Report: AT&T injecting advertising into websites when users connect to its Wi-Fi hotspots

AT&T (NYSE: T) is reportedly injecting advertising, sometimes for its own services, into unsecured websites of customers who use its Wi-Fi hotspots, according to a report from Stanford University computer science and legal lecturer Jonathan Mayer. AT&T said the practice was part of a trial that has since ended. 

While at Washington's Dulles International Airport, Mayer logged onto an AT&T Wi-Fi hotspot and noticed that pop-up and banner ads were being placed onto websites he was visiting. Some of the ads, he said, were for AT&T services, such as its Digital Life home automation platform, while others were for ads from other companies.

The ad injections seems to be coming from a company called RaGaPa, a Silicon Valley-based startup that bills itself as a "hotspot monetization" firm. "RaGaPa's exclusive technology inserts content displaying advertisement or other venue specific promoted content on every webpage a user visits using venues' internet access," the company says on its website. "This results in a recurring revenue stream for the venue. We call this 'Monetize Your Network.'"

Mayer noticed that when the an HTML page loaded over normal HTTP, the AT&T Wi-Fi hotspot made three edits to the HTML. As TechDirt points out, RaGaPa's technology injected an advertising style sheet, loaded backup advertisement (in case the user's browser has disabled Javascript) and the injection of a pair of scripts for managing advertisement selection and loading. None of those processes are mentioned anywhere in AT&T's terms of service.

"Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended," AT&T said in a statement to FierceWireless. "The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast."

Representatives from RaGaPa did not immediately respond to requests for comment, nor did spokesman for the FCC and Federal Trade Commission.

While Mayer notes that HTTPS traffic is immune to this process secured end-to-end, he criticized the practice. "AT&T has an (understandable) incentive to seek consumer-side income from its free Wi-Fi service, but this model of advertising injection is particularly unsavory," Mayer said in his blog post. "Among other drawbacks: It exposes much of the user's browsing activity to an undisclosed and untrusted business. It clutters the user's web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service."

The idea of injecting ads into HTML streams of Wi-Fi-connected devices is not unique to telecom providers. As TechDirt  points out, companies like ComcastMarriot and Samsung have all been caught engaging in the practice.

It's unclear if the practices violate the FCC's net neutrality rules. In addition to bans on blocking content, throttling content and paid prioritization, the regulations also include a "no-unreasonable interference/disadvantage standard." The standard is designed to protect the ability of consumers and content providers to use the Internet and connect to each other without being unreasonably interfered with or disadvantaged.

For more:
- see this WebPolicy post
- see this TechDirt article
- see this The Verge article 
- see this DSL Reports article 

Related Articles:
Verizon lets customers opt out of program that inserted 'super cookie' to track mobile browsing
AT&T stops adding 'super cookie' to track mobile browsing, but Verizon's program continues
Electronic Frontier Foundation: Verizon's Precision Market Insights profiling service raises concerns
AT&T AdWorks adds anonymous wireless customer data to TV ad targeting platform
IEEE study group recommends improvements in Wi-Fi security