this, and we're seeing the outcome. Results are in: short of legislating better behavior, being abusive gets you enough local gains that it becomes a required strategy, impossible to compete against without adopting the same strategy.

    It would be nice if the 'I boycott youuuu!' reaction made any sort of difference, but clearly it does not.