About one percent of the Web pages being delivered on the Internet are being changed in transit, sometimes in a harmful way, according to researchers at the University of Washington.

In a paper, set to be delivered Wednesday, the researchers document some troubling practices. In July and August they tested data sent to about 50,000 computers and discovered that a small number of ISPs were injecting ads into Web pages on their networks. They also found that some Web browsing and ad-blocking software was actually making Web surfing more dangerous by introducing security vulnerabilities into pages.

"The Web is a lot more wild than we originally expected," said Charles Reis , a PhD student at the University of Washington who co-authored the paper.

The paper, which was co-written by a researcher at the International Computer Science Institute, will be delivered at the Usenix Symposium on Networked Systems Design and Implementation in San Francisco.

To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit.

In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. "We're confirming some rumors that had been in the news last summer, that ISPs had been injecting these ads."

The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector. An XO spokesman said that the company does not engage in this practice and that any ad-injection linked to its network is probably being done by a "downstream" service provider that is purchasing network capacity from XO.

In June 2007 the TechCrunch blog reported RedMoon, a small Texas wireless provider, was using a system built by a Redwood City, Calif., company called NebuAd to insert advertising into the HTML code of Web pages.

Critics blasted the ISP for meddling with its customers' traffic and worried that this kind of ad injection undermined the integrity of Web sites, which had no control over the ads being displayed.

NebuAd has now discontinued its ad-injection product line and now delivers only the standard type of advertising that it buys from Web publishers, a company spokesman said Tuesday.

The IDG News Service is a Network World affiliate.