AT&T on Wednesday confirmed that it recently intercepted Web traffic at WiFi hotspots in order to inject ads into the pages that users were visiting.
The ad injections were first noted by well-known privacy advocate Jonathan Mayer, who saw the extra ads while using a WiFi hotspot at Dulles airport. Mayer reported on Tuesday that the ads appeared in a broad array of unexpected sites, including ones operated by Stanford University, The Wall Street Journal, and the Federal Communications Commission.
At Stanford.edu, for instance, an overlay for ecommerce site MyHabit appeared in the center of the page, while an ad for AT&T ran across the bottom of the page. "Last I checked, Stanford doesn’t hawk fashion accessories or telecom service," Mayer writes. "And it definitely doesn’t run obnoxious ads that compel you to wait."
"AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory," Mayer writes.
He then goes on to list a host of potential problems with the ad injection program.
"It exposes much of the user’s browsing activity to an undisclosed and untrusted business," Mayer writes, referring to RaGaPa -- the Sunnyvale, Calif. startup that powers the ads.
Mayer adds: "It clutters the user’s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements."
RaGaPa's ad injection platform isn't effective on sites that are secured with HTTPS, according to Mayer. "If websites needed (yet another) reason to adopt HTTPS, here’s a good one," he writes.
For its part, AT&T defends the tests, which were conducted at Dulles and Reagan National.
“Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi," a spokesperson said in an emailed statement. "The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.”
The complete details of RaGaPa's platform have yet to emerge, but its Web site touts the ability to enable "venues to successfully insert venue specific promoted content/advertisements on all the webpages (HTTP) a user visits using the venue WiFi."
RaGaPa adds that it "provides deep analytics on user traffic which can help venues learn more about the user behavior for better targeting." RaGaPa has not yet responded to MediaPost's request for comment.
It's too early to know whether AT&T's tests will result in any legal or regulatory fallout. Mayer -- a lawyer and Ph.D. candidate -- writes that ad injections are a "messy subject" from a legal point of view.
"It certainly doesn’t help AT&T and RaGaPa that the ads aren’t labeled as associated with the hotspot, and that AT&T’s wifi terms of service are silent about advertising injection," Mayer writes.
While he proposes several arguments against the legality of ad injections -- including that the practice might be considered unfair or deceptive by the Federal Trade Commission -- it's not clear how judges would rule.
AT&T isn't the first Internet service provider to experiment with ad injections. As far back as 2011, Mediacom tested a program that injected ads into publishers' sites. Comcast and Bright House also reportedly launched similar initiatives last year.
Meanwhile, the Federal Communications Commission is expected to propose broadband privacy regulations later this year. Whether those rules would limit Internet service providers' ability to inject ads into Web traffic remains an open question.