I finally figured it out when I saw Trump/Cruz ads on the front page of the New York Times. I’d been seeing oddly-placed and borderline irrelevant ads for a while, but I figured it was just bad algorithms. But Trump hanging out with The Gray Lady? There was no way this was just an ad network mixup. I toggled back and forth between the hotel wifi and my hotspot, and I verified that the ads were only coming through when connected to the hotel wifi. But why?
My first thought was that someone had hacked the hotel wifi network and was injecting ads (and probably inspecting outgoing traffic and grabbing passwords and etc.). I called down and spoke to the hotel manager. She was very concerned and said she’d call their wifi provider immediately. She gave me an email address so I could send her screenshots, which might help them diagnose the problem.
A few minutes later, she emailed back to say that the wifi hadn’t been hacked—it was actually the outsourced hotel wifi provider that was injecting the ads. She was surprised to learn this as I was, and she asked them to turn off this “feature” ASAP. The wifi provider in question is the blandly named Hotel Internet Services, a company that provides wifi for hotels across the country —including the Circus Circus in Reno and the Park Central Hotel in NYC.
I checked their terms of service to see if ad injection was explicitly part of the bargain. It was not. The TOS only states: “We may, from time to time, send e-mail messages or other forms of communication to User containing advertisements, promotions, etc. which may be offered by third parties”. I’m guessing this is the provision that they think gives them the right to inject ads willy nilly (I saw them injected on NYTimes.com and CBSNews.com, but it was probably on other sites also). I’m not a lawyer (anymore) but it seems like they’re skating on pretty thin ice. They could argue that ad injection is simply another form of communication that they’re “sending” to the user, but given the difference between sending email and injecting ads, this isn’t a great argument. And it’s made weaker by the fact that they don’t have my email address, so it’s not possible for them to send me email. It looks like they used this phrasing so that they could hide a vague catch-all phrase behind inocuous-sounding language about email—which was a ruse all along. Whether or not a judge would say this is adequate disclosure is anyone’s guess (and would likely depend on the judge), but one thing is clear: they’ve gone out of their way to obfuscate the fact that they’re injecting ads into web traffic. And considering the hotel itself wasn’t aware that this was happening, individual guests really can’t be expected to figure it out.
Why it matters
Guests obviously don’t want to have ads injected into webpages—especially when they’re paying for the wifi, as I was. These ads didn’t just slow down my browser—they also slowed down my computer. Thanks to these ads, my 2014 MacBook Air was at 85% processor load with just 3 Chrome tabs open to the NYT.
But it’s not just guests who should be against this practice—hotels should too (though some may have knowingly accepted ad injection in exchange for lower prices). Injecting and routing these ads clogs up the network, and the aggregate impact could be quite large. The hotel where I stayed had a decent connection after midnight, but it was slow from 8p until 12. Imagine how much faster it would be if every single page request didn’t drag two ads along with it! Even if hotels are getting a price cut, they’re probably losing as much money in terms of additional capacity they have to purchase.
Have you ever stayed in a hotel where the wifi injected ads? In the interest of transparency, it would be great to have a (black)list of wifi providers that inject ads and hotels that allow it. Use this Google Form to submit a hotel or provider, and see the (completely unverified) results here. You can check out a partial client list of Hotel Internet Services clients here (my hotel wasn’t on the list, and I don’t know how many are similarly omitted), and please share your experiences in the comments here or over on Hacker News.