Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot [Updated]

Update at 1:29 p.m. ET: AT&T's ad injection program has ended, at least for now. "We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended," an AT&T spokesperson told Ars. "The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast."

Original story follows:

When computer scientist Jonathan Mayer was in Washington Dulles International Airport last week, he logged onto an AT&T Wi-Fi hotspot and soon noticed that websites were showing a lot more ads than usual. The website of Stanford University, where Mayer conducts security and privacy research, was showing ads for a jewelry store and AT&T.

Ad-supported news sites like The Wall Street Journal had extra ads on top of them. Federal government websites were showing ads for both AT&T and other businesses.

"Curious, and waiting on a delayed flight, I started poking through web source. It took little time to spot the culprit: AT&T’s wifi hotspot was tampering with HTTP traffic," Mayer wrote.

The hotspot ads are similar to ones delivered by Comcast. It's also common for free Wi-Fi networks at airports to require users to watch an ad before logging on, but they don't necessarily show extra ads on top of websites after giving the user full access to the Web.

According to Mayer, AT&T's ad injection was handled by a company called RaGaPa, which advertises "hotspot monetization," saying its "exclusive technology inserts content displaying advertisement or other venue specific promoted content on every webpage a user visits using venues’ internet access." We've contacted RaGaPa to try to confirm if AT&T is one of its customers and will provide an update if we get one.

Mayer pointed out that AT&T's Wi-Fi terms of service don't mention the ads. The terms do say that AT&T gathers "anonymous and aggregate web browsing information about websites that are most visited by users" in order to "provide External Marketing and Analytics Reports." AT&T provides a link for users to opt out of being included in those marketing reports. The company says it does not gather information from VPN and HTTPS connections. We contacted AT&T about Mayer's blog post but haven't heard back.

Mayer suggested that AT&T's hotspot ads might run afoul of the Federal Communications Commission's net neutrality rules, but making that case might be tricky.

Inserting ads isn't the same as degrading traffic as long as customers can move past the ads and get to the actual website, noted Harold Feld, senior VP of advocacy group Public Knowledge. "It just looks like an ad-supported access network," he told Ars.

Beyond that, the rules do not apply "to premises operators—such as coffee shops, bookstores, airlines," and other businesses that offer hotspots, the FCC said in its net neutrality order. AT&T isn't the premises operator at an airport, but the FCC is making a distinction between publicly available Wi-Fi hotspots and the home Internet service consumers buy for themselves.

"An airport providing W-iFi itself and an airport paying AT&T to just take care of it would probably be treated the same," said John Bergmayer, senior staff attorney at Public Knowledge. Bergmayer said he'd need to know more about the relationship between AT&T and premises operators to answer the question more definitively.

The FCC's transparency rules require disclosure of privacy policies, and AT&T includes a privacy policy on its Wi-Fi terms of service, though it doesn't mention ad injection.

We reached out to the FCC on the net neutrality questions, and a commission spokesperson declined to comment.

AT&T also gets money from advertisers by selling ads on top of its home Internet service. AT&T's "GigaPower" Internet service scans its users' Internet traffic in order to deliver personalized ads to the websites you visit, e-mail to your inbox, and junk mail to your front door. AT&T makes the GigaPower ad program more obvious to customers, however. When they sign up for Internet service, they are given the option to avoid the scanning and personalized ads in exchange for paying at least $29 more per month.

As for AT&T's public hotspots, Mayer is not pleased. "AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory," he wrote. "Among other drawbacks: It exposes much of the user’s browsing activity to an undisclosed and untrusted business. It clutters the user’s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements."