Stop ad injections with HTTPS connections or a VPN

Glenn Fleishman | Aug. 28, 2015
You already knew that secure web connections prevent snooping by criminals and others on points between you and a server. But they also keep networks from injecting advertising.

AT&T got caught with its hands in the proverbial cookie jar. It was testing injecting advertising at one of its airport Wi-Fi hotspot locations, and one of the nation’s leading privacy advocates with expert technical proficiency was passing through. Jonathan Mayer wrote up his experience on Tuesday; AT&T said on Wednesday it was an “experiment” it’s already discontinued.

Mayer’s curiosity was piqued when sites that feature no advertising (academic and government) showed ads, and sites that already had some advertising sported more, including a banner stretched across the bottom and pop-up ads that couldn’t be dismissed until a set period of time had passed.

AT&T was injecting JavaScript into webpages, intercepting them and rewriting them on the fly, using a third-party ad network’s code to deliver the overlaid ads. In a statement provided by a spokesperson, AT&T said:

Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.

It should never have begun.

Tinkering with what we see

There are all sorts of things wrong with what AT&T did.

  • Disclosure. From what I can tell, there was no overt disclosure or opt-in process to accept that using free Wi-Fi would allow them to intercept your pages. AT&T doesn’t mention it in their statement, and it wasn’t in the privacy disclosure.

  • Risk. Injecting JavaScript into a webpage dramatically enhances the risk of responsible users being the victims of either a hacked third-party server about which they know nothing or criminals who manage to get their malware ads inserted into ad networks and distributed. Yahoo’s ad network was subverted to this end just a few weeks ago.

  • Trust. A multi-billion-dollar company shouldn’t be engaged in pushing privacy and integrity envelopes around the edges in the interests of collecting a few dollars. Even with millions of annual users of Wi-Fi networks, these kinds of ads can’t produce much revenue on the scale of the cost of operating them and the benefit AT&T accrues from its branding.

  • Content disruption. The sites over which ads were placed might have a basis on which to lodge civil or even criminal complaints, or report the behavior to federal agencies, as the ads appear to be served by the sites in question, rather than by a third-party network. Not being able to control what appears on a site is a significant breach in responsibility, liability or otherwise. (Mayer’s post gets into details there with a number of links to read more, as well.)
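A defender can spot the kind of in-transit script injection described above by comparing the scripts in a page received over the untrusted network with a copy retrieved over a trusted path (HTTPS or a VPN). The following is an added example, not code from the article or from Mayer's write-up; the hostnames, page content and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Record external script origins and hashes of inline script bodies."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origins, self.inline_hashes = set(), set()
        self._buf = None  # list of text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:  # external script: resolve relative and protocol-relative URLs
            u = urlsplit(urljoin(self.page_url, src))
            self.origins.add(f"{u.scheme}://{u.netloc}")
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None

def injected_scripts(page_url, baseline_html, received_html):
    """Return script origins and inline-script count present only in the received copy."""
    base, seen = ScriptCollector(page_url), ScriptCollector(page_url)
    for parser, html in ((base, baseline_html), (seen, received_html)):
        parser.feed(html)
        parser.close()
    return {"new_origins": sorted(seen.origins - base.origins),
            "new_inline": len(seen.inline_hashes - base.inline_hashes)}

# Constructed sample: a page as its server sends it, and as rewritten in transit.
PAGE_URL = "http://www.university.example/catalog"
BASELINE = ('<html><head><script src="/js/site.js"></script></head><body>'
            '<p>Course catalog</p><script>var page = "catalog";</script></body></html>')
RECEIVED = BASELINE.replace("</body>",
    '<script src="http://cdn.adnet.example/overlay.js"></script>'
    '<script>showBanner("bottom");</script></body>')

if __name__ == "__main__":
    print(injected_scripts(PAGE_URL, BASELINE, RECEIVED))
```

A new script origin is the stronger signal; inline-script differences also occur on pages that embed per-request values, so treat that count as a prompt to look closer.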


1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.