AT&T was caught injecting advertisements into traffic that goes through its free Wi-Fi hotspots, which is not only an inconvenience to the user, but may also introduce privacy and security concerns. This was discovered by Jonathan Mayer, a computer scientist and lawyer at Stanford University, while he was waiting for a delayed flight at Dulles Airport. Mayer noticed many of the sites he visited were cluttered with more ads than normal, and he soon tracked down the cause: the hotspot was editing the html pages that went across its network to inject scripts to fetch ads from third-party providers. AT&T was apparently making use of a service provided by RaGaPa, in order to monetize its network.
Although it is reasonable to expect that AT&T would try to find some way to monetize its free Wi-Fi service, Mayer points out some major issues with this particular method of monetization, "It exposes much of the user’s browsing activity to an undisclosed and untrusted business. It clutters the user’s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements." Also notable is the fact that there is nothing in the terms of service to indicate that ads will be injected. If they wanted to monetize the hotspot in this way, they should have at least disclosed it to the users.
AT&T was quick to respond to this issue and has already sent out messages to several sites that reported on it earlier in the day, "We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended," an AT&T spokesperson told Ars Technica, "The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast." However, just because the trial is over doesn't mean that they are never going to try this again.
AT&T isn't even the first company to try this sort of advertisement injection scheme, and likely won't be the last. As pointed out by the EFF twitter account, this is a good example as to why more sites should support HTTPS. Injections like this are impossible if the traffic is encrypted.
Do you think this was a bad move by AT&T, or is it okay for them to monetize their network in this manner? Leave your comments below.
