Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Confirms ISPs Meddle With Web Traffic

Posted by Soulskill on from the you-wouldn't-like-me-when-i'm-angry dept.

Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered during the transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. The found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld: "To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."

5 of 131 comments (clear)

  1. Re:common carrier? by pegdhcp · · Score: 5, Informative

    While IANAL, I used to manage our relations with Telecommunications Authority of Turkey, whose regulations are closely similar to other ITU member organizations. Here we are required to protect customer privacy during their telecommunication activities and only share pertaining data with legal authorities. Similarly we are required to modify some web content (in fact, we are poisoning DNS data) only under legal orders. However it is not clear if the traffic from public web sites are private traffic, while messing with a banking site's traffic and/or a transactional traffic carrying credit card info will certainly put you behind the bars.

  2. USA ISPs are NOT common carriers! by The+tECHIDNA · · Score: 5, Informative

    When will this zombie...er, urban legend die (at least in the US?)

    Cable Internet Service Not Common Carrier ... and that was a ruling by the US Supreme Court.
    Corollary:
    FCC Reclassifies DSL, Drops Common Carrier Rules ... so DSLs don't escape either.

    I'm not rooting for this, but we need to try harder for an actual solution rather than seek the unicorn of a "solution" that didn't/no longer exists.

    1. Re:USA ISPs are NOT common carriers! by Kjella · · Score: 4, Informative

      No, in legal terms they're not but USC 17512 is "common-carrierish" enough that most people will call them that anyway. At any rate, 17512(a)(5) states "(5) the material is transmitted through the system or network without modification of its content." So, if your copyright is being infringed and shown on a page where these ISPs have injected ads, I would say this protection does not apply and you can sue the ISPs for damages. Plus I imagine this shoudl fall under all sorts of other laws, you can't just associate my page with your ad, it can be anything from defamation (ads that are offensive to the site's content) to fraud (thinking you support a page you don't). If you throw a big enough pile of shit at them for this, something will stick.

      --
      Live today, because you never know what tomorrow brings
  3. Re:I charge for ads by Compholio · · Score: 4, Informative

    I don't know how I could monitor that or even detect it unless the client user notified me.
    Have your server compute the MD5 sum of the page of your website and transmit it as an invalid HTML tag (or just a hidden one) at either the beginning or end of the document. In this document (or in a referenced "SCRIPT" page) also insert JavaScript that computes the MD5 sum of the client-received document (sans the added information) and transmits both the original MD5 sum and the computed sum back to your sever using AJAX. If these don't match then somewhere along the way someone tampered with your document.
  4. Toolkit for detecting changes to your own page by csreis · · Score: 5, Informative
    If you're interested in knowing if your own page is being modified in flight, we (the authors of the study) have an open source toolkit for adding a "web tripwire" to your page. It's just a piece of JavaScript code that does an integrity check within the user's browser, and it can report any in-flight changes back to your server.

    The toolkit requires you to run CGI scripts on your server to collect results, but we also have a web tripwire service that is easier to use (available on the same page above). Just add one line of JavaScript to your page, and our server will handle the integrity check and collect the results. We can then provide you with reports of the changes, much like Google Analytics.

    We hope that by spreading web tripwires to other pages, we can at least deter ISPs from making further changes to web pages in-flight.