Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
AT&T Security The Internet

AT&T Hotspots Now Injecting Ads 187

An anonymous reader writes: Computer scientist Jonathan Mayer did some investigating after seeing some unexpected ads while he browsed the web at an airport (Stanford hawking jewelry? The FCC selling shoes?). He found that AT&T's public Wi-Fi hotspot was messing with HTTP traffic, injecting advertisements using a service called RaGaPa. As an HTML pages loads over HTTP, the hotspot adds an advertising stylesheet, injects a simple advertisement image (as a backup), and then injects two scripts that control the loading and display of advertising content. Mayer writes, "AT&T has an (understandable) incentive to seek consumer-side income from its free Wi-Fi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user's browsing activity to an undisclosed and untrusted business. It clutters the user's web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service.3 And it introduces security and breakage risks, since website developers generally don't plan for extra scripts and layout elements."
This discussion has been archived. No new comments can be posted.

AT&T Hotspots Now Injecting Ads

Comments Filter:
  • Good News (Score:4, Interesting)

    by binarylarry ( 1338699 ) on Tuesday August 25, 2015 @06:42PM (#50391791)

    Soon someone will have a script or browser extension for this.

    • Re: Good News (Score:4, Insightful)

      by Anonymous Coward on Tuesday August 25, 2015 @07:55PM (#50392255)

      The ONLY thing unsavory advertising, in any form, does is the exact opposite of the initial intent; i.e., "never buying that". Advertisers, regardless of the delivery, apparently are not smart enough to realize if you annoy people, you have LOST the sale.
      Plus, the whores are then really easy to spot. No resposible consumer likes a whore.

      • Re: Good News (Score:5, Insightful)

        by Ol Olsoc ( 1175323 ) on Tuesday August 25, 2015 @09:06PM (#50392553)

        The ONLY thing unsavory advertising, in any form, does is the exact opposite of the initial intent; i.e., "never buying that". Advertisers, regardless of the delivery, apparently are not smart enough to realize if you annoy people, you have LOST the sale. Plus, the whores are then really easy to spot. No resposible consumer likes a whore.

        Mod this guy up! Anything that manages to get through my defenses is put on the "Never ever" list.

        The sooner advertisers understand that, and the sooner they understand that if they put simple unobtrusive ads on web pages, the sooner we'll stop this war on web users.

        When your ads are having the opposite effect than you intended, maybe its time to change.

        • by Vokkyt ( 739289 )

          I agree with you in principle, but I think you're missing that you're not all that important to advertisers as an individual. AT&T's actions are frustrating and dangerous, but they really aren't concerned about the buying habits of habitual ad-blockers. You are collateral damage as far as the advertising goes, not a "valued consumer". The people that these ads target are not you; you just happen to see them. There is a subset of people who do buy whatever junk an ad thrusts at them; if it's not you, the

          • I agree with you in principle, but I think you're missing that you're not all that important to advertisers as an individual. AT&T's actions are frustrating and dangerous, but they really aren't concerned about the buying habits of habitual ad-blockers. You are collateral damage as far as the advertising goes, not a "valued consumer".

            Perhaps. But when ordinary people can suddenly speed up the internet by blocking that shit, it starts to become a problem. I've noted in another post in this thread how I've sped up people's browsers by installing adblock and others. None of them are computing geniuses, they are just tired of paying for fast internet connections to be yanked back into dialup world because of loading all the ads. And being normal people, they don't mind the ads, just the inconvenience.

            tl;dr version

            Regular folks will put

        • Re: Good News (Score:5, Insightful)

          by Chris Johnson ( 580 ) on Wednesday August 26, 2015 @06:29AM (#50393993) Homepage Journal

          Have you tested this conclusion?

          If it turns out that advertisers can test this—for instance, on Facebook, let's say—and discovered that it's not true: that there's a measurable advantage to obnoxiousness in that you're outnumbered by the people who shrug off the obnoxiousness yet retain the payload then you're mistaken.

          I think they've already tested this, and we're seeing the outcome. Results are in: short of legislating better behavior, being abusive gets you enough local gains that it becomes a required strategy, impossible to compete against without adopting the same strategy.

          It would be nice if the 'I boycott youuuu!' reaction made any sort of difference, but clearly it does not.

      • You make it sound like whores are bad.
  • by sinij ( 911942 ) on Tuesday August 25, 2015 @06:43PM (#50391795)
    Free WiFi is a trap, news at 11!
    • by swb ( 14022 ) on Tuesday August 25, 2015 @07:08PM (#50391943)

      The free ATT hotspots I've found to be basically unusable tarpits of service that would make me grateful for the whine and hiss of a 9600 baud modem.

      I've mostly encountered them at McDonalds where they were almost always unusable. I kind of wonder how they get their Internet service for these, whether they just steal from whatever the specific franchise might have or whether it's something more retarded, like an ancient 3G hotspot above the ceiling.

      • https://www.youtube.com/watch?... [youtube.com]

        (Yeah, it's not 9600, sorry.)
        • by Dunbal ( 464142 ) *
          I once got a 300 baud modem to handshake with me by whistling the carrier tone.
          • I once got a 300 baud modem to handshake with me by whistling the carrier tone.

            I was going to say something snarky like "women must have been fighting over each other for you", but you know what ? That's actually damn cool!

      • by adolf ( 21054 )

        AT&T's hotspots used to be faster back when they were non-free.

        I used them a few times back then, generally at McDonald's, as an AT&T customer ("free" for me).

        They seemed backed by a T1, based on speeds and traceroute guessery in an empty store. And that was generally better than the alternatives at that time (3G or nothing), so was certainly welcome. But that was a different time...

        These days a T1 with multiple freeloading users is painfully slow. Overall experience can be helped considerably wi

        • by swb ( 14022 )

          I only tried using them when I first got my cellular-enabled iPad. Because it was an ATT cellular model, they would automatically associate with ATT hotspots and I figured that was better than the buy-as-you-go data I used at the time.

          I gave up when I realized how unusable they were and just disabled the ATT hotspot association and used LTE, which was much faster.

        • by cdrudge ( 68377 )

          These days a T1 with multiple freeloading users is painfully slow.

          These days a T1 is painfully slow, even without multiple or even a single other user. I can't think of any reason to still use a dedicated circuit like that unless you absolutely positively need the guaranteed bandwidth and SLA service...or there was absolutely no other option.

          • by adolf ( 21054 )

            Painfully slow for what?

            For /.? For email? Gaming? Streaming audio? Facebook? Youtube? Netflix? Downloading Linux ISOs from TPB?

            1.544Mbps is plenty for lots of things and insufficient for some other things.

    • But I pay for AT&T service and as part of that service they claim access to free wi-fi hotspots of theirs. I think this means that I PAY for these hotspots. So having advertisements in a paid service is obscene (well, more obscene than general purpose advertising). They don't need this side income from their paying customers.

      • But I pay for AT&T service and as part of that service they claim access to free wi-fi hotspots of theirs. I think this means that I PAY for these hotspots. So having advertisements in a paid service is obscene (well, more obscene than general purpose advertising). They don't need this side income from their paying customers.

        Yeah. Like their ad-free U-verse service. Oh no... wait. Look, advertising isn't the problem. A pre-roll add, or whatever wouldn't be offensive (just annoying). But injecting code into other people's sites. Yeah... not good.

  • Copyright? (Score:5, Insightful)

    by msauve ( 701917 ) on Tuesday August 25, 2015 @06:45PM (#50391809)
    Why is modifying a web site in this way not copyright infringement? Is not AT&T creating an unauthorized derivative work?
    • Re:Copyright? (Score:5, Insightful)

      by wbr1 ( 2538558 ) on Tuesday August 25, 2015 @06:55PM (#50391867)
      They are tampering with a data stream between client and server. That it is not encrypted is moot. This is a violation of the computer fraud and abuse act as well as FCC regulations. If they are a common carrier, they have no business at all tampering with the content.

      Will they be charged? Probably not, and if so it will be a minuscule financial fine.

      • Re:Copyright? (Score:4, Insightful)

        by Anonymous Coward on Tuesday August 25, 2015 @07:11PM (#50391965)

        It definitely won't be the criminal penalties you or me would face if we did the same thing for monetary gain. There are two standards. One for corporations, and another standard for individuals. It's been that way for far too long.

        • It definitely won't be the criminal penalties you or me would face if we did the same thing for monetary gain. There are two standards. One for corporations, and another standard for individuals. It's been that way for far too long.

          So incorporate. No reason not to enjoy the protections that the law was specifically written to provide.

          • by wbr1 ( 2538558 )
            Maybe, like Michael Valentine Smith, I will chose to discorporate.
          • by cfalcon ( 779563 ) on Wednesday August 26, 2015 @01:11AM (#50393257)

            At the point where you have to spend a bunch of money in order to be treated with the proper legal regard, you have "privilege" - literally "private law". You are espousing a tiered set of laws based on how much money you pay, correct? Do you see a lot of good coming from this? Do you normally favor government owned monopolies, or are you just making a special exemption here?

        • by Alumoi ( 1321661 )

          And this is how things are supposed to be. After all, you, the individual, do not spend a shitload of money on politicians

      • Re:Copyright? (Score:5, Interesting)

        by wbr1 ( 2538558 ) on Tuesday August 25, 2015 @07:30PM (#50392075)
        To clarify. From the fraud and abuse act

        In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the inter-state nature of most internet communication.

        ....

        (5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

        Sending my PC an ad, at the bear minimum causes damage due to increased wear on storage devices. At its worst it installs malware or defrauds such as to install malware.

        Perhaps more relevant is mail and wire fraud:

        18 U.S.C. 1343 provides:

        Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.

        • by piojo ( 995934 )

          I'm not sure either of those applies. I'm no lawyer, but I doubt a judge or jury would agree with your interpretation of "intentionally causes damage". First of all, wear and tear is not damage. When you finish an apartment lease, the landlord cannot keep your deposit to pay for wear and tear. When you rent a car, you are not charged damages for wear and tear. When you borrow something, it would be unheard of to hold you accountable for wear and tear. Furthermore, how do you prove it? Due to the way hard dr

          • I'm not sure either of those applies. I'm no lawyer, but I doubt a judge or jury would agree with your interpretation of "intentionally causes damage".

            Agreed.

            In the wire fraud definition you cited, I don't think AT&T is fulfilling the core of the definition: "defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises". Advertising, by and large, is not considered fraud (as much as we might feel that way about most ads we see).

            Here I'm not so certain. The fraud isn't the ad itself, but the fact that the ad being on the site claims a relationship between their client (the advertiser) and the site owner that does not exist. Stanford accepted that jewelry ad? They must be legit. My favourite webcomic is advertising X? Well I know the guy really vets his advertisers and I like to support the comic so I'll go through.

            Of course AT&T is not the first to insert their own ads into web pages, any charges are likely thwarted by w

            • by JazzLad ( 935151 )
              Also no lawyer, but I think it would be up to Stanford and the webcomic to sue AT&T (and gosh, would I love to see that).
        • by Raenex ( 947668 )

          They probably have a terms of service that you have to agree to before you can browse web pages that explicitly allows them to do this.

      • Prepare to be flamed by cretins who have no sympathy for your making the reasonable assumption that ISPs are common carriers (which they are by nature but not in US law).

        • by HiThere ( 15173 )

          ISPs may not be common carriers under US law, but I believe that AT&T *is* a common carrier under US law.

      • by pepty ( 1976012 )
        So long as RaGaPa doesn't try to inject ads into Google search results pages they will probably be fine.
    • Re:Copyright? (Score:4, Interesting)

      by adolf ( 21054 ) <flodadolf@gmail.com> on Tuesday August 25, 2015 @08:10PM (#50392315) Journal

      Is using a browser on a dumb phone with a WAP gateway creating a derivative work?

      Is using the Readability bookmarklet [readability.com] creating a derivative work?

      Both of these things have been happening for number of years (over a decade, in the first example). They simply reformat web pages.

      Now that you've thought about these questions for a moment, consider: If they reformatted a web page and added advertising, does that addition of advertising affect the things status as a (non-)derivative work? (Aside from making you livid, of course. I'm not happy about ads, either.)

      • Along those lines, is using adblock+ copyright infringement? Is something that was served up dynamically copyrightable?
        • IANAL; if this matters to you, find somebody who is. I'm not liable for the actions of people who rely on the uneducated legal musings of a pseudonymous Internet user.

          Something that is put together creatively on the spot is copyrighted automatically, but it isn't a registered copyright, and there's (IIRC) no statutory damages there. So, to get in trouble, it would be necessary to establish (a) that something with outside content selected by algorithm is creative (that could go either way), (b) that th

    • Why is modifying a web site in this way not copyright infringement? Is not AT&T creating an unauthorized derivative work?

      It is! I used to run an Anon Service and had a lengthy discussion with my attorney about doing something like what they are doing.

      My idea was to capture the banner ad's and replace them with my own as the proxy processed the web page. I was not going to add to it or inject scripts. Just replace the banner ad's with ones my sponsors were paying for.

      The final decision was to go with a set of frames and tag the banner ad in the top frame as being a sponsor of the anon-service while displaying the requested pag

    • by coats ( 1068 )
      They are creatilng an unauthorized derivative work for commercial gain: this is criminal copyright infringement; see the relevant chunk of the Copyright Act: US Code Title 17, Section 506 (here courtesy of the Cornel Legal Information Institute, https://www.law.cornell.edu/uscode/text/17/506 [cornell.edu])
    • There's also a trademark issue. Suppose I load Bruce Schneier's web site and his site has an ad for some bogus "security" software. That reflects poorly on Bruce because it appears that Bruce is endorsing, or at least tolerant of, the scam software. Similarly, suppose I load DaveRamsey.com and his page contains ads questionable financial products. Dave's brand is damaged by falsely associating those products with his trademarked brand.

    • The obvious thing to do is to make some static but halfway useful web pages, and register their copyrights. Put a prominent copyright notice on them. Record how they come out of AT&T's hotspot. Sue AT the minimum statutory damages for violating a registered copyright are plenty enough to cover the expenses, bearing in mind that the money amount is (IIRC) per copyrighted work.

  • by Anonymous Coward

    AT&T is initiating a man-in-the-middle attack. Can you really trust those ads? I mean they're injecting scripts. Who knows what those do, right?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Well, it's AT&T, than whom no corporation, unless perhaps Microsoft, has ever been friendlier to the National Security Agency. So, I'd guess that you have a pretty good idea of what AT&T's ads and scripts and zero-days could do, but admitting it to yourself is probably too traumatic.

  • Can You Say Lawsuit? (Score:4, Interesting)

    by Marlin Schwanke ( 3574769 ) on Tuesday August 25, 2015 @06:47PM (#50391821)
    So, basically AT&T is placing their advertising on someone's web site without paying for the privilege? Were I the content owner, I'd be speaking to my lawyers first thing. The sad thing is that major companies don't even seem to worry breaching the public's trus or their reputations anymore. How long until Comcast decides to force extra advertising into my cable internet browsing. Oh! That's right, I cancelled them after the NetFlix throttling episode. So now, I guess I have to cancel DirecTV (AT&T) too.
    • by jeek ( 37349 )

      Wasn't it Comcast who broke the world's email for days when they thought it was worth the advertising dollars to redirect all nonexistent domains to an ad-laden server they set up?

    • by Dutch Gun ( 899105 ) on Tuesday August 25, 2015 @06:56PM (#50391873)

      I wouldn't be surprised if a lawsuit occurs the first time malware is injected onto a user's machine though one of these advertisements. If this keeps happening, it's really only a matter of time.

      I think Comcast tried this same thing earlier, and temporarily backed off when people noticed them doing this and complained about it. Advertisements are bad enough, but you can sort of understand the desire of a website operator to want to pay for bandwidth. It's downright slimy when ads are simply injected in content someone doesn't own at all.

      • But these AT&T hotspots are intended for AT&T's paying customers. They're not free hotspots for freeloaders. They don't need the side income to pay for the bandwidth since they already claimed in their marketing that these hotspots were a part of their customer ISP and mobile phone packages. This marketing undoubtedly attracted customers who otherwise would have chosen other providers.

        • But these AT&T hotspots are intended for AT&T's paying customers. They're not free hotspots for freeloaders.

          I'm not sure how you come to that conclusion given that it sounded like it was an open wifi spot in an airport. There was no mention that this was a paid access point, like with the Boingo partnership [pcmag.com] a few years ago. The article calls it "free", but it actually required paid access, so apparently there's some confusion on PC Mag's part as to what the word "free" means.

          My guess? Few customers bothered with the paid access plans, so they're trying to figure out other ways of monetizing those hotspots, and

          • by gl4ss ( 559668 )

            it's "free" in the sense that they don't want to agree that it's a service they sell to you(and be responsible for).

            it's also free in the same sense that at&t unlimited 4g is "unlimited".

      • Imagine if all the backbones inserted ads. A page with just "hello world!" would become a jumbled mess of ads and scripts.
  • https (Score:5, Insightful)

    by Anonymous Coward on Tuesday August 25, 2015 @06:53PM (#50391851)

    Time for https on all websites.

  • Piracy? (Score:5, Funny)

    by hawguy ( 1600213 ) on Tuesday August 25, 2015 @06:55PM (#50391869)

    So when I browse Pirate Torrent sites at an AT&T hotspot, then AT&T can get sued for profiting from piracy?

    • by DewDude ( 537374 )
      They would likely claim safe harbor...saying they didn't know what content they were injecting ads in. They'd probably be shooting themselves in the foot when admitting they blindly added advertising to everything.
  • Free wifi (Score:2, Interesting)

    by Archfeld ( 6757 )

    and you wonder that they push ads ? Provide your own connection and stop using free ones. While I think it is low class, what do you expect for FREE ?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Adherence to the law.
      Even for free products.

    • Re:Free wifi (Score:4, Interesting)

      by andymadigan ( 792996 ) <amadigan@@@gmail...com> on Tuesday August 25, 2015 @07:34PM (#50392097)
      Fine, but require AT&T to disclose (in large font) that it's not an internet connection, since the content is being modified en route.

      Something like:

      WARNING: Web pages you view may be recorded or altered by AT&T or its affiliates. Web pages and other content retrieved may not reflect the content available over a standard internet connection. Information you enter or retrieve may be transferred or sold to third parties. AT&T is not responsible for malware injected into your content by its affiliates, or damage done to you or your computer by said malware.

      (Actually, I think that last sentence should be in large font at the top of every web page that uses ads inject by third parties)
      • WARNING: Web pages you view may be recorded or altered by AT&T or its affiliates. Web pages and other content retrieved may not reflect the content available over a standard internet connection. Information you enter or retrieve may be transferred or sold to third parties. AT&T is not responsible for malware injected into your content by its affiliates, or damage done to you or your computer by said malware.

        Add to that "Do not use this connection under any circumstances."

      • In other words, if somebody is accessing my web site (unavailable at the moment, need rehosting), AT&T is supposed to confess to violating my copyright? My website is copyright by me, and any modifications of my copyrighted material without my permission is copyright infringement (although damages are trivial unless I've registered the copyright). Since AT&T is violating my copyright arbitrarily many times for commercial gain, I think we get criminal law in there too.

      • Fine, but require AT&T to disclose (in large font) that it's not an internet connection, since the content is being modified en route.

        Back in the day, quite often I'd have to explain the difference between AOL being an 'online service provider' and Mindspring/MediaOne/whoever being an 'internet service provider'.

    • They're not free. As in AT&T hotspots are not accessible to everyone who wanders by, but are only for paying AT&T customers. You log in using your existing account. So yes, as a customer I expect decent service for a product I pay for, not additional monetization. If it's unacceptable to sell my customer lists to advertisers then it's also unacceptable to inject side advertisements into a paid product.

      And despite being a paid customer, I suspect some one being paid by advertisers is going to pop

      • by adolf ( 21054 )

        It's free at McDonald's. Has been for years, much to my annoyance as a paying AT&T customer. [citation [pcworld.com]]

  • Umm (Score:4, Insightful)

    by MobileTatsu-NJG ( 946591 ) on Tuesday August 25, 2015 @07:02PM (#50391901)

    Didn't they claim to just be a carrier in order to not being held liable for what the users do with that connection? By delivering content they've created aren't they having their cake and eating it, too?

  • by gstoddart ( 321705 ) on Tuesday August 25, 2015 @07:11PM (#50391963) Homepage

    Anybody who is surprised by shit like this is an idiot.

    Everybody setting up "free" hotspots wants to monetize with anayltics and ads.

    Google wanting to sell you a router they can control is also going to lead to monetizing and ads.

    The problem is unless we have really good quality tools to block this shit, we're never going to stop it. And this is why we can't trust ad infrastructure at all and need to block it .. because it's being done by people who want money, and don't give a crap about your security of your privacy.

    Until this shit is deemed illegal (ie the computer fraud and abuse act), it will continue. Because the assholes at AT&T feel it is their right to do anything they want with your internet traffic.

    Never trust that "free" doesn't come with strings like this. And never trust than any corporation won't revert to being sociopaths and decide they can do anything they want to.

    • Except that it's not free. This service is for paying customers. Which makes this behavior even worse, actually.

  • by SkunkPussy ( 85271 ) on Tuesday August 25, 2015 @07:17PM (#50391999) Journal

    mint update manager seems to query for descriptions of package updates via http. So wifi that interferes with http somtimes causes mint to give nonsonse descriptions for updates.

    breaking end-to-end connections is really really really bad.

    • Why aren't all those requests going over HTTPS?

      • Well why does any HTTP request not go over HTTPS? In the long run every request will. But for now, equipment that assumes (reasonably) that people won't corrupt their HTTP responses will fail in various ways.

  • Time Warner Cable has been doing this for over a year on their public networks in California.
  • by Balthisar ( 649688 ) on Tuesday August 25, 2015 @08:08PM (#50392305) Homepage

    My home ISP -- China Telecom -- does this to me, for the service that I pay for. And no, I can't use a VPN 100% of the time because China is getting pretty good at killing VPN connections. It doesn't even matter if I use a non-ISP DNS server, because it's standard in China to poison DNS results (I've not tried experimenting with DNSSEC yet).

    In my case I'll try to load Bing (which isn't blocked by Golden Shield), and the only content will be a meta reload instruction. The rest of the "real" page will have been served via an injected javascript with a shitty Chinese ad at the bottom. Reloading will fetch the real page, as the ads aren't injected 100% of the time, but only seemingly randomly.

  • by JustAnotherOldGuy ( 4145623 ) on Tuesday August 25, 2015 @08:11PM (#50392325) Journal

    Once again, I'm shocked, SHOCKED I tell you!!

  • by Holi ( 250190 )
    I get access to AT&T hotspots because I am an AT&T customer, So I am wondering about this use of the term "free". Access to these access points was a selling point when I signed up. In what world is something I am paying for called free?
  • How is this significantly different from the old NetZero free dial-up business model? If you don't want to use "free" internet access paid through ad revenue, then don't join the network.

news: gotcha

Working...