AT&T hot spot advertising raises security questions

On a recent trip through Washington Dulles International Airport, Jonathan Mayer, a computer scientist and lawyer at Stanford University, noticed that when he pulled up the Stanford University website through an AT&T hot spot at the airport, the website came with extra advertisements.

The Stanford website came with an ad selling precious metals. In a post on WebPolicy.org, Mayer noted “the Web had sprouted ads. Lots of them, in places they didn’t belong.”

It is safe to say that Mayer was slightly perturbed by this: “Last I checked, Stanford doesn’t hawk fashion accessories or telecom service. And it definitely doesn’t run obnoxious ads that compel you to wait.”

Mayer went on to explore other websites and found that all of them had similar ads.

Using his expertise in computer science, he began poking around in the source code. “It took little time to spot the culprit: AT&T’s Wi-Fi hot spot was tampering with HTTP traffic,” he said.

With a little more cyber-detective work, Mayer found that the ad-injected platform was powered by RaGaPa, a startup specializing in “Wi-Fi monetization and in-browser user engagement solutions.”

Mayer believes this is a dangerous precedent to set.

“It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service,” he said in his blog post. “And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements.”

Legally, practices such as these are still being debated, but Mayer wrote “under the [Federal Communications Commission’s] net neutrality rules, the [Federal Trade Commission’s] unfairness and deception authorities (and state parallels), wiretapping statutes, pen register statutes, tortious interference, copyright and more.”

“According to RaGaPa’s product sheet, one possible configuration involves redirecting all user traffic through RaGaPa’s servers. That would raise particularly thorny wiretapping issues,” he added.

In response to an email from RCR Wireless News, AT&T said the advertisements were part of a trial program. “Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.”