AT&T's "free" Wi-Fi may be too good to be true. One of the company's Wi-Fi hotspots, in Virginia's Dulles airport, is reportedly using an ad-injection platform to tamper with the web traffic of users and bombard them with more ads. Jonathan Mayer, a computer scientist and Stanford lawyer, says he discovered ad-injecting code while using the AT&T hotspot in the airport. Mayer noticed ads appearing on educational, government, and ad-supported sites such as The Wall Street Journal, and decided to take a look at the web source, discovering that it was adding lines of code that would pull in promotional materials from outside companies.

AT&T's hotspot was reportedly tampering with web traffic

Mayer said that the hotspot was making three edits to his traffic. First, he says it added an advertising stylesheet, before injecting a back-up ad, just in case the browser didn't support JavaScript. The hotspot also added two scripts for controlling ad loading and display, code that allows the platform to import the ads themselves from third parties. The ad-injection platform appears to have been built by a company called RaGaPa, a startup whose video pitch, Mayer notes, "features 'MONETIZE YOUR NETWORK' over cascading dollar signs." AT&T's Wi-Fi terms of service makes no direct reference to the tool or the company's intention to insert extra ads.

In addition to cluttering web pages and slowing down the browsing experience, Mayer says the code introduces an extra security risk, as web developers don't anticipate their sites receiving additional scripts. For now, such tools exist in something of a legal gray area, with the FCC's net neutrality rules and a host of other legislation and rulings theoretically restricting their use. Last year, Comcast started using a similar tool to inject ads across its 3.5 million public Wi-Fi hotspots, and a number of other companies have followed suit. Many of those found to have been using ad-injection tools appear to have dropped them when discovered, including cable and internet company Mediacom, and hotel chain Marriott. The latter pinned the blame on its own ISP when an ad-injection tool was discovered on its Wi-Fi service in 2012. In a statement, the chain said that it was not aware of the tool, and that it did not condone the practice of inserting extra ads into web traffic.