Don't use Marriot hotels' sleazy Wi-Fi

Brian X. Chen for the New York Times: "The hotel’s Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page’s creator. (He did not actually see any such ads.)"
Guest Justin Watt's full report has that air of mounting frustration so many of us now associate with hotel travel. The best parts of Chen's story are where Courtyard Marriot is such an organizational disaster that it can't even figure out what spokesperson is responsible for replying to the Times' inquiries; and where the WiFi provider, RG Nets, "quickly hung up on calls."

Update: Watt has added a statement received from Courtyard Marriot, in which it blames RG Nets and says the script insertion occurred "unbeknownst" to it. However, the hotel chain also claims it is "a common marketing practice with many Internet service providers".


  1. Free wireless at BWW restaurants used to hijack link clicks about once every 5 minutes, and instead of going to the url you wanted to, you got a page full of ads. 

    I understand the urge to try and squeeze pennies out of every single thing possible, but at some point you gotta wonder if the bad mojo is worth the microscopic bump in profits.

    1. Once upon a time, Belkin released a router that did the same thing, though less frequently.  I haven’t bought so much as a USB cable from them since.  Any company that thinks it’s OK to mess with my data stream doesn’t get my business.  Not ever.  IMO if they thought it was in any way acceptable even once, they are not people that I want to do business with even if they say they’ve changed.

    1. Or personal VPN. I use the VPN service on OS X Lion Server when I’m out an about. Before that OpenVPN on a DD-WRT router.

      Er… unless you are on a “Guest” WiFi service that locks down the ports to 53, 80 and 443. Then MiFi or similar is the way like Rob says.

  2. Target does something like this too. If you do a google search while on Target’s in-store WiFi, search results will have a green check mark next to them. Apparently they have some kind of proxy that only allows “approved” search results.

    I’ve tried ricockulously NSFW material and they don’t seem to care, and they don’t seem to be doing anything obvious like tampering with comparison shopping and competitors like…

    They did mange to break Apple’s iTunes and the App Store (you can browse, but you get an error if you try to download anything, which is really odd because Apple uses SSL)

    1. Just walk in with your phone set to Wi-Fi tether or carry a Mi-Fi. Visit whatever site you want then. If I want a good deal in a PC shop I always do this, and Google the cheapest prices. When the staff see this they usually panic, and bow down to reasonable price matching. If one shop is able to sell something for a certain price then it’s a fair assumption that they buy them in for the same price so therefore able to sell at the same price.

    2. That sounds like it may be an anti-spyware proxy; the green check marks would then be links that the proxy provider doesn’t have on their list of drive-by-downloaders.

    1. Wonderful business practice for them — try to charge me $13/night more for something that should be included in the room rate, lose a s*&t-ton of room-nights entirely. (Two months a year, in my case.)

      1. It’s about as wonderful as what you’re doing there.

        except, of course, they own and you visit.

  3. Seems a copyright lawsuit  is in order here. Marriot created a derivative work with intent to profit. That should be worth like eleventy-brazillion dollars. (According to the MAFIAA).

    1.  Yep, this was my thought too.  I saw this myself recently on an airport’s wifi.  I was visiting a page that I own and that has no ads at all on it, and sure enough, there was my content with a big banner ad across the top.  I took screen caps and saved copies of the vandalized code, but I didn’t do anything about it.  It didn’t seem worth hunting down a lawyer or even posting an angry blog post somewhere.

      The thing that pissed me off the most was that my site’s visitors would have no way of knowing that I hadn’t put the ads up myself.  It seemed a real breach of trust.

    2. Maybe I missed your point, but this sounds like arguing Regal Cinemas is violating the copyright on a studio’s movie by running a trailer before it for a different movie. Not saying the ad bannering isn’t icky, but this would be quite a novel interpretation of copyright law.

  4. One more reason why HTTPS will eventually become the protocol of choice and all communications will be encrypted. On-the-fly page-modification is simply another man-in-the-middle attack; encryption will take care of it.

    1. That assumes the users are smart enough to know they’re using proper encryption. It’s trivial to do a man in the middle attack with HTTPS if the users ignore certificate errors.

  5. This is nothing, when I stayed at the Fairmont Tremblant in March 2010 every SSL protected website that I use on a normal basis produced a self signed SSL cert verification error (I’m an internet engineer and know what the “scary warning bubble” means).  At first I thought it might be some great firewall of Canada trying to MITM me – so I rejected all the certs and just didn’t visit my bank account, credit card, or gmail that week.  To my surprise though I brought my laptop to the Internet cafe across the street from the hotel and low and behold – no warnings.  The f*cking Fairmont was the MITM culprit!!!!

  6. Whenever I’m using town bicycle Wifi I always ssh connect to my server and send all web traffic through that as a socks proxy. So even if the hotel is doing middleman SSL (surprisingly often) they don’t get a chance. I use putty + foxyproxy, but there are a lot of options. Of course it requires that you have an ssh account somewhere.

  7. WiTopia has worked well for me.  They seem trustworthy (though how can you ever be sure?) but their OpenVPN SSL gets me through filters without hassle.

  8. Shocking News,  whats next Facebook & Google are tracking users shopping interests!!! 
    LOL How long have you been living in the digital era?

  9. Marriott – two R’s two T’s.

    Also, it’s the ISP injecting code, not Marriott. 

    Finally, do a TINY bit of research when choosing a hotel and you’ll find, miraculously!, that only FULL-SERVICE hotels charge for internet, which is typically bundled with long distance service and/or premium cable access. This trend is the result of high end hotels catering to those who are seeking luxury as opposed to value. If you want free wi-fi, choose Courtyard, Residence Inn, Townplace Suites, SpringHill Suites…all complimentary.

    Here endeth the lesson.

  10. I’ve yet to find a ‘free’ wifi account that didn’t at the very least want to harvest your email address.   (In the UK.)

    Just after reading this, at a friends: “our wifi router has a free access thing from BT.  We don’t get billed”.  Tried it.  Got *all* sorts of warning messages about spoofing et al.

Comments are closed.