Study Confirms ISPs Meddle With Web Traffic
Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered in transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. They found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld:
"To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."
I am wondering whether altering web pages by inserting ads changes the ISP status of common carrier (http://en.wikipedia.org/wiki/Common_carrier) thereby exposing it to liability for crimes and/or infringement perpetrated by its customers. Any takers?
Rogers has been doing this for a while, which goes along very well with their expensive and not-really-high-speed service.
Someone actually had the balls to NAME these ISPs, instead of referring to generic "providers". Of course it sucks to be you if you live in an area where they have exclusive coverage - but it's good to know who thinks they have the right to tamper with packets going between you and the destination of your choice.
Seven puppies were harmed during the making of this post.
a: XO's spokesperson has publicly stated (see the PCWorld article) that it was probably a reseller, not XO itself.
b: Most modifications, at least from the client viewpoint (and excluding the exploitable vulnerabilities which were discovered) are benign. 70% of the modifications were client-side proxies, such as personal firewalls, popup blockers, and ad-removers.
Of the remaining, most other modifications were things like enterprise firewall services (which modify/insert Javascript checking code) and compression transformations (removing whitespace and/or routines for displaying downgraded images to save bandwidth).
Test your net with Netalyzr
Because of this issue and some related problems I've often wondered about extensions to HTTP to support cryptographically signed pages.
HTTPS is great, but involves a significant CPU cost per page and isn't friendly to web caches.
Signed pages, if static, could be signed once and stored. They'd also be cacheable with all the normal rules.
The main issue is key management. How do you get the signing key? Well, I'm pretty sure the HTTPS certificate key could be used to sign a page, though there might be risks to the integrity of the key. A better way would be to use a single HTTPS request to grab a signing key from the remote site.
Signatures could be just another HTTP header, so browsers without support would never even notice. An alternative would be an HTML comment after the close body tag. The HTTP header, though, would work for related resources like images as well, and for that reason would probably be much better.
Unfortunately, it's all useless because an ISP could trivially strip signatures from HTTP headers or pages if they wanted to mess with the page.
If this sort of thing keeps on happening sites will just have to start offering HTTPS for all communication. The dodgy ISPs will have lower cache hit rates and higher demand for external bandwidth, but they will have done it to themselves.
If only browsers would FINALLY include support for HTTP+TLS and for TLS upgrades, encryption could even be done transparently to the user.
All I see is "Local ISPs cure cancer. All hail SBC!"
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
as long as the ISP is paying me to download their ads. If I'm on the connection for 5 hours per week average, and using an average of 22kbps for that 5 hours, and it costs me about 11 dollars per week for service.
22 x (5x60x60=18000) = 396000 kb
if they force me to download one 75kB ad per page, say once per minute, that would be (5x60x75x8=180000 bits or 180kb)
180 kb / 396000 kb = 0.0454545% OR $0.50 per week.
That would mean lowering my bill by an estimated average of $2.00 per month.
For that to happen requires three things:
1 - Agreement that they are using MY bandwidth
2 - That this bandwidth has some value as shown
3 - That they should pay me for it.
Once we start bartering for the actual value of my time to look at their ads... well, my time is expensive, especially when you are using MY bandwidth.
So, if you want to force me to look at your ads I will damned well expect a service fee of $5/month total cost for my internet connection.
Guess that will never happen so the other option is NO MORE FUCKING ADS, thank you very much.
NOW we know why some ISPs are claiming that some people use too much bandwidth? Perhaps this whole question of who uses what bandwidth should be reviewed with some transparency for the public.
That's just poor business. WTF ever happened to 'service is king' in American business? If you provide a damned good service people will be willing to pay damned good money. ?????
Support NYCountryLawyer RIAA vs People
I was thinking of the same thing. Trying to wrap my mind around it.
The best analogy I can come up with is a kid delivering newspapers. You THINK the kid is just delivering the newspaper to you, but he is instead cutting out the advertisements (or god knows what else) and inserting his own client's advertisements while being paid for it.
Now of course, unlike a newspaper, a website does not get paid for the advertisements up front. So I cannot see this as anything other than stealing. We can argue the technicalities to death here, but the EFFECT is that the website was denied revenue from their ads, while the ISP gained ad revenue for themselves. Your question of compensation is interesting, but how could one gauge what that potential compensation could have been? Assume the individual would have clicked all the replaced ads on the page and then multiply for punitive damages?
I don't know about copyright violation as a complaint from the newspaper being a viable method to protect themselves. Is there legal protection afforded to websites that states the entire website must not be altered in any form during transit? Like I said I dunno.
What I find more foreboding is that you can no longer trust the "messenger". These ISPs absolutely MUST lose their common carrier status, since I believe that any ISP must remain impartial to the data being transmitted across its networks to have that status. Injecting advertisements into web sessions could not possibly be considered impartial. They have a direct financial motive to do so.
In order to protect their advertisement revenue streams websites may have to resort to strong measures, like encapsulating ALL of their traffic with HTTPS. That is just ridiculous.
I am sure that the proponents of Net Neutrality are going to enjoy their nice new shiny bullet.
tell us something we don't know http://tech.slashdot.org/article.pl?sid=08/04/07/1457218 http://yro.slashdot.org/article.pl?sid=08/03/29/2217231 http://tech.slashdot.org/article.pl?sid=08/03/27/149253 http://yro.slashdot.org/article.pl?sid=08/03/25/035200
Orbis terrarum est non altus satis
When will this zombie...er, urban legend die (at least in the US?)
... and that was a ruling by the US Supreme Court.
... so DSLs don't escape either.
Cable Internet Service Not Common Carrier
Corollary:
FCC Reclassifies DSL, Drops Common Carrier Rules
I'm not rooting for this, but we need to try harder for an actual solution rather than seek the unicorn of a "solution" that didn't/no longer exists.
Please!
My sites charges for advertising -- it is NOT free. If an ISP inserts ads into my pages, then I expect to be properly compensated for them.
If an ISP starts inserting ads of my competitors on any of my web sites, that would be totally unacceptable behavior.
Does this occur when a client's ISP passes traffic from my host to the customer's client? If so, I don't know how I could monitor that or even detect it unless the client user notified me.
I'd like to hear more on this subject.
Banjo - The more I know about Windoze, the more I love *nix
All the huge communications/entertainment corporations and every government in the world have been trying for years to get control of the internet and make money off it/control it. It looks like the big push is on. The ISPs want to start throttling bandwidth and content, then raking in the cash from both ends. Governments have finally figured out that they can get what they want by bribery instead of just the threat of legislation, and so has the entertainment industry. They're all on the same page now, and all of us are squarely in their gun-sights.
It's time for those of us who value what we have here to wake up and start fighting back. The pressure is bound to get intense, and it's going to come from a lot of places. There's too much money to be made and too much power to be had in controlling the flow of information to a huge portion of the world's population.
I don't know whether the solution is technological, legal, some combination, or something completely different (like massive displays of civil disobedience, for example). But I'm utterly confident that if people don't start fighting back, we can all kiss access to unfiltered information goodbye.
And that will be a very, very dangerous thing.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Commies as in Comcast?
How many fulltime jobs can one man have?
We often complain about the efforts made by China and others in blocking Internet content. But how does this compare to modifying the content? With blocking you know it is blocked, but with modified content, can you tell? The ISP might say that it just puts ads on the pages, but would you trust it? Having a secret ISP framework for modifying content is a disaster waiting to happen. Personally, I think the web should go https.
I demand the Cone of Silence!
The ISP's surely have lobbyists...perhaps it's time website owners band together and hire their own lobbyists. I own a medium sized site, I'd get on board assuming we could all agree on things.
The reason they're so against it is because they're already VIOLATING it! If net neutrality laws/policies came to be the ISPs would have to change the way they conduct business now.
The toolkit requires you to run CGI scripts on your server to collect results, but we also have a web tripwire service that is easier to use (available on the same page above). Just add one line of JavaScript to your page, and our server will handle the integrity check and collect the results. We can then provide you with reports of the changes, much like Google Analytics.
We hope that by spreading web tripwires to other pages, we can at least deter ISPs from making further changes to web pages in-flight.
I'd say it's more like he's inserting flyers. TFA didn't mention anything about ISPs removing or replacing ads in web pages while in transit, just adding more.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
Just shut up already! Nobody gives a shit! If we wanted to use adblock we would!
Is injecting data into someone else's bitstream legal? IANAL, but I suspect this practice could very well run afoul of computer trespass and other anti-hacking laws.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
If you aren't encrypted, it could occur at any hop along the way. The good news is end to end encryption solves all sorts of problems :-)
The first hit is a thread on a BBS complaining about the web forum inserting _popupControl.
How many other problems caused by injection are being blamed on the wrong parties?
No, it is not flyers. Inserting flyers would be the ISP making a window pop up with ads (it still needs to modify the page to add the JavaScript). So the ISP is indeed messing with the newspaper and the content. So the analogy is correct. With flyers the newspaper content is not touched.
Gah. Two wrongs don't make a right.
And using the law as just some excuse to jail someone you don't like, even via some convoluted fallacy, is not how the rule of law was supposed to work. And not just from a moral right vs wrong point of view, but it also takes quite a bit out of the deterrence factor of the law and police. After all, if you know that (A) whether you get convicted or not depends more on whims, friends, or being in the wrong place at the wrong time, and (B) whatever you did, chances are decent they'll find a scapegoat to make an example of instead of finding you, that just says you have more chances to get away with something genuinely criminal.
We tried using spectacular shows of making an example of some bystander to scare the criminals. Heck, half of medieval justice worked like that, and the communist bloc kept at it until the bitter end. It doesn't really work well.
And in this case it would also create the precedent that _any_ content you serve can get you in PMITA state prison. There's nothing to say that only ISP-inserted ads can be demonized and victimized in your setup. Any site, regardless of whether it's serving ads, or is a free forum like Slashdot, or sells stuff on the internet, or is some company's web presence on the net, etc., could be hacked to serve malware, adware, spam, phishing, redirects to other sites, etc. Some of which, yes, porn or to porn.
So what do you propose? That if your company's site can be hacked like that, the CEO goes to jail? Well then how about we take that to the logical end then and give some responsibility in it to the guys who programmed those vulnerabilities too? Or to the admins who didn't secure the servers right? To the security teams who didn't find some glaring vulnerabilities? To the PHB's and developers who had an "auugh, those security guys are just bullies, blowing stuff out of proportion to make me look bad!" attitude and pulled all sorts of strings to get the severity rating lowered? To the beancounters who got a bonus for slashing the budget for security? To the controlling guy who insisted on hiring only the cheapest burger-flippers who had a crash-course in Java, as a cost saving measure? To the level 1 support monkeys who advised someone to disable his firewall and/or disable his virus scanner, just to install a stupid game or access some vuln-laden site? To the idiot who wrote that canned list of answers? Etc.
I mean, if it counts as "endangering the children" if you have some vulnerability that _could_ be used against children, then, seriously, there are a _lot_ of people who had a hand in creating that vulnerability, not just the CEO. That's a lot of jails we'll need.
You'll also notice that it just doesn't say "stop tampering with the sites". It just says that if you can be hacked, you can go to jail. So if you're sure enough of your code and your admins to be on the internet at all, then you're sure enough to mangle the web pages too. E.g., if you're sure enough that your ad server is secure enough to use it on your web site, then you're sure enough to use it in other people's pages too. After all, if it were hacked to serve kiddie porn, it would serve it on your own site too.
No. If it has to be stopped, it has to be a clear law and applied uniformly. The idea isn't even new. Any country has laws against tampering with snail mail. Make it illegal to mess with someone's electronics communications, and apply it impartially and uniformly.
A polar bear is a cartesian bear after a coordinate transform.
Now that you mention it, I do remember an ad asking for my "bodily fluids"
Great study, kudos etc, but one small heads up:
On visiting vancouver.cs.washington.edu (which you are encouraging people to digg and blog) I'm told that I have taken part in an experiment, many thanks, fait accompli - I'm not told (or at least, can't discover without extensive reading) what data has been gathered, whether it will be anonymous, whether I can opt to withdraw etc.
Do you see where I'm going here...?
I really don't think the UW guys are going to be abusing this data, and they're doing it to protect us - I'm not feeling particularly violated and, hell, I love the smell of irony in the morning - but what is sauce for the goose is sauce for the gander/if you're standing on the moral high ground it helps to be wearing appropriate footwear/people who throw stones shouldn't build glass houses (er, that's enough aphorisms...) - this sort of thing could be picked up by the bad guys to smear the research.
The page really should link to a front page explaining what they're doing with a large, friendly "yes - I want to participate" button.
(Speaking as someone who's just had to submit a long, silly ethical clearance form for a completely innocuous research project, presumably on the grounds that anybody planning to seriously abuse their experimental subjects would be honest enough to point this out on the form...)
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
The content on your machine is not altered in any way. Once you pass it off, you really have no say in what's done with it.
How is this any different in principle from the ad stripping software we've always had?
Oh geez, first, it is already in your terms of service that you agreed to when you requested the service. For example, I have Verizon DSL and theirs says, "Changes to Service or Features. Verizon reserves the right to change any of the features, Content or applications of the Service at any time with or without notice to you. etc." They state right there "content" and yours most likely does too. Besides, you have the right to cancel; that's included in the TOS too. Second, it is not copyright infringement because the companies are probably doing pop-ups, which is additional content, or somewhere on the page that was blank already, even if they changed it to put their ad at the top, and I doubt that the ISPs are replacing ads with theirs because that would be grounds for court, especially since a lot of sites are ad driven. Third, you already receive a similar system: your TV. Regular TV has almost always had them; additional cable promised they would not do it because you were paying for it and oops, they did it anyway. Did people notice or were they able to do anything about it? Nope. And premium channels would do it, but they already show enough of their own commercials. If subscribers go down, though, they may be forced to do it... Anyway, the internet is like the gold rush: companies do it to make money, or more money in this case, and they will keep digging till they find some.
This practice will probably end about the time a major corporation sees an ad for a competitor inserted into a web page. Purchasing a crypto accelerator and going 100% https seems like the only solution.
I think this is the same thing as if a paper boy were to take out ads, and/or add ads to your paper on delivery. I don't think the newspaper would be very happy with this result. I don't see how this is any different, and I don't think it should be tolerated as such.
Memory is deceptive because it is colored by today's events. - Albert Einstein
Why on Earth are we allowing anybody to read this traffic?
All new programs really need point to point encryption built in by default. As in, I want to design a new {whatever}: In programming I first decide how to secure the connection and encrypt the data. Second, I decide what I'm going to transfer, then the interface.
Post cards eventually led to folded paper with a wax seal to the letter inside a sealed envelope. Where is the same standard of privacy in Internet Clients that I expect when I mail something as simple as a greeting card?
Once Point to Point Encryption becomes the standard in all package design if the government wants to intercept and read my communications they'll have to do what the law says they have to do... Get a warrant. The same goes for my ISP or anyone else for that matter.
There's a reason all Internet use should be considered public. We're all shouting at the top of our lungs. Right now all they have to do is stand close enough to eavesdrop on a public communication that's out in the open.
Most of us on SlashDot are in the industry designing these Clients. Rather than complain, when you write your next Client why not design it securely?
-[d]-
Names are powerful.
If an ISP modifies a web page, they are tampering. Putting their own ads there is impersonation
If an ISP puts your IP at the top of a RST they generated, they are packet forging.
If an ISP examines the data portion of a packet they are reading your content.
If they change the header (other than decrementing TTL or doing NAT) they are packet tampering.
And if they say it's to enhance user experience they are lying
This is not my sandwich.
Actually, that would probably borrow some time for you, but still be the long and embarrassing road back to square one.
Duverger's law basically says that no matter from where you start, a simple plurality voting system devolves into a two-party system, given enough time.
So pretty much unless you change the voting system, you'll be back to two parties in no time. You could outlaw both existing parties, do what you will to media, etc, eventually two parties would again consolidate to the point of "yeah, but if you vote for the third guy, you're throwing your vote away."
A polar bear is a cartesian bear after a coordinate transform.
This violates two laws. First the ECPA. In order to modify a web page you have to intercept it. Ok, maybe the ISP can get out of this by getting you to waive this as part of your terms of service agreement. Further, even if you could catch them in the act and get the government to prosecute, the fines would go to the government. There is no Gold here.
Second, it violates the copyright act! The right to create derived works is one of the exclusive rights of copyright holders!
Dude, 99, i was visiting sites that were full ads from the ISP hosting your website, what would be different now, that they do this dynamically on the way to the end point user, instead of static inline in your code???
This violates two laws. First the ECPA. In order to modify a web page you have to intercept it. Ok, maybe the ISP can get out of this by getting you to waive this as part of your terms of service agreement. Further, even if you could catch them in the act and get the government to prosecute, the fines would go to the government. There is no Gold here.
Second, it violates the copyright act! The right to create derived works is one of the exclusive rights of copyright holders! Secondly, the right to create derived works is separate from the right to copy. So even though it could be argued that the author has waived the right to copy by putting the page on the web (you have to copy to display the page, and that is the purpose of the web), this does not waive the exclusive right to create derived works. I am sure that all the professionally created web pages have not waived their derived works rights. If this were the case, you would see non fair use knock-offs of professional web pages on the web all the time and you don't. Thirdly, the right to create derived works belongs to the WEB page creator, not to the viewer. The web page creator is not a party to the terms of service agreement, so the terms of service agreement can not waive this exclusive right! Fourthly, the copyright act has civil penalties. They range from $750 to $30,000. OK, if the judge goes for the low end this could be chicken feed. But not if you have a lot of counts! $750 times 10,000 counts is a lot of money. In addition the amount can go up to $150,000 if the infringement is willful, which this kind clearly is. In addition you get attorney's fees. Just to be on the safe side our troll could warn the ISP. They will probably stupidly ignore it, or they would not have set up this scheme in the first place. They probably think they are protected by the terms of service agreement. They are not.
Ok, let's set up the troll. We need to find or create a web page with a lot of traffic and it would be helpful if the author were sympathetic to the rights of computer users. Groklaw comes to mind, but I can not remember seeing any advertising there. Can anyone think of some good candidates?
Ordinarily, I am against trolls but this is an opportunity for the Good guys to profit from one! As well as reform some bad ISP behavior!
Commies as in common carriers.
What do you mean they cut the power? How can they cut the power, man? They're animals!
I honestly don't know how easy this would be to implement, but how about we start using a new meta tag on our web sites that contains a (dynamically generated) hash of the HTTP content for each page being sent (probably easier said than done). The client browser would then check against the hash with the content it received and notify the user in some fashion if the two hashes differ.
I know this would increase the resources needed for each and every page sent/received, but maybe (client side anyway) you could create a white list of sites that you want to verify that you are indeed viewing the unadulterated page (I.e., bank webpages, etc.).
SD
*Copyright violation is illegal without this step, but you can sue for a whole lot more money if it's registered.
(The "ol" tag seems to be broken. Please imagine the numbers.)
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
I concur that this will hurt those websites who use pay-per-click systems in a purely financial sense, but ONLY if the ads that the ISP is injecting REPLACE those already on the page. Simply inserting more ads would, in my opinion (and IANAL, by the way), only hurt the authors/owners of the sites with regard to brand confusion / defamation etc, and even then, only if the injected material is sufficiently random in selection that such contradictory adverts would make it onto the page. This MAY allow for suits against the injectors from this POV, but how do they go about identifying what ads were injected into their pages, when it can't be detected at their servers' end?
If the pay-per-click ads were REPLACED, on the other hand, then yes, there COULD be potential for a loss of income suit.
Non-pay-per-click advertising, though, would not have any scope for a loss of income suit as, if the model is that the website author/owner gets paid based on the number of times the ad was served, they won't notice any drop in revenue as their ad provider's ads are still being served (regardless of whether the injectors replace or simply add to them), despite the client end possibly not getting them.
At this point, however, I should clarify that I am a layman with regard to online advertising as it is something I've never used (either as a webmaster, or as a consumer). I see the ads (and yes... the volume on many sites can be infuriating, but I have enough software running on my PC that I can't be @r$s#d to add to it with ad-blockers. I run a pop-up blocker, but the ads that don't pop up, I've trained myself to ignore over the years!), but I don't click on them. If I want to buy something online... well... I'll look at the website of a retailer (either traditional brick-and-mortar or online only) that I've come to know and trust (usually by means of word-of-mouth / visiting their stores, etc), and when I can't find anything suitable on sites such as those, there's tried and tested [Insert your search engine of choice] to fall back on.
Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
When will this zombie...er, urban legend die (at least in the US?)
... and that was a ruling by the US Supreme Court. ... so DSLs don't escape either.
Cable Internet Service Not Common Carrier
Corollary:
FCC Reclassifies DSL, Drops Common Carrier Rules
IMHO the Slashdot titles are mistaken. The decision doesn't say they're not a common carrier. It just clarifies what type of common carrier they are.
So they don't have to provide wholesale access to their lines? Fine. Do/can they refuse to give their competitors a retail subscription? (Say: Covad opens an office somewhere they don't have their own net deployed and orders cable internet for it from Comcast. Does Comcast refuse to install it?) If not, they're still a common carrier.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way