Slashdot Mirror


ISP Inserting Content Into Users' Webpages

geekmansworld, among other readers, lets us know that the Canadian ISP Rogers is inserting data into the HTTP streams returned by the Web sites requested by its customers. According to a CBC article, Rogers admits to modifying customers' HTTP data, but says they are merely "trying different things" and testing the customer response.

24 of 396 comments

  1. What's the problem? by squidinkcalligraphy · · Score: 3, Insightful

    Let's get rational for a second here; the ISP is trying to inform you you're reaching your limit, so you don't overshoot it and start having to pay extra. Let's put arguments about limits aside (after all, you've agreed to a contract involving limits). It's in their interests _not_ to inform you, as you'd have to start paying them extra. But they're trying to find a more pervasive way of letting you know. How else can they do it? Via email? They'd just send it to the email address they provide you with. Who really uses ISP-provided email these days? It's all webmail, so they need some window to get through to you, and maybe http is that window.

    --
    "I think it would be a good idea" Gandhi, on Western Civilisation
    1. Re:What's the problem? by patternmatch · · Score: 5, Insightful

      How else can they do it? Via email? They'd just send it to the email address they provide you with. Who really uses ISP-provided email these days? It's all webmail, so they need some window to get through to you, and maybe http is that window.

      Or maybe, just maybe, they could ask you for your regular email when you sign up. This is not rocket science. There is no excuse for an ISP to be arbitrarily modifying the content of a subscriber's traffic.

    2. Re:What's the problem? by Brian+Gordon · · Score: 2, Insightful

      Because they're using software made for inserting ads into or rewriting the HTTP stream, and that software is very evil. I think it's a very neat idea that's also very scary.

    3. Re:What's the problem? by Anonymous Coward · · Score: 1, Insightful

      What about a phone call, an IM, or a letter?

      You know, something that has proven to be both legal and moral.

    4. Re:What's the problem? by timmarhy · · Score: 4, Insightful

      the problem is going to be that modifying the http stream will break web applications and some secure sessions. it'll become even more of a problem as time progresses.

      imho they are creating a solution to a problem that doesn't exist. there's 1000's of widgets out there they could tune to give you an almost real time view of your quota, building their own and interfering with your http traffic is not a good solution.

      --
      If you mod me down, I will become more powerful than you can imagine....
    5. Re:What's the problem? by owlnation · · Score: 2, Insightful

      The problem...?

      The obvious one... consensus, agreement, privacy, respect, customer focus, precedent... etc...

      That all seems pretty rational to me.

    6. Re:What's the problem? by weorthe · · Score: 5, Insightful

      that software is very evil

      Yes. Imagine a world in which China/Bush's America/Hillary's America no longer censors the web but subtly modifies it instead. Maybe with the cooperation of Yahoo et al. All power inevitably becomes abused. What good is freedom of expression if you can't be sure your expression is your own?

      --
      cat * >> sig
    7. Re:What's the problem? by AccUser · · Score: 2, Insightful

      the ISP is trying to inform you you're reaching your limit

      The ISP is inserting data into the page. Suppose they add a logo, a hit the mosquito advert, and a movie trailer - will they charge you for that bandwidth?

      --

      Any fool can talk, but it takes a wise man to listen.

    8. Re:What's the problem? by jerw134 · · Score: 4, Insightful

      The ISP is clearly partnered with Yahoo, just like AT&T is in the US. So the service is called Rogers Yahoo High Speed Internet. It's not an ad, it's their logo.

    9. Re:What's the problem? by Valdrax · · Score: 3, Insightful

      You trust your ISP enough to give them your actual email address? You, sir or madam, are a braver soul than I.

      You also give them your physical street address to have the service hooked up, and every month a small piece of paper containing your checking account's account number and bank routing number. In America, they probably got your social security number too.

      I'm really not afraid of what they're going to do with email compared to all of that.

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  2. Hey Rogers! by ScrewMaster · · Score: 4, Insightful

    I got your "customer response" right here.

    Seriously, when it becomes acceptable for the phone company to break into my conversation with "Did you know that Geico can save you a ton of money on car insurance?" then my ISP can screw around with my Web pages. Otherwise, get your sticky paws OFF me, you damn dirty apes.

    --
    The higher the technology, the sharper that two-edged sword.
  3. Getting away with murder by javacowboy · · Score: 5, Insightful

    So.... why aren't there any high profile lawsuits against Rogers yet?

    First they throttle BitTorrent traffic. Then, when BitTorrent users encrypted their connections, all encrypted traffic was throttled, making VPN connections unbearably slow.

    The only reason I can think of that they're getting away with this is that...uh...people in Ontario don't telecommute at all?

    Why is everybody letting Rogers get away with these shenanigans? Rogers' practices must be costing some business users serious money. I simply don't understand.

    --
    This space left intentionally blank.
  4. Okay, I know... by gillbates · · Score: 5, Insightful

    This is a dupe, but it's worth commenting on.

    The fundamental problem I see with this is that the ISP is changing the content of webpages to suit their own interests. There are a myriad of problems here, regardless of whether or not the customer accepts it:

    1. Copyright law: technically, the modified web page is a derived work. The ISP can now be held liable for copyright infringement if, say, Google, or the New York Times objects. The potential revenues sinkhole from copyright litigators is far greater than what any ISP could bear.
    2. There are ethical problems with an ISP artificially inflating the size of webpages, especially if they charge for the bandwidth.
    3. This smacks of 1984-esque censorship. Once it becomes commonplace for an ISP to change a web page, how long before government uses this for nefarious purposes?
    4. Consider how the above may be abused: a political rival logs onto Google, and the ISP replaces the normal content with child porn. Enter the police and 10 to 20 years in prison...
    5. If I can't trust my ISP to deliver an unmodified webpage, the only alternative is to use https for everything. While I'm personally favorable to such a thing, I realize it will disenfranchise a lot of part time and small time web operators who don't have the sophistication to set up an https server properly. Thus, one of the great egalitarian aspects of the web dies.

    In light of the fact that a certain ISP blocked access to union websites, this is an alarming event indeed. Democracy depends on the free flow of information, and I'm thinking that it might be appropriate to make such a practice illegal, if only for the sake of preserving democracy. It will first be used for commercial gain, and later, leveraged as a political tool.

    --
    The society for a thought-free internet welcomes you.
  5. I don't think so. by Frosty+Piss · · Score: 2, Insightful

    This could open up a whole bunch of "but I didn't download that" claims when users are caught with dubious material. They could claim that their ISP modified their download streams and point (at least some of) the blame toward the ISP.

    Of course this is a disturbing trend, and from what I read about Rogers Cable, I'm not surprised. But I have to seriously question if your scenario would come to pass. I really don't think that ISPs are going to "insert" kiddie porn, "illegal" music or movies, or "terrorist" content in your Web page requests. Pirate Bay will not be buying banner ads on Rogers. The thing that *might* open them to liability are these stupid pop-ups that look like Windows dialog boxes advertising spyware removal or similar shit.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:I don't think so. by thegrassyknowl · · Score: 2, Insightful

      I didn't imply kiddie porn or anything of the like. I said "dubious". Dubious depends on locality and context.

      What you find acceptable I might find dubious.

      There are a lot of corrupt people working all over the place. There are a lot of funky rules in regard to what people are and aren't allowed to look in various countries.

      There is nothing to say that a disillusioned worker at an ISP couldn't have himself a little fun by somehow hiding an iframe or something into the extra data that displays the contents of an external site that may cause you to be examined a little more closely by the authorities. It's unlikely, I know, but once the facilities are in place it becomes much easier to manipulate if someone ever wanted to.

      Your stupid popup ad thing is one more plausible example. Again, that is dubious content. You might not get in trouble for it but it could cause you trouble if it links to spyware.

      --
      I drink to make other people interesting!
    2. Re:I don't think so. by lena_10326 · · Score: 3, Insightful

      But while such garbage might be annoying, it's unlikely it would be illegal content.

      You're surfing on a public computer in Iran.... a popup displays showing hardcore gay sex and red blinking text says CLICK FOR FREE GAY PORN!

      --
      Camping on quad since 1996.
    3. Re:I don't think so. by afidel · · Score: 2, Insightful

      It doesn't have to be illegal to cause you legal headaches. Example: You're surfing a perfectly normal site with no expectations of adult banner ads, but your session is hijacked by your ISP with a less than reputable ad provider. Up pops a banner ad with a risque model just as your female coworker pops into your cube to ask a question. Now you and your company are potentially facing a lawsuit for a hostile work environment. I wonder if Websense et al can detect this type of manipulation in order to protect the corporate networks.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:I don't think so. by Darby · · Score: 3, Insightful

      I really don't think that ISPs are going to "insert" kiddie porn, "illegal" music or movies, or "terrorist" content in your Web page requests

      You're almost certainly correct, if by "ISPs" you mean the decision makers of the ISPs, and therefore the official policies thereof.

      However, what this does is fundamentally change the way they run their network thereby opening up massive vulnerabilities.

      Before they decided to make it their official policy to engage in the mass of unethical behaviors this exhibits, in order to insert goat porn, or the like, into a client's browser a disgruntled employee would have to jump through a mass of hoops (assuming they ever had any working network monitoring tools).

      Now, though, since this fraudulent activity is part of their official corporate policy and therefore necessarily of their infrastructure, all it takes is changing some text which is designed to be easily modified.

      That's the fundamental problem with this policy. Creating a method for potentially malicious people to insert unwanted content into the browsers of their own customers *is* the entirety of the policy.
      I doubt many people think that "goat porn for the masses" is the goal of Rogers, but they are going way out of their way to make sure that doing exactly that is trivial.

      I absolutely hope somebody pulls that argument and wins though, because this absolutely creates more than enough reasonable doubt.

      "But we didn't put that pic of two year olds fucking on his computer"...

      "Oh yeah? You created a process designed for the purpose of manipulating content and creating forgeries of web sites with deliberately falsified content in violation of every standard practice, every commonly sensible idea and every relevant ethical principle. Prove absolutely that each and every one of your employees was entirely uninvolved with this particular case, when you've spent so much time and effort ensuring that it would not only be possible, but trivial."

      It's not that Rogers has a plan for gross porn distribution, it's that they've created a means, a method and a process for doing exactly that with few if any possible legitimate uses.

  6. Re:Trying different things... by basic0 · · Score: 2, Insightful

    Good luck. I listen to Prime Time Sports with Bob McCown every day, and apparently even well-known, award-winning air talent doesn't have any level of access to Uncle Ted or the 10th floor of the Rogers building. McCown claims he's never met Ted Rogers in the ~10 years he's been working for him. I imagine his office is like something out of the movie "Sneakers".

  7. Re:No problem as used in this case by arkhan_jg · · Score: 2, Insightful

    Thing is, now you know they have the ability, equipment and willingness to modify your datastream...

    Write again when a (non-free) ISP injects ads or blocks competitor's websites.

    How would you know whether they are, or not?

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  8. Re:Read between the lines by thinkertdm · · Score: 3, Insightful

    Now this is only the beginning. It is only a matter of time before other ISPs start doing the same thing, and you can't stop them. Here's why:

    1. Comcast and other ISPs have more money than you do. Loads more. Sure, you may have a case on legal grounds, but they have the money. What are you going to do, stand in front of the CEO of Comcast and say "pwease mr, don't do this!" Good luck with that.
    2. Think you are going to drop whatever ISP is doing it and jump to the other one? Most places only have 2. It's not like tuna fish, where there are five different brands to choose from.
    3. Why should any ISP listen to you, the consumer? See #2 above.
    4. While this activity is wrong, no one is doing anything about it. The majority of the population thinks people with high speed are criminals anyway, so we deserve what we get. This isn't even news- if it comes up at all, it's buried after sports and the weather. Look at Comcast blocking bittorrent. Look at the RIAA lobbying in congress. We are screwed.
    5. The only right way for an ISP to do things is the best way to make more money. Right or wrong has nothing to do with it.

    I think the only answer is for a strong net neutrality bill. The ISPs are supposed to answer to the consumer, not the other way around.

  9. Does HTML 5 have a provision for checksums? by ceoyoyo · · Score: 2, Insightful

    Looks like it should. We probably also need a new standard for lightly encrypted pages. Light enough to not put undue strain on the server but heavy enough to make it impractical to modify pages on the fly.
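Added example, not part of the original thread: a sketch of the checksum idea raised here and of the "How would you know?" question in comment 7, checking a body fetched over plain HTTP against a digest and listing the markup that was added in transit. The sample pages, the `isp.example` URL and all function names are constructed for illustration. The digest is assumed to arrive over a channel the ISP cannot rewrite, since a checksum carried in the same plaintext response could be altered along with the page.

```python
import base64
import difflib
import hashlib
import hmac
import re

def sri_digest(body: bytes) -> str:
    """Digest in Subresource Integrity notation: sha256-<base64 of SHA-256>."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def tokens(body: bytes) -> list:
    """Split markup into tags and text runs so the diff aligns on element boundaries."""
    return re.findall(r"<[^>]+>|[^<]+", body.decode("utf-8", "replace"))

def verify(received: bytes, trusted_digest: str, reference: bytes = None) -> dict:
    """Check a body fetched over plain HTTP against a digest from a trusted channel.

    If a reference copy is available (fetched over a different path), also
    report the runs of markup that appear only in the received body.
    """
    intact = hmac.compare_digest(sri_digest(received), trusted_digest)
    added = []
    if not intact and reference is not None:
        ref, got = tokens(reference), tokens(received)
        matcher = difflib.SequenceMatcher(None, ref, got, autojunk=False)
        for op, _i1, _i2, j1, j2 in matcher.get_opcodes():
            if op in ("insert", "replace"):
                added.append("".join(got[j1:j2]))
    return {"intact": intact, "added": added}

# Constructed sample data: the page as published, and the same page as it
# might arrive after an in-path device has added a quota banner and a script.
PUBLISHED = b"<html><body><p>Hello</p></body></html>"
RECEIVED = (b'<html><body><div id="notice">You have used 75% of your monthly '
            b'allowance</div><p>Hello</p>'
            b'<script src="http://isp.example/n.js"></script></body></html>')
# Assumption: stands in for a digest the site published over an authenticated channel.
TRUSTED_DIGEST = sri_digest(PUBLISHED)

if __name__ == "__main__":
    print(verify(PUBLISHED, TRUSTED_DIGEST))
    print(verify(RECEIVED, TRUSTED_DIGEST, reference=PUBLISHED))
```

Without a reference copy the check can only say that the body changed, not what was added.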

  10. Title is wrong; what else is wrong? by gvc · · Score: 2, Insightful

    Rogers are clearly not inserting content into users' web pages, as the title claims. They are inserting content into pages viewed by users.

    So I have little faith in the claim that they are "intercepting http." What is more likely is that the default proxy server they provide is inserting the content. While it may make little difference to the average user, as the "normal" setup uses the proxy, it seems to me that there's a huge difference between supplying a proxy and intercepting and manipulating http traffic; that is, hijacking TCP port 80. The proxy I can easily avoid by using a direct connection to the internet; TCP hijacking, I can't.

    1. Re:Title is wrong; what else is wrong? by yuna49 · · Score: 2, Insightful

      Many ISPs "hijack" outbound port 80 connections and transparently proxy them. I'm not sure how you think you'd avoid this proxy unless you yourself are using a proxy that listens on some port other than 80 and is located on a network outside your ISP's.

      I routinely configure office networks to do this with iptables+squid. It gives their administrators a log of requests in case they need to check up on what sites their employees have visited. It also enables us to add some security features to the network that apply automatically to all users, for instance, blocking downloads of .exe files.