
AT&T Hotspots: Now with Advertising Injection - jeo1234
http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/
======
Animats
Does this violate the "exceeds authorized access" provision of the Computer
Fraud and Abuse Act? AT&T is not acting as a regulated carrier in this
instance, and does not have the immunities of a carrier. Also, their terms of
service[1] do not permit them to modify the web pages of others. They can
block URLs, ask for a payment, or show an ad at connection time as an
alternative to a payment. But they did not disclose that they would modify
existing pages.

The requirement for arbitration in the AT&T terms does not apply, because the
Computer Fraud and Abuse Act is a criminal law. [2]

[1] [http://www.att.com/legal/terms.wiFiServices.html](http://www.att.com/legal/terms.wiFiServices.html)

[2] [http://apps.americanbar.org/litigation/committees/criminal/a...](http://apps.americanbar.org/litigation/committees/criminal/articles/summer2013-1013-glitches-within-cfaas-exceeds-authorized-access-language.html)

~~~
georgemcbay
IANAL, but I don't see how this sort of thing doesn't count as copyright
violation on a massive scale.

The users probably agree to it in a terms of service, but the served websites
do not, and AT&T is creating what logically seems like a highly derivative
(but altered) copy of their content with their own content inserted without
permission of the original copyright owners.

While some amount of data rewriting is inherent in the nature of how the
Internet works, modifying the content of web page bodies to insert
advertisements just feels like it steps way, way over the lines of that,
especially when it can easily present situations where you have ads selling
products that would be vehemently opposed by the people whose site it seems to
be appearing on to the average user.

~~~
bpodgursky
If you get this declared copyright violation, there will be very solid
precedent for banning all adblockers as well.

~~~
msandford
Let's discuss the difference.

This is as though AT&T printed magazines written by others and advertised in
by others, and inserted their own extra advertisements in addition. So they
take a 90 page magazine and add an extra 10 pages of ads. Clearly not kosher
as they don't have the rights to the articles, ads, or anything. But they're
trying to sell it at the AT&T newsstand as though it's the original.

Now suppose that I buy a magazine, and the first thing I do is page through it
quickly and rip out all the ads. That's legit right? Once I own it, I can do
whatever I want with it. Now suppose I -- after purchasing the magazine --
convince my friend to rip out all the ads for me, before I ever see any of
them. Still OK isn't it?

I hope the parallels make it easy to see that what you do with the content
once it reaches your computer is very different than what other 3rd parties
do to content while it's in transit.

~~~
hsod
I'm not convinced. Your distinction makes this all about _you_, when in fact
it's more about the _publisher_.

As far as the publisher is concerned, your friend and AT&T might as well be
the same person. Both are taking a copyrighted work from the publisher,
altering it materially, and presenting it to you.

AT&T is not selling the work, they are delivering it.

If one is a copyright violation, both are.

~~~
dublinben
Transforming a work on your own computer, and then viewing it is not copyright
infringement. There is no transmission of another copy being performed.
Without that, you don't have copyright infringement.

~~~
bpodgursky
What you are describing is an engineering answer, not a legal perspective.

As the Supreme Court made clear in the Aereo case, intent and impact are far
more important than technical details about transmission.

~~~
dublinben
Even in the light of the (I believe incorrect) Aereo decision, it would be
pretty much inconceivable for personal ad blockers to be ruled illegal. There
is already semi-relevant precedent for this with movies, in the Family
Entertainment Copyright Act of 2005.

[https://en.wikipedia.org/wiki/Family_Entertainment_and_Copyr...](https://en.wikipedia.org/wiki/Family_Entertainment_and_Copyright_Act)

------
edwhitesell
It's easy to get drawn into doing this kind of intrusive advertising when you
have a captive audience on a WiFi network. It's an idea I've discussed or been
involved in "testing" a number of times. (background: I've been
building/operating wireless/WiFi/Hotspot networks since 2001)

The reality is AT&T probably has no idea how bad this is, and likely would not
care. Somewhere, someone sees the potential dollars on the upside and that's
the only factor that matters.

There are better ways to monetize free WiFi today. Advertising is a piece of
that puzzle, but there are others too.

~~~
edwhitesell
(replying to myself is probably bad form, but I had another thought to note
here)

Most likely, the WiFi provided by carriers like AT&T is meant for offloading.
The phones will do EAP-SIM or some other authentication the customer has no
idea of. That will get the voice and SMS traffic passing via WiFi and
associated backhaul to the Mobile Core, instead of the mobile network.

Assuming that scenario, where WiFi is really a low-cost extension of the
mobile network, the carrier has very little incentive to do the "right thing"
when it comes to injecting ads and/or content filtering. They are already
improving the services their customers pay for. Offsetting that (relatively
low cost) with some "bad form" advertising probably won't get a second
thought.

------
Someone1234
Individual websites may be able to protect themselves by:

- Using HTTPS directly, in particular with HSTS set (optimal).

- Using a third party like CloudFlare to add HTTPS via their proxy.

- Alternatively: HTTP with Content Security Policy set (since it will reject
their scripts and CSS running as they aren't in the whitelist). This is only a
short term solution since they can alter the CSP header, but it will work if
you're stuck on HTTP for now. We bounce a lot of advertisers and malware off
of our site this way.

Ultimately this is yet another "Use HTTPS!" broken record. But the CSP
solution works until they get wise to it.

~~~
r1ch
Unfortunately the first two options aren't really viable if you're an ad
supported website. HTTPS will kill your ad revenue since most ad scripts don't
work properly over HTTPS.

~~~
dogma1138
That's a problem for site operators, not users. If more people force sites to
switch to HTTPS, more AdNetworks will start serving content via HTTPS.

The good thing is that at least most browsers these days are good at blocking
mixed content, so you won't have HTTP ads growing tumors due to injections
anyhow.

What I don't understand is why AT&T has to do injection in the 1st place; they
can easily set up their own AdNetwork and partner with the large AdNetworks to
route through AT&T's own internal servers.

~~~
rsanders
Without injection, their own ad network is irrelevant. Nobody (more or less)
is getting on Free AT&T Wi-Fi to visit AT&T's websites. Without injection, any
ad revenue goes to the actual site operators.

~~~
dogma1138
Well that was a given in my statement... hence partner with the large
AdNetworks, use the already existing scripts which are integrated much better
into the existing sites, AT&T can simply serve all requests to
www.big.ad.network/ads.js from its own servers in its own internal network
serving ads from their internal campaigns sharing revenue.... Heck considering
that the ads AT&T can serve can be much more relevant to a specific location
such as a mall, a large venue, or an airport heck even stores within say half
a mile of the hotspot they might actually be "useful".

Adnetworks are saving bandwidth, AT&T doesn't have to fight with HTML
injection which can break on many sites, AdNetworks get better targeted
advertisement win for everyone...

------
mp3geek
Now blocked in easylist.

[https://hg.adblockplus.org/easylist/rev/881423eab157](https://hg.adblockplus.org/easylist/rev/881423eab157)

------
0x0
I've seen this on the "xfinitywifi" SSID even when logged in with a valid
Comcast subscriber ID... :(

Wonder how it handles apps that expect JSON, or jQuery/AJAX calls that work
with HTML fragments. Or even someone authoring a WordPress blog post?

~~~
eli
You would hope it would be checking Content-Type headers or similar... but
yeah, I'm sure it must subtly break a lot of stuff.

------
ejdyksen
I have just stopped connecting to most wifi hotspots altogether unless I'm
going to be somewhere for a few days (hotel, conference, etc). LTE is just
faster and more reliable, and tethering is dead simple these days.

~~~
some-guy
Are you in the US? How lenient are carriers these days when it comes to
tethering? I have AT&T and while their bandwidth and coverage is good, I
cannot get unlimited data with my plan so I'm SOL.

~~~
wtallis
Since the new FCC net neutrality rules went into effect, carriers are no
longer allowed to actively interfere with tethering.

~~~
JustSomeNobody
Unless you're on a grandfathered AT&T unlimited plan.

~~~
wtallis
The FCC's regulations have no such exception. Any "grandfathering" is purely
AT&T's generosity and has no legal significance. They're still bound by the
_current_ FCC regulations.

~~~
JustSomeNobody
Interesting. I thought I had read this was an exemption.

Even people in ATT's forums are having the same question:

[https://forums.att.com/t5/Data-Messaging-Features-Internet/W...](https://forums.att.com/t5/Data-Messaging-Features-Internet/Why-can-t-I-tether-with-my-Grandfathered-Unlimited-Data-Plan/td-p/4203801)

------
pavel_lishin
I've seen this happen on a commercial ISP. I used to work for a web dev firm,
and our ISP decided to start injecting ads.

Ads that immediately broke all of our javascript that we were testing on QA
sites.

It took us an hour to realize what was going on, and that it wasn't our code
that was breaking, and another 30 minutes of angry phone yelling before they
backed down and turned that shit off.

------
makecheck
You know, I could stomach inserted ads a lot more if they were honest about
doing them; something like "the contents of this box were placed by the owners
of the free Wifi network you are using".

The infuriating part is that these ads are typically _folded into original
content_ as if the _original page_ had the extra garbage in it. When you see
an obnoxious ad, you're not thinking "well I guess I won't use this wifi
again"; you think "well I guess I'm not going to _this site_ ever again".

We desperately need a way to strongly sign each part of a page so that it is
_impossible to display_ a web site with any third-party content that wasn't
explicitly added by the site owner (e.g. such as an authorized "Like" button).
This naturally means removing i-frames and all other similar mechanisms from
browsers, or at least making them a hell of a lot more obvious.

------
ChuckMcM
which is why, by default on my laptop, I use an ssh tunnel with a SOCKS proxy
to get to the web. Truly sad, nothing you could do with your phone or tablet
though.

Not that I begrudge them trying to get some money out of their "free" service,
and I choose not to use such services.

Of course you will then get MITM routers which link to the free WiFi, offer
their own free WiFi on a different channel, and then swap the 'customer id' on
the ads going through to send them the money. Or something like that. I'm sure
there is a RasPi build to do something like this.

~~~
zrail
On phone and tablet you can set up a real VPN, potentially through the same
host where you're tunneling.

~~~
sigjuice
It was relatively straightforward to set up an IPSEC VPN on my Digital Ocean
VPS using these instructions
[https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14...](https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html)
. Also, it worked with the VPN clients built into OS X and iOS.

~~~
blazingfrog2
Is that VPN setup an "always on"-able setup so that iOS just routes traffic
through it without having to manually switch on the VPN client? I run the VPN
server bundled with OS X Server and I haven't been able to achieve that.

~~~
sigjuice
Sorry, I am not sure if there is an "always on" knob on the client. I don't
know the details, but some versions of iOS have a feature called per-App VPN,
that might get you close to what you want. Look for the text
"OnDemandMatchAppEnabled" on this page
[https://developer.apple.com/library/ios/featuredarticles/iPh...](https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html)
.

------
jtokoph
I'm pretty sure all AT&T iPhones pull carrier configurations that set attwifi
hotspots as a trusted auto-joined wifi network.

I reset my iPhone the other day without restoring any backup. Later that day I
found my phone connected to attwifi without any instructions from me.

------
dmitrygr
Holy shit!

They log pretty much ALL of the traffic too. Not just _CAN LOG_. They _DO
LOG_.

-

See [http://www.ragapa.com](http://www.ragapa.com) "analytics" tab:

Here are some of the analytics RaGaPa device collect:

Geographical Location

Mac Address/Cookie Tracking

User Agent

User Browser

Destination URL

Ad/Message Impressions

Ad/Message Clicks

User Activity with Time

~~~
edwhitesell
That's not really "logging", but analytics based on the ads. Any ad
software/network worth using is going to do at least the items listed here.

------
jeo1234
AT&T seems to really not care about their customers trusting them.

~~~
urda
Don't connect to open Wifi hotspots willy nilly then. Is AT&T taking advantage
of the situation? Absolutely, but this is what happens when you connect to any
WiFi network you find while on the road. Today it's AT&T, tomorrow it'll be
someone else.

~~~
Someone1234
And let's be frank, these networks are so insecure anyway even if you can
connect you likely shouldn't be using it for anything you care about anyway
(and certainly nothing that isn't HTTPS).

But even websites which support HTTPS won't mark cookies secure, so the
browser will happily upload it to the HTTP version for the world to see.

Ultimately open WiFi hotspots are a security nightmare, it is quite incredible
that nothing has been done about it. There's no reason we couldn't utilise
something akin to SSL to secure the WiFi connection itself (since the scenario
is identical, two previously unknown parties wanting to communicate securely,
and utilising an already trusted CA to facilitate that).

I guess as an industry we're just too lazy to make anything except PSK work.
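
The mitigations raised in Someone1234's comments in this thread (HTTPS with HSTS, a restrictive Content Security Policy, and cookies marked Secure) can all be checked from a site's response headers. The following Python sketch is an added example, not code from the thread or the linked article; the header values, the `cdn.example` host, the cookie name and the finding codes are constructed for illustration, and only the first CSP header is evaluated as a simplification.

```python
# Added example: audits response headers for HSTS, CSP and cookie Secure flags.
# Header values, host names and cookie names below are constructed sample data.

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0

def script_sources(csp):
    """Return the source list governing scripts, or None if the policy has none."""
    policy = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:  # the first occurrence of a directive wins
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy.get("script-src", policy.get("default-src"))

def audit(scheme, headers):
    """headers is a list of (name, value) pairs; returns a list of finding codes."""
    values = lambda name: [v for k, v in headers if k.lower() == name]
    findings = []
    if scheme != "https":
        findings.append("plain-http")      # body and headers are modifiable in transit
    elif not any(hsts_max_age(v) > 0 for v in values("strict-transport-security")):
        findings.append("no-hsts")         # browser may still send plain HTTP requests
    csp = values("content-security-policy")
    sources = script_sources(csp[0]) if csp else None
    if sources is None:
        findings.append("csp-missing")     # injected <script> tags run unrestricted
    elif {"*", "http:", "https:", "'unsafe-inline'"} & set(sources):
        findings.append("csp-permissive")  # allowlist would admit injected scripts
    for cookie in values("set-cookie"):
        first, *attrs = [p.strip() for p in cookie.split(";")]
        if "secure" not in [a.lower() for a in attrs]:
            findings.append("cookie-not-secure:" + first.split("=", 1)[0])
    return findings

HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
]
WEAK = [
    ("Content-Security-Policy", "default-src *"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    print("hardened:", audit("https", HARDENED))
    print("weak    :", audit("https", WEAK))
    print("http    :", audit("http", []))
```
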

------
droopybuns
It is 2015. If you're not running your own VPN on aws or if you're not using
solutions like Cloak, you get what you get.

[https://www.getcloak.com/](https://www.getcloak.com/)

I would prefer that carriers didn't do this kind of nonsense, but I'd also
prefer that companies like Facebook & Google didn't have the core of their
business built around the same function. We live in a world where people
expect miraculous technology for "free."

It's trivial to get around this.

~~~
falcolas
With DPI, it's also rather trivial for WiFi providers to block normal VPN
traffic - and they do.

There are ways around the DPI with SSL wrapping and such, but it's not always
"trivial".

Point in case, I'm living in a town with a population under 40k, and I know of
at least 3 places so far which block OpenVPN traffic over both UDP and TCP.

~~~
blacksmith_tb
I have seen a fair number of public APs blocking VPN traffic, but my instinct
is it's due to incompetence, not malice. It appears they are blocking
everything but traffic to 80 and 443, likely due to some sort of turnkey wifi-
in-a-box which makes bad assumptions. It is frustrating, as I won't use a
public AP if I can't VPN (but I have unlimited data, so it's not a huge
problem for me, at least).

~~~
falcolas
It's not just incompetence - the VPN can connect and authenticate, but all
actual traffic is blocked.

SSH also works properly, and I can use a SOCKS proxy over that.

------
JoshM33k
A smaller ISP near me (Bright House) does a similar thing with their hotspots.
There are no ad injections, but they inject a little popup with their logo,
that says something along the lines of "hotspot provided by Bright House
networks".

The funny thing is, this network requires you to log in with your Bright House
username and password, so anyone seeing that little "provided by" intrusion is
already a paying customer.

------
laurentoget
What I do not get is why the airport would allow that sort of thing. I can
understand that providing wifi is a cost that should be mitigated for someone
like McDonalds who is running razor thin margins, but considering the cost of
operating an airport, trying to monetize wifi will probably never make an
impact on your bottom line while annoying your users certainly will. It just
seems like a foolish move to me.

What am I missing?

------
JustSomeNobody
"Next, it injects a backup advertisement, in case a browser doesn’t support
JavaScript."

Ha! They do a better job of degradation than most web sites!

------
hinkley
There are a bunch of contract renewals coming up in a couple months (including
mine, which I've been on the fence about, and now I have an excuse to switch
carriers).

I wonder whose bright idea it was to roll this out now.

------
bsder
So, basically https and NoScript will block this.

Well, I guess if websites don't want ads crapping all over their stuff, they'd
better get on the stick.

------
r00fus
I wonder how AT&T's ad injection will fare with iOS9's content blocking
capabilities...

