Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Confirms ISPs Meddle With Web Traffic

Posted by Soulskill on from the you-wouldn't-like-me-when-i'm-angry dept.

Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered during the transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. The found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld: "To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."

9 of 131 comments (clear)

  1. Re:common carrier? by pegdhcp · · Score: 5, Informative

    While IANAL, I used to manage our relations with Telecommunications Authority of Turkey, whose regulations are closely similar to other ITU member organizations. Here we are required to protect customer privacy during their telecommunication activities and only share pertaining data with legal authorities. Similarly we are required to modify some web content (in fact, we are poisoning DNS data) only under legal orders. However it is not clear if the traffic from public web sites are private traffic, while messing with a banking site's traffic and/or a transactional traffic carrying credit card info will certainly put you behind the bars.

  2. Re:common carrier? by Anonymous Coward · · Score: 2, Informative

    No.

    This is because ISPs aren't common carriers in the first place.

  3. duh by the+brown+guy · · Score: 2, Informative

    tell us something we don't know http://tech.slashdot.org/article.pl?sid=08/04/07/1457218 http://yro.slashdot.org/article.pl?sid=08/03/29/2217231 http://tech.slashdot.org/article.pl?sid=08/03/27/149253 http://yro.slashdot.org/article.pl?sid=08/03/25/035200

    --
    Orbis terrarum est non altus satis
  4. USA ISPs are NOT common carriers! by The+tECHIDNA · · Score: 5, Informative

    When will this zombie...er, urban legend die (at least in the US?)

    Cable Internet Service Not Common Carrier ... and that was a ruling by the US Supreme Court.
    Corollary:
    FCC Reclassifies DSL, Drops Common Carrier Rules ... so DSLs don't escape either.

    I'm not rooting for this, but we need to try harder for an actual solution rather than seek the unicorn of a "solution" that didn't/no longer exists.

    1. Re:USA ISPs are NOT common carriers! by Kjella · · Score: 4, Informative

      No, in legal terms they're not but USC 17512 is "common-carrierish" enough that most people will call them that anyway. At any rate, 17512(a)(5) states "(5) the material is transmitted through the system or network without modification of its content." So, if your copyright is being infringed and shown on a page where these ISPs have injected ads, I would say this protection does not apply and you can sue the ISPs for damages. Plus I imagine this shoudl fall under all sorts of other laws, you can't just associate my page with your ad, it can be anything from defamation (ads that are offensive to the site's content) to fraud (thinking you support a page you don't). If you throw a big enough pile of shit at them for this, something will stick.

      --
      Live today, because you never know what tomorrow brings
  5. Re:I charge for ads by Compholio · · Score: 4, Informative

    I don't know how I could monitor that or even detect it unless the client user notified me.
    Have your server compute the MD5 sum of the page of your website and transmit it as an invalid HTML tag (or just a hidden one) at either the beginning or end of the document. In this document (or in a referenced "SCRIPT" page) also insert JavaScript that computes the MD5 sum of the client-received document (sans the added information) and transmits both the original MD5 sum and the computed sum back to your sever using AJAX. If these don't match then somewhere along the way someone tampered with your document.
  6. Re:common carrier? by jhol13 · · Score: 2, Informative

    Lets put it this way: In Finland ISPs will not change the data.

    "Disturbing telecommunications" is punishable up to two years in prison. And if you are what I think "common carrier" means the minimum penalty is four months jail time.

    The law seems (IANAL) to be written so that ISPs are "common carriers" according to this law.

  7. Re:In Canada... by FunFactor100 · · Score: 2, Informative

    Apparently they can inject ads without you using their browser. There are other ISPs in Ottawa btw, some just resell Bell's DSL though...which is now being throttled.

  8. Toolkit for detecting changes to your own page by csreis · · Score: 5, Informative
    If you're interested in knowing if your own page is being modified in flight, we (the authors of the study) have an open source toolkit for adding a "web tripwire" to your page. It's just a piece of JavaScript code that does an integrity check within the user's browser, and it can report any in-flight changes back to your server.

    The toolkit requires you to run CGI scripts on your server to collect results, but we also have a web tripwire service that is easier to use (available on the same page above). Just add one line of JavaScript to your page, and our server will handle the integrity check and collect the results. We can then provide you with reports of the changes, much like Google Analytics.

    We hope that by spreading web tripwires to other pages, we can at least deter ISPs from making further changes to web pages in-flight.