Users are also unaware that their Web traffic is being routed through an undisclosed — and perhaps untrusted — business.
Mayer, who is also a lawyer, wrote that the legality of ad injection is a "messy subject," but there are regulations and laws that would appear to prohibit it, such as wiretapping and pen register statutes and net neutrality rules.
"Regardless of where the law is, AT&T should immediately stop this practice," Mayer wrote.
AT&T officials couldn’t be immediately reached for comment.
There is a defense against this kind of ad injection. It won’t work against websites that encrypt their traffic, indicated by the padlock symbol and “https” in the URL bar.
Also, using a VPN service, which encrypts all traffic passing over the Wi-Fi network, would also inhibit the ability to inject ads. Security experts generally recommend using VPNs over public Wi-Fi networks anyway to prevent interlopers from spying on unencrypted traffic.
Sign up for CIO Asia eNewsletters.