Does this violate the "exceeds authorized access" provision of the Computer Fraud and Abuse Act? AT&T is not acting as a regulated carrier in this instance, and does not have the immunities of a carrier. Also, their terms of service[1] do not permit them to modify the web pages of others. They can block URLs, ask for a payment, or show an ad at connection time as an alternative to a payment. But they did not disclose that they would modify existing pages.
The requirement for arbitration in the AT&T terms does not apply, because the Computer Fraud and Abuse Act is a criminal law. [2]
IANAL, but I don't see how this sort of thing doesn't count as copyright violation on a massive scale.
The users probably agree to it in a terms of service, but the served websites do not, and AT&T is creating what logically seems like a highly derivative (but altered) copy of their content with their own content inserted without permission of the original copyright owners.
While some amount of data rewriting is inherent in the nature of how the Internet works, modifying the content of web page bodies to insert advertisements just feels like it steps way, way over the lines of that, especially when it can easily present situations where you have ads selling products that would be vehemently opposed by the people whose site it seems to be appearing on to the average user.
I also think this could affect the image or experience of a company or entity, since people might not know this is ATT's doing. In the examples provided, one might think this was an action of Stanford.
Exactly. Looking at the video linked in the article, RaGaPa shows what ads on Google's home page might look like. Surely Google doesn't want to be associated with certain products that way?
This is as though AT&T printed magazines written by others and advertised in by others, and inserted their own extra advertisements in addition. So they take a 90 page magazine and add an extra 10 pages of ads. Clearly not kosher as they don't have the rights to the articles, ads, or anything. But they're trying to sell it at the AT&T newsstand as though it's the original.
Now suppose that I buy a magazine, and the first thing I do is page through it quickly and rip out all the ads. That's legit right? Once I own it, I can do whatever I want with it. Now suppose I -- after purchasing the magazine -- convince my friend to rip out all the ads for me, before I ever see any of them. Still OK isn't it?
I hope the parallels make it easy to see that what you do with the content once it reaches your computer is very different than what other 3rd parties do to content while it's in transit.
I'm not convinced. Your distinction makes this all about you, when in fact it's more about the publisher.
As far as the publisher is concerned, your friend and AT&T might as well be the same person. Both are taking a copyrighted work from the publisher, altering it materially, and presenting it to you.
AT&T is not selling the work, they are delivering it.
The first sale doctrine would beg to differ with you. Once I buy a work I'm free to do whatever I'd like with it, provided that I don't infringe on the copyright by making more copies. I absolutely can remove whatever I would like from it.
Copyright protects publishers from unauthorized reproductions. AT&T are making an unauthorized reproduction when they insert extra things into something that isn't theirs.
Transforming a work on your own computer, and then viewing it is not copyright infringement. There is no transmission of another copy being performed. Without that, you don't have copyright infringement.
Even in the light of the (I believe incorrect) Aereo decision, it would be pretty much inconceivable for personal ad blockers to be ruled illegal. There is already semi-relevant precedent for this with movies, in the Family Entertainment Copyright Act of 2005.
There is a precedent: TV ads. Original content like a movie will get chopped up, edited and compressed for length, and broadcast with ads. They even de-zoom the rapidly-accelerated credits to show an ad while they scroll illegibly.
If this got to court, a tech illiterate judge wouldn't see the difference.
The broadcaster pays the movie's rights owner for the right to rebroadcast whereas AT&T has no such deal with the website owners and is supposed to be acting as a simple common carrier.
It's easy to get drawn into doing this kind of intrusive advertising when you have a captive audience on a WiFi network. It's an idea I've discussed or been involved in "testing" a number of times. (background: I've been building/operating wireless/WiFi/Hotspot networks since 2001)
The reality is AT&T probably has no idea how bad this is, and likely would not care. Somewhere, someone sees the potential dollars on the upside and that's the only factor that matters.
There are better ways to monetize free WiFi today. Advertising is a piece of that puzzle, but there are others too.
(replying to myself is probably bad form, but I had another thought to note here)
Most likely, the WiFi provided by carriers like AT&T is meant for offloading. The phones will do EAP-SIM or some other authentication the customer has no idea of. That will get the voice and SMS traffic passing via WiFi and associated backhaul to the Mobile Core, instead of the mobile network.
Assuming that scenario, where WiFi is really a low-cost extension of the mobile network, the carrier has very little incentive to do the "right thing" when it comes to injecting ads and/or content filtering. They are already improving the services their customers pay for. Offsetting that (relatively low cost) with some "bad form" advertising probably won't get a second thought.
Individual websites may be able to protect themselves by:
- Using HTTPS directly, in particular with HSTS set (optimal).
- Use a third party like CloudFlare to add HTTPS via their proxy.
- Alternatively: HTTP with Content Security Policy set (since it will reject their scripts and CSS running as it isn't in the whitelist). This is only a short term solution since they can alter the CSP header, but it will work if you're stuck on HTTP for now. We bounce a lot of advertisers and malware off of our site this way.
Ultimately this is yet another "Use HTTPS!" broken record. But the CSP solution works until they get wise to it.
Unfortunately the first two options aren't really viable if you're an ad supported website. HTTPS will kill your ad revenue since most ad scripts don't work properly over HTTPS.
That's a problem for site operators, not users. If more people force sites to switch to HTTPS, more AdNetworks will start serving content via HTTPS.
The good thing is that at least most browsers these days are good at blocking mixed content, so you won't have HTTP ads growing tumors due to injections anyhow.
What I don't understand is why AT&T has to do injection in the 1st place; they can easily set up their own AdNetwork and partner with the large AdNetworks to route through AT&T's own internal servers.
Without injection, their own ad network is irrelevant. Nobody (more or less) is getting on Free AT&T Wi-Fi to visit AT&T's websites. Without injection, any ad revenue goes to the actual site operators.
Well that was a given in my statement... hence partner with the large AdNetworks, use the already existing scripts which are integrated much better into the existing sites, AT&T can simply serve all requests to www.big.ad.network/ads.js from its own servers in its own internal network serving ads from their internal campaigns sharing revenue....
Heck considering that the ads AT&T can serve can be much more relevant to a specific location such as a mall, a large venue, or an airport heck even stores within say half a mile of the hotspot they might actually be "useful".
Adnetworks are saving bandwidth, AT&T doesn't have to fight with HTML injection which can break on many sites, AdNetworks get better targeted advertisement win for everyone...
I have just stopped connecting to most wifi hotspots altogether unless I'm going to be somewhere for a few days (hotel, conference, etc). LTE is just faster and more reliable, and tethering is dead simple these days.
Are you in the US? How lenient are carriers these days when it comes to tethering? I have AT&T and while their bandwidth and coverage is good, I cannot get unlimited data with my plan so I'm SOL.
The FCC's regulations have no such exception. Any "grandfathering" is purely AT&T's generosity and has no legal significance. They're still bound by the current FCC regulations.
Inexpensive unlimited data is getting scarce, but I think that's reasonable. LTE capacity is by nature more limited & expensive than wired capacity.
For many activity categories- email, light browsing, etc- a few GB per month is more than sufficient.
If you want to torrent terabytes per month or run multiple Netflix streams all day long, you are a three or even six sigma user, and carriers realize that subsidizing your unusual usage with other subscribers' fees increases costs for the average user, making the carrier less cost-competitive. So you are either going to get pushed to hard lines, or you are going to have to pay for those terabytes of data.
My phone (Verizon prepaid) freely allows me to tether, although this relaxation is a recent development so there are probably many older phones that simply have not been updated to allow tethering. My 1GB is definitely a snug limit but not unworkable.
I have TMO with 4.5GB + tethering and have used it copiously. On a normal month I never get near the limit. On a heavy month, usually when traveling with family, I have dipped into and subsequently drained my Data Stash, but I currently have 13GB there for that heavy month.
In general however, I rely heavily on hotel wifi, as weak data signal is a real thing and drains battery. Tethering is a great backup, but not my daily driver even if I had unlimited.
I have Verizon, and tethering just comes out of my 5GB data cap. I've never even come close to using all my data, but then again, I'm somewhat frugal with my data when I am tethering.
I used to have unlimited data on my iPhone but ditched it for 15GB and unlimited talk and text (wife and I split) and it's 15 bucks less than we were paying a month and she used to have like 350mb of data. They would not allow me to tether with my unlimited data. Now I don't know if that got lifted or not for grandfathered plans. But I use my tethering all the time with my laptop and it's great.
I use Verizon pre-paid, and tethering is included free. You can add-on data-packs that roll-over for up to three months as needed, and I use a LittleSnitch profile to curtail things like backup services and other heavy-data use services when I'm tethered.
The prevalence of stuff that likes to auto-update without asking you makes this even more dicey. I ran through 50% of my monthly mobile-data quota once when OSX decided to download a big OS update over tethering (my monthly quota is 1GB). It'd be nice if there were an OS-level service letting me mark certain SSIDs as not suitable for unnecessary data use, the way Android knows not to download app updates over the data connection.
Nowadays I mostly avoid tethering unless I really have to use it, since it's always rolling the dice whether it's going to eat hundreds of megabytes of my data quota without asking. Fortunately, there are so many wifi hotspots around that I'm finding tethering at all increasingly unnecessary. And a VPN takes care of the security issues well enough.
Windows 8.1 & 10 let you mark WiFi networks as "metered". Can't do it with USB or Bluetooth tethering, but anyway it does exactly what you are hoping for- the OS will suppress most background network activity. It even tracks "metered network usage" in a separate bucket from regular network usage.
I would expect OSX has a similar setting somewhere, with the increase in metered networks.
Hmm yes, as long as the tethering shows as a network interface (which all of them do) you can manage the metered settings individually, and every device will have its own virtual network interface even if you sync 2 different phones via bluetooth.
The only time you "can't" do it is if you are using a Wifi Hotspot method, in which case you'll have to set the Wireless connection to a metered one so it will keep track of the cap no matter which HotSpot you connect to.
That said, Windows doesn't block applications from accessing metered connections; it moderates itself (Windows Update, Windows Mail etc...), has a separate setting for whatever MSFT calls "Metro" apps these days (so "Store" apps can be toggled individually with metered access policies), and for windows services, so if Spotify decides to download a playlist you might get a surprise bill in the mail.
> Hmm yes, as long as the tethering shows as a network interface (which all of them do) you can manage the metered settings individually
Everything I've seen on Win 10 metered connections -- including from Microsoft -- indicates that only WiFi (not-metered by default) and cellular (metered by default) connections can be set as metered, and that other network interfaces are always treated as non-metered and cannot be set as metered.
Unless your phone emulates an Ethernet connection it will detect it as mobile broadband and set it up as metered automatically, I never had issues with that...
I don't think OSX currently supports this out of the box. My suspicion is that the next version will, but in an automagical way that only works with iPhones (probably by marking iPhone tethers as a different kind of connection from regular wifi).
> It'd be nice if there were an OS-level service letting me mark certain SSIDs as not suitable for unnecessary data use, the way Android knows not to download app updates over the data connection.
I've seen this happen on a commercial ISP. I used to work for a web dev firm, and our ISP decided to start injecting ads.
Ads that immediately broke all of our javascript that we were testing on QA sites.
It took us an hour to realize what was going on, and that it wasn't our code that was breaking, and another 30 minutes of angry phone yelling before they backed down and turned that shit off.
You know, I could stomach inserted ads a lot more if they were honest about doing them; something like "the contents of this box were placed by the owners of the free Wifi network you are using".
The infuriating part is that these ads are typically folded into original content as if the original page had the extra garbage in it. When you see an obnoxious ad, you're not thinking "well I guess I won't use this wifi again"; you think "well I guess I'm not going to this site ever again".
We desperately need a way to strongly sign each part of a page so that it is impossible to display a web site with any third-party content that wasn't explicitly added by the site owner (e.g. such as an authorized "Like" button). This naturally means removing i-frames and all other similar mechanisms from browsers, or at least making them a hell of a lot more obvious.
Which is why, by default on my laptop, I use an ssh tunnel with a SOCKS proxy to get to the web. Truly sad, nothing you could do with your phone or tablet though.
Not that I begrudge them trying to get some money out of their "free" service, and I choose not to use such services.
Of course you will then get MITM routers which link to the free WiFi, offer their own free WiFi on a different channel, and then swap the 'customer id' on the ads going through to send them the money. Or something like that. I'm sure there is a RasPi build to do something like this.
Is that VPN setup an "always on"-able setup so that iOS just routes traffic through it without having to manually switch on the VPN client? I run the VPN server bundled with OS X Server and I haven't been able to achieve that.
Sorry, I am not sure if there is an "always on" knob on the client. I don't know the details, but some versions of iOS have a feature called per-App VPN, that might get you close to what you want. Look for the text "OnDemandMatchAppEnabled" on this page https://developer.apple.com/library/ios/featuredarticles/iPh... .
Don't connect to open Wifi hotspots willy nilly then. Is AT&T taking advantage of the situation? Absolutely, but this is what happens when you connect to any WiFi network you find while on the road. Today it's AT&T, tomorrow it'll be someone else.
And let's be frank, these networks are so insecure anyway even if you can connect you likely shouldn't be using it for anything you care about anyway (and certainly nothing that isn't HTTPS).
But even websites which support HTTPS won't mark cookies secure, so the browser will happily upload it to the HTTP version for the world to see.
Ultimately open WiFi hotspots are a security nightmare, it is quite incredible that nothing has been done about it. There's no reason we couldn't utilise something akin to SSL to secure the WiFi connection itself (since the scenario is identical, two previously unknown parties wanting to communicate securely, and utilising an already trusted CA to facilitate that).
I guess as an industry we're just too lazy to make anything except PSK work.
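An added example, not part of any comment in this thread: a small Python audit of one response's headers for the site-side protections listed earlier (HTTPS with HSTS, a Content Security Policy whitelist) and for the cookies-without-Secure point made just above. The function names, finding labels and sample responses are constructed for illustration.

```python
import re

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; first occurrence wins."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def audit_response(scheme, headers):
    """Return findings for one response.

    scheme: "http" or "https"; headers: list of (name, value) pairs so that
    repeated Set-Cookie headers are preserved.
    """
    def get(name):
        return [v for k, v in headers if k.lower() == name]

    findings = []

    # Transport: over plain HTTP any on-path device can rewrite body and
    # headers, and browsers ignore HSTS unless it arrives over HTTPS.
    if scheme != "https":
        findings.append("served-over-http")
    else:
        hsts = get("strict-transport-security")
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I) if hsts else None
        if not hsts:
            findings.append("hsts-missing")
        elif not m or int(m.group(1)) == 0:
            findings.append("hsts-max-age-zero-or-absent")

    # CSP: scripts should come only from an explicit list of origins.
    csp = get("content-security-policy")
    if not csp:
        findings.append("csp-missing")
    else:
        d = parse_csp(csp[0])
        sources = d.get("script-src", d.get("default-src"))
        if sources is None:
            findings.append("csp-no-script-restriction")
        else:
            loose = sorted({"*", "http:", "https:", "'unsafe-inline'"} & set(sources))
            if loose:
                findings.append("csp-loose-script-src:" + ",".join(loose))

    # Cookies without Secure are also sent on plain-HTTP requests to the host.
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie-not-secure:" + name)
    return findings

# Constructed sample responses (not captured traffic).
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.test"
HTTP_WITH_CSP = ("http", [("Content-Security-Policy", STRICT_CSP)])
HTTPS_WEAK = ("https", [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' *"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
])
HTTPS_HARDENED = ("https", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", STRICT_CSP),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
])
```

The HTTP-with-CSP sample still reports `served-over-http`: the policy itself is strict, but the header travels over the same unprotected channel as the page.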
Staying off promiscuous mode is one thing, but all AT&T hotspots appear with the same SSID - if you rely on a single one you'll get all of them.
Weak Wifi signal is also a killer - you're using maps and driving near a Starbucks? Data crawls to a halt as your phone tries to connect to a wifi point 30+m away.
I would prefer that carriers didn't do this kind of nonsense, but I'd also prefer that companies like Facebook & Google didn't have the core of their business built around the same function. We live in a world where people expect miraculous technology for "free."
I downvoted this, but I'd like to explain why. It's not reasonable to expect people to go and get VPNs of their own unless we, as technologists, make it so completely trivial that it's the default. If you ask the average person whether they need a VPN for public wi-fi, they will give you a blank stare. If we believe that it is something that they need, it's our fault that they don't know about it. And, if we believe that they shouldn't need it, it's our fault for not building secure solutions to begin with.
This is either a failure on our part to educate, or a failure to build secure systems, or a failure to regulate the people who would do these things. But either way, it's our failure -- not a failure of the users.
At least in this situation, you have a mechanism to opt out if you pick up a VPN and disrupt traffic injection.
Your only solution with companies like google & facebook is not to play.
I agree that it is disappointing that the layman isn't going to be able to disrupt this traffic injection. We are already so deeply into a privacy dystopia that I think you're focusing on the wrong fight. Some of the most successful companies have more users than customers. They are using TLS to avoid MITM attacks between the client & their infrastructure, but then harvesting data & injecting traffic till the cows come home.
Arguing for other mechanisms to disrupt carrier traffic injection is in essence an argument for defending the privacy invasive business cases of google & facebook.
With DPI, it's also rather trivial for WiFi providers to block normal VPN traffic - and they do.
There are ways around the DPI with SSL wrapping and such, but it's not always "trivial".
Point in case, I'm living in a town with a population under 40k, and I know of at least 3 places so far which block OpenVPN traffic over both UDP and TCP.
I have seen a fair number of public APs blocking VPN traffic, but my instinct is it's due to incompetence, not malice. It appears they are blocking everything but traffic to 80 and 443, likely due to some sort of turnkey wifi-in-a-box which makes bad assumptions. It is frustrating, as I won't use a public AP if I can't VPN (but I have unlimited data, so it's not a huge problem for me, at least).
Cloak is pretty, but my goodness their site is light on technical detail. I can't tell where their servers are located, what protocols they support, who owns the servers. It's so vague and hand-wavy that I'm not sure why I'm supposed to trust them.
A smaller ISP near me (Bright House) does a similar thing with their hotspots. There are no ad injections, but they inject a little popup with their logo, that says something along the lines of "hotspot provided by Bright House networks".
The funny thing is, this network requires you to log in with your Bright House username and password, so anyone seeing that little "provided by" intrusion is already a paying customer.
What I do not get is why the airport would allow that sort of thing. I can understand that providing wifi is a cost that should be mitigated for someone like McDonalds who is running razor thin margins, but considering the cost of operating an airport, trying to monetize wifi will probably never make an impact on your bottom line while annoying your users certainly will. It just seems like a foolish move to me.
There are a bunch of contract renewals coming up in a couple months (including mine, which I've been on the fence about, and now I have an excuse to switch carriers).
I wonder whose bright idea it was to roll this out now.
[1] http://www.att.com/legal/terms.wiFiServices.html
[2] http://apps.americanbar.org/litigation/committees/criminal/a...