(image: Ryan Singel)

Comcast has begun presenting intrusive advertising messages to users connected to any of its 3.5 million Wi-Fi hotspots nationwide, most hosted by customers paying more than $8 a month in leasing and electricity costs to provide a home for the company’s wireless gateways.

A Comcast spokesman confirmed to Ars Technica that Comcast began its ad insertions several months ago, ostensibly to alert users they are connected to an official Comcast Wi-Fi hotspot. But users report the company’s advertising messages go well beyond that, appearing about every seven minutes on every web page a customer visits. Some promote Comcast products and services, others invite customers to download the cable company’s apps. For now, they only appear on Comcast’s guest Wi-Fi network.

“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast,” Comcast spokesman Charlie Douglas told Ars.

The most common ad seems to be a small banner dubbed “XFINITY Wi-Fi Peppy,” which can be closed by a user or eventually disappears on its own.

Although the ads are generally not exceptionally intrusive, often scooting across the bottom of web pages before disappearing, they are controversial because Comcast is injecting the advertising code into a third party’s website without permission.

Comcast is relying on JavaScript to insert its advertising and that has security experts concerned.

Seth Schoen, the senior staff technologist for the Electronic Frontier Foundation, told Ars the interaction of Comcast’s JavaScript with websites could “create” security vulnerabilities in websites.

“Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn’t have them,” Schoen said in a telephone interview.

Dan Kaminsky added that Comcast’s JavaScript injection has the potential to break “all sorts of stuff, in that you no longer know as a website developer precisely what code is running in browsers out there. You didn’t send it, but your customers received it.”

Although Comcast is now using its ad insertion technology only to promote its own products and services, nothing legally precludes Comcast from selling ads it could insert on any web page it wishes. Current law doesn’t give the Federal Communications Commission authority to stop the practice. Only strong Net Neutrality protections made possible by a redefinition of broadband as a communications service would grant the FCC regulatory authority to forbid Internet providers from interfering with the integrity of third-party websites.