New York hotel's WiFi placing hidden code in web pages

If you are traveling, you likely want to stay at a hotel that offers free WiFi internet access. However, it looks like at least one New York City hotel does something with its free WiFi connection that's pretty sneaky. The New York Times reports that web engineer Justin Watt recently found that, when he surfed the net on the WiFi network of Manhattan's Courtyard Marriott hotel, the websites he viewed on his laptop contained some hidden code that was not there before.

As it turns out, the hotel's WiFi network was inserting that extra code into those websites, and the code could be used to display ad banners. While Watt saw no actual ads, the hotel's WiFi network was evidently inserting ad code into sites whose owners had no prior knowledge of the practice and had given no permission for it.

The company that created this hidden code is RG Nets, which proudly describes its process on its website. The code that the company uses doesn't require that the web browser install any plug-in software but instead rewrites any website viewed on the network on the fly with a banner ad that can be placed on top, on the bottom or to the side of a regular website.

Of course, the owners of the websites that are "visited" by RG Nets' code don't get any money from these ad impressions. So far, there's no word on which other hotels or businesses might be using this technology.
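
A way to check for the kind of in-transit rewriting described above, as an added example that is not code from the article, from Justin Watt or from RG Nets: it compares a reference copy of a page (assumed to have been fetched over a trusted path such as HTTPS) with the copy received on the network under test and lists any script or iframe elements that appear only in the received copy. The sample pages and the `ads.example.invalid` host are constructed for illustration.

```javascript
// Collect script/iframe elements as comparable strings:
// external ones by their src URL, inline scripts by their normalized body.
function extractActiveElements(html) {
  const found = new Set();
  const tagRe = /<(script|iframe)\b([^>]*)>([\s\S]*?)<\/\1\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[2]);
    const body = m[3].replace(/\s+/g, " ").trim();
    if (src) {
      found.add(`${tag} src=${src[1]}`);
    } else if (body !== "") {
      found.add(`${tag} inline=${body}`);
    }
  }
  return found;
}

// Elements present in the received copy but absent from the reference copy.
function findInjected(referenceHtml, receivedHtml) {
  const known = extractActiveElements(referenceHtml);
  return [...extractActiveElements(receivedHtml)].filter((e) => !known.has(e));
}

// Constructed sample: the page as the site serves it ...
const reference = `<html><head><script src="/js/app.js"></script></head>
<body><h1>Trail gear</h1></body></html>`;

// ... and the same page after an in-path device added two elements.
const received = `<html><head><script src="/js/app.js"></script>
<script src="http://ads.example.invalid/banner.js"></script></head>
<body><h1>Trail gear</h1><script>var slot = "bottom";</script></body></html>`;

console.log(findInjected(reference, received));
```

Pages that legitimately vary between requests will also show differences, so the comparison is most useful on static pages or on a test page the checker controls.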

26 Comments

Is it changing content or ads? Changing ads for local markets and viewers seems fair. Why see a local ad in New York if you are in Texas? Changing content is a different issue. Even if you read the TOS would you care the ad was replaced with a local ad? Seems like an issue for ad brokers and content providers, not users. As long as I am getting good performance I am happy. Thanks Marriott. p.s. any good places for me to eat in this town? O look, there is one right here.

I wonder how long until ISPs start doing something similar, and then start charging you an additional "content delivery fee."

Anyone have the over/under on this?

This is why websites should make code that hides all elements by default, then enable the ones they want only.
Also, is it just me that has a problem with the phrasing of

John Callaham said,
hidden code that were not there before
?
Would've thought you'd say "was not there".

In fact I'm interested now, with AJAX requests... Surely what they're doing would completely **** them up? I know with what I'm currently coding it would. 'if recieveddata == "1" then...'

The question is why rewrite the requested website? Couldn't they just create an iFrame and place the ads in a small section at the top or bottom of the sites?

From a security point of view, who has access to the modules that do the rewriting? Could they modify the module to steal login credentials? Even though people know not to log in to personal sites when connecting to unknown providers.

primortal said,
The question is why rewrite the requested website? Couldn't they just create an iFrame and place the ads in a small section at the top or bottom of the sites?

From a security point of view, who has access to the modules that do the rewriting? Could they modify the module to steal login credentials? Even though people know not to log in to personal sites when connecting to unknown providers.

1) placing an iframe in the code would be rewriting the website and that is probably what they are doing
2) anyone can steal your login information if you are on an unencrypted network, stealing the session id from the http headers is even more simple. You certainly don't have to do complicated stuff like hacking some third party rewriting module you don't know. All the information is right there

XerXis said,

1) placing an iframe in the code would be rewriting the website and that is probably what they are doing


On 1, creating an iframe isn't rewriting the website per se. It's modifying your request by delivering a new page that's an iframe; one for the ad the other for the actual requested site. The site would be intact in an iframe scenario.

If internet services across the globe become free then any service provider would incorporate their own ad on websites, thereby making ad providers like Google redundant?

If you don't want your communications intercepted then you should be using encryption (VPN or HTTPS for example) plain and simple. Just as many websites are ad-supported to run the website, the unencrypted pages are ad-supported to run the free connection. They should however make it more clear that there is interception code running, eg: Displaying a notice across each page rather than try and hide it. Also I would expect a better service for paying guests of the hotel that isn't being tampered with - I would imagine that this could cause some compatibility issues for some applications that use HTTP connections.

Shiranui said,
I'd rather they did this than charge me for access. I suppose they should inform you, though.

They probably did, in the TOS which most people just don't care to read and scream afterwards why is there this and that on somewhere.

I am a website owner, and this seems fair to me. They are providing a free service. No problem for them to add in their own ads.

FloatingFatMan said,
Wouldn't this come under illegal interception of private communications somewhere?

You should have read the TOS of the hotel wifi before agreeing with it

FloatingFatMan said,
Wouldn't this come under illegal interception of private communications somewhere?

Only if it was doing that to SSL and encrypted connections, and it wouldn't be doing that unless it has the server's key or you accepted a dodgy SSL certificate that the device generated.

XerXis said,

You should have read the TOS of the hotel wifi before agreeing with it

But any agreement/TOS must fall under the law.

For example, if you wanted to use my WiFi connection for free, but I made you sign an agreement stating that I will kill your child, the agreement would be null and void because it is illegal to kill someone.

Companies can do whatever they want for products that people get for free.. They have to pay for them somehow..

You can't do that on the backs of website owners though. Those owners may sue for ad revenues lost.

Lachlan said,
Companies can do whatever they want for products that people get for free.. They have to pay for them somehow..

ScottDaMan said,
You can't do that on the backs of website owners though. Those owners may sue for ad revenues lost.

Needs confirmation, but as I understand it, this code just adds a banner somewhere on the page. It doesn't replace the website's ads. Look at the video, when he browses to backcountry.com. There's still the website's ad on top and on the right, and the BMW ad has been added on the bottom.

KooKiz said,

Needs confirmation, but as I understand it, this code just adds a banner somewhere on the page. It doesn't replace the website's ads. Look at the video, when he browses to backcountry.com. There's still the website's ad on top and on the right, and the BMW ad has been added on the bottom.


To quote the article: "but instead rewrites any website viewed on the network on the fly with a banner ad that can be placed on top, on the bottom or to the side of a regular website."

Thus, the coding is a lot more complex than just adding a banner. It rewrites entire websites! to place the ads. THAT could be seen as breaking intellectual copyright laws, as legally, a person's or company's website is THEIR OWN property, and shouldn't be messed with by others for profit that the site owner will never see.

Lachlan said,
Companies can do whatever they want for products that people get for free.. They have to pay for them somehow..

I do not see as the Wi Fi in a hotel room is free....... it is part of the package: Wi Fi, bed, sheets, pillows etc.; all these items' costs are included in the price of the room.

ScottDaMan said,
You can't do that on the backs of website owners though. Those owners may sue for ad revenues lost.

If they turn off the hotel's free wifi with the argument they are unable to provide it for free as it provides no revenue... then how would this scenario be providing any less revenue than having no-one visit the website through the hotel.