Mayer’s curiosity was piqued when sites that feature no advertising (academic and government) and that already had some advertising sported more, including a banner stretched across the bottom, and pop-up ads that couldn’t be dismissed before a period of time had passed.
AT&T was injecting JavaScript into webpages, intercepting them and rewriting them on the fly, using a third-party ad network’s code to deliver the overlaid ads. In a statement provided by a spokesperson, AT&T said:
It should never have begun.
There are all sorts of things wrong with what AT&T did.
This just helps push users into safer surfing habits, an outcome I support. To inject advertising into a webpage as it loads, that page has to be unencrypted, and the network has to be allowed to load on a given device. AT&T isn’t the only company to ever test this; others regularly engage in lighter-weight versions, or simply scan what you’re doing to market at you more effectively.
In a post-Snowden era, a phrase I often have to write, the world is shifting to always-encrypted connections in almost every medium. Email was a natural, and while it took too long, it’s nearly impossible to set up an email connection on a modern mobile device or in a modern desktop OS email client and not engage encryption for sending and receiving.
The web has lagged, because a larger percentage of users visit a more diverse set of sites than email users relative to email hosts. Many web hosting sites have treated https encryption, which uses the SSL/TLS protocols, as an upgrade at an extra fee. It involves slightly more overhead, but vastly less than a few years ago. That will change, too.
Efforts by the Electronic Frontier Foundation (EFF) have lead to the HTTPS Everywhere plugin (co-developed by the Tor Project), which can be used with Firefox, Chrome, and Opera with desktop browsers, and Firefox for Android. The extension preferentially connects to the encrypted version of any site it’s aware of. I’ve used it for years.
At a more fundamental level of the web, server administrators can configure their systems to only feed out over https, or to signal that they have an https version of the site available. (It’s called HSTS, and all browsers currently in wide use support it.) Browsers are rapidly moving to pick those secured versions first. Many sites are shifting to https-only, and the EFF has another project that will assist in reducing complexity and cost for smaller sites, called Let’s Encrypt.
You can also opt to use a virtual private network (VPN) connection, which puts an encrypted wrapper around all your traffic. It’s generally advisable as a way to prevent any local network sniffing, whether at a café or airport, and it prevents code injection for advertising or for malware. I wrote up a couple of VPN services with Mac and iOS clients recently; there are dozens available.
And when iOS 9 rolls out with Content Blocking Filter Extensions, which El Capitan will include as well, blocking ad networks that are designed for injection will be a breeze: you will probably install and permanently leave switched on any content blocker designed strictly for privacy and reducing intrusion, even if you don’t block all ad networks.
One could look at AT&T’s misstep as the last effective time such an injection of code by an ostensible “white hat” firm is possible. Between the increasing, default amount of secure web connections and the rise of privacy-enhancing, ad-blocking technology, only a sliver of users in the near future would be able to have their sessions hijacked and rewritten in such a way.
(Disclosure: I hold a very tiny number of shares from employment at JiWire, which no longer operates under that name, which at one time ran an advertising network that in part delivered opt-in ads to airport customers in exchange for granting them free Wi-Fi access.)