AT&T Hotspots: Now with Advertising Injection

Does this violate the &quot;exceeds authorized access&quot; provision of the Computer Fraud and Abuse Act? AT&amp;T is not acting as a regulated carrier in this instance, and does not have the immunities of a carrier. Also, their terms of service[1] do not permit them to modify the web pages of others. They can block URLs, ask for a payment, or show an ad at connection time as an alternative to a payment. But they did not disclose that they would modify existing pages.<p>The requirement for arbitration in the AT&amp;T terms does not apply, because the Computer Fraud and Abuse Act is a criminal law. [2]<p>[1] <a href="http:&#x2F;&#x2F;www.att.com&#x2F;legal&#x2F;terms.wiFiServices.html" rel="nofollow">http:&#x2F;&#x2F;www.att.com&#x2F;legal&#x2F;terms.wiFiServices.html</a> [2] <a href="http:&#x2F;&#x2F;apps.americanbar.org&#x2F;litigation&#x2F;committees&#x2F;criminal&#x2F;articles&#x2F;summer2013-1013-glitches-within-cfaas-exceeds-authorized-access-language.html" rel="nofollow">http:&#x2F;&#x2F;apps.americanbar.org&#x2F;litigation&#x2F;committees&#x2F;criminal&#x2F;a...</a>

It&#x27;s easy to get drawn into doing this kind of intrusive advertising when you have a captive audience on a WiFi network. It&#x27;s an idea I&#x27;ve discussed or been involved in &quot;testing&quot; a number of times. (background: I&#x27;ve been building&#x2F;operating wireless&#x2F;WiFi&#x2F;Hotspot networks since 2001)<p>The reality is AT&amp;T probably has no idea how bad this is, and likely would not care. Somewhere, someone sees the potential dollars on the upside and that&#x27;s the only factor that matters.<p>There are better ways to monetize free WiFi today. Advertising is a piece of that puzzle, but there are others too.

Individual websites may be able to protect yourselves by:<p>- Using HTTPS directly, in particular with HSTS set (optimal).<p>- Use a third party like CloudFlare to add HTTPS via their proxy.<p>- Alternatively: HTTP with Content Security Policy set (since it will reject their scripts and CSS running as it isn&#x27;t in the whitelist). This is only a short term solution since they can alter the CSP header, but it will work if you&#x27;re stuck on HTTP for now. We bounce a lot of advertisers and malware off of our site this way.<p>Ultimately this is yet another &quot;Use HTTPS!&quot; broken record. But the CSP solution works until they get wise to it.

Now blocked in easylist.<p><a href="https:&#x2F;&#x2F;hg.adblockplus.org&#x2F;easylist&#x2F;rev&#x2F;881423eab157" rel="nofollow">https:&#x2F;&#x2F;hg.adblockplus.org&#x2F;easylist&#x2F;rev&#x2F;881423eab157</a>

I&#x27;ve seen this on the &quot;xfinitywifi&quot; SSID even when logged in with a valid comcast subscriber ID... :(<p>Wonder how it handles apps that expect json, or jquery&#x2F;ajax calls that works with html fragments. Or even someone authoring a wordpress blog post?

I have just stopped connecting to most wifi hotspots altogether unless I&#x27;m going to be somewhere for a few days (hotel, conference, etc). LTE is just faster and more reliable, and tethering is dead simple these days.

I&#x27;ve seen this happen on a commercial ISP. I used to work for a web dev firm, and our ISP decided to start injecting ads.<p>Ads that immediately broke all of our javascript that we were testing on QA sites.<p>It took us an hour to realize what was going on, and that it wasn&#x27;t our code that was breaking, and another 30 minutes of angry phone yelling before they backed down and turned that shit off.

You know, I could stomach inserted ads a lot more if they were honest about doing them; something like &quot;the contents of this box were placed by the owners of the free Wifi network you are using&quot;.<p>The infuriating part is that these ads are typically <i>folded into original content</i> as if the <i>original page</i> had the extra garbage in it. When you see an obnoxious ad, you&#x27;re not thinking &quot;well I guess I won&#x27;t use this wifi again&quot;; you think &quot;well I guess I&#x27;m not going to <i>this site</i> ever again&quot;.<p>We desperately need a way to strongly sign each part of a page so that it is <i>impossible to display</i> a web site with any third-party content that wasn&#x27;t explicitly added by the site owner (e.g. such as an authorized &quot;Like&quot; button). This naturally means removing i-frames and all other similar mechanisms from browsers, or at least making them a hell of a lot more obvious.

which is why, by default on my laptop, I use an ssh tunnel with a SOCKS proxy to get to the web. Truly sad, nothing you could do with your phone or tablet though.<p>Not that I begrudge them trying to get some money out of their &quot;free&quot; service, and I choose not to use such services.<p>Of course you will then get MITM routers which link to the free WiFi, offer their own free WiFi on a different channel, and then swap the &#x27;customer id&#x27; on the ads going through to send them the money. Or something like that. I&#x27;m sure there is a RasPi build to do something like this.

I&#x27;m pretty sure all AT&amp;T iPhones pull carrier configurations that set attwifi hotspots as a trusted auto-joined wifi network.<p>I reset my iPhone the other day without restoring any backup. Later that day I found my phone connected to attwifi without any instructions from me.

Holy shit!<p>They log pretty much ALL of the traffic too. Not just <i>CAN LOG</i>. They <i>DO LOG</i>.<p>-<p>See <a href="http:&#x2F;&#x2F;www.ragapa.com" rel="nofollow">http:&#x2F;&#x2F;www.ragapa.com</a> &quot;analytics&quot; tab:<p>Here are some of the analytics RaGaPa device collect:<p>Geographical Location<p>Mac Address&#x2F;Cookie Tracking<p>User Agent<p>User Browser<p>Destination URL<p>Ad&#x2F;Message Impressions<p>Ad&#x2F;Message Clicks<p>User Activity with Time

AT&amp;T seems to really not care about their customers trusting them.

It is 2015. If you&#x27;re not running your own VPN on aws or if you&#x27;re not using solutions like Cloak, you get what you get.<p><a href="https:&#x2F;&#x2F;www.getcloak.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.getcloak.com&#x2F;</a><p>I would prefer that carriers didn&#x27;t do this kind of nonsense, but I&#x27;d also prefer that companies like Facebook &amp; Google didn&#x27;t have the core of their business built around the same function. We live in a world where people expect miraculous technology for &quot;free.&quot;<p>It&#x27;s trivial to get around this.

A smaller ISP near me (Bright House) does a similar thing with their hotspots. There are no ad injections, but they inject a little popup with their logo, that says something along the lines of &quot;hotspot provided by Bright House networks&quot;.<p>The funny thing is, this network requires you to log in with your Bright House username and password, so anyone seeing that little &quot;provided by&quot; intrusion is already a paying customer.

What I do not get is why the airport would allow that sort of things. I can understand that providing wifi is a cost that should be mitigated for someone like McDonalds who is running razor thin margins, but considering the cost of operating an airport trying to monetize wifi will probably never make an impact on your bottom line while annoying your users certainly will. It just seem like a foolish move to me.<p>What am I missing?

&quot;Next, it injects a backup advertisement, in case a browser doesn’t support JavaScript.&quot;<p>Ha! They do a better job of degradation than most web sites!

There are a bunch of contract renewals coming up in a couple months (including mine, which I&#x27;ve been on the fence about, and now I have an excuse to switch carriers).<p>I wonder whose bright idea it was to roll this out now.

So, basically https and NoScript will block this.<p>Well, I guess if websites don&#x27;t want ads crapping all over their stuff, they&#x27;d better get on the stick.

I wonder how AT&amp;T&#x27;s ad injection will fare with iOS9&#x27;s content blocking capabilities...