Slashdot Mirror
Charter Is Latest ISP To Plan Wiretapping Via DPI
Charter Communications has begun sending letters to its customers informing them that, in the name of an "enhanced user experience," it will begin spying on their traffic and inserting targeted ads. This sounds almost indistinguishable from what Phorm proposed doing in the UK. Lauren Weinstein issues a call to arms.
Can someone tell me whether Charter is inserting any ads? If they are, I want to complain to the Attorney General and to my CongressCritters about felony copyright infringement.
"My opinions are my own, and I've got *lots* of them!"
This might actually fly. If some content owner starts a case, they could very well make a case for an "unauthorized derivative" under the copyright rules. Then ISPs or transits must take a license for all material they modify. I for one would not allow third parties to modify my HTML.
Some things call for the proverbial nuclear response: boycotts, lawsuits, all-out opposition. This is one of them. Once one of these corporations gets away with this, it's game over for those of us who want a corner of our lives that doesn't have some lying prick forcing his way into it to sell us something, spin the information we get and otherwise screw with our reality in a way that works to somebody else's advantage at our expense.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Now I think this is a grave violation of so many rights, but I wonder, does this make the service cheaper? Currently in Texas, for me, Broadband is about $30-40 for me, but if this service pegged the service down to say $10 a month, i'd opt for it. Past that, these people deserve better.
Maybe, if your 'call to arms' is any good. And being somewhat known helps too I guess http://en.wikipedia.org/wiki/Lauren_Weinstein_(activist)
I should hope at some point, that very theory will get tested in court.
Agree completely that for an ISP to change to contents of a page I request from a 3rd party is just plain wrong. What next, redirecting you from URLs critical of them onto URLs which sing their praises? Preventing you from reading about the services of competitors?
Modifying the requested data is way too invasive, but it seems to be consistent with the whole strategy of "monetizing what your customers do". What you want is irrelevant, you're just a revenue stream.
As has been said so often, I hope things like this cause the networks to lose anything resembling common carrier status -- right now, they're just a network, so whatever you send it up to you.
Cheers
Lost at C:>. Found at C.
Second, how is this any different than Google? They track my online activity then target me with ads that I might find interesting. Am I even given the option to opt out of Google ads? (serious questions, not flame-baiting)
OK, let's cut out the middle man here, and go straight to what Charter is saying:
Translated
So, tell me, how exactly is reading my packets that much different from "spying" on me? I expect my phone carrier to not listen to my calls to decide what inserts they should put into my next bill, because telcos are supposed to have an arms length relationship with your data.
This is not nearly as inflammatory and knee-jerk as you make it out to be. They actually are reading what you do.
And, for the record, it can't be "completely anonymous" if they know to put it into my web-page. They may claim that they can't tie it to you, but, if they know to give you an ad for Depends Undergarments, at some point, they decided that you needed to receive that targeted ad.
Cheers
Lost at C:>. Found at C.
For web content that doesn't need to go over SSL/TLS, I wonder about some way of having webservers sign the HTML of the get request with their SSL key, and cache that signature, so subsequent requests of that HTML page have almost no overhead incurred.
Then, on high volume servers that are not needing the security of SSL, the core HTML page that gets to the client can be verified (using the client's CPU time) if it was modified in transit, without the server needing to spend the CPU time for SSL's overhead. If the HTML doesn't match, then offer the user a mechanism to browse the site entirely using SSL.
The only issue is for dynamic content that can't be cached, this will add a cryptographic signing step for each page.
An example:
Someone browses www.foo.com
the webserver at foo.com grabs index.html, signs it with www.foo.com's SSL key, saves the signature in a cache that is reset if someone legitimately edits index.html on the server, then sends the web browser index.html and after that, index.html's signature, perhaps in OpenPGP format. After the first signing, all the webserver is doing is sending two files (index.html and the cached signature.)
The web browser compared the received index.html to the signature, and alerts the user if it was tampered with.
As for my stuff, for low volume web servers such as my home domain, I just automatically redirect the user to the SSL server, because that stops this problem cold. If an ISP is able to intercept SSL traffic, (especially with an EV certificate), they are so advanced at crypto, they deserve to be able to insert ads.
I have a feeling that it will only be a matter of time before not just ISPs that people are subscribed on, but large volume peering nodes will try their hand at inserting ads, so might as well just force as much traffic to SSL whenever possible now, although for high volume sites, this is far easier said than done.
a cookie? how would that work? the cookie would only be sent to the website that created it. how would they see the cookie when someone goes to a different site? are they still injecting something into web pages that points to their own site, to check for the cookie? that's still bad, bad, bad.
The following web site contains some scripts which do self-analysis/ checksum calculations to determinwe whether they have been interfered unlawfully with:
Corruption detection scripts
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
(1) I don't enter that kind of data over an unencrypted link.
(2a) Google tracks my online activity when I'm not using Google's servers?
(2b) Charter pays the site that's getting their "deep inspection" ads inserted?
Time to start using it... Even if you just sign your own certificates, thus making the whole thing completely vulnerable to man in the middle attacks, these ISPs would be guilty of rather serious violations of cybercrime laws if they started sending your clients fake SSL certificates. I.e, if you just want to prevent the ISP from doing this you don't even need a secure session, you just need one they can't interfere with without incriminating themselves.
Actually, no it doesn't. Not without permission. From what I recall reading about this a couple of weeks ago in a very similar discussion (subtle way of saying "I think this story is a dupe"), if I understand what is being done correctly, there are two parts to this:
There's a specific ad provider that is involved with this, and that ad provider agrees to allow the local ISP to replace its ads with more targeted ads in exchange for a portion of the resulting ad revenue. The ad replacement, therefore, is authorized by the ad provider, who in turn is authorized by prior agreement with the website publisher.
The dirty part is the deep packet inspection, not the modification of the data stream. Attacking the latter to try to stop the former is likely to get you nowhere.
Check out my sci-fi/humor trilogy at PatriotsBooks.
One wonders how easy it would be to make an FF plugin to just replicate the cookie content.
TTD Grah : That is how it works.
TTD Grah : That is how it works.
TTD Grah : The site will not pop up everytime you go online. I'm not even sure that makes any sense. Charter sounds like they never even told their employees what the new system was about and this guys is just making it up/quickly skiming some brochure while hes chatting. Thankfully Charter is not available where I live, however I'll bet ya this will be standard operating procedure here soon..
Well, our Privacy Commissioner is wondering that.
Cheers
Lost at C:>. Found at C.
IANAL, I am not a copyright expert, etc.
With the "deep packet inspection" technologies, conceivably ISPs can just replace, in real-time, our Google AdSense pubisher IDs with their own.
Increasingly, I'd expect https sessions will be necessary for sites with any form of confidential information - not just sites with more sensitive financial, social security or other higher sensitivity levels. Consider that the ISPs are leveraging confidential session information to exploit the web sessions elsewhere. ISPs are also harvesting web traffic data and selling it to others for data mining utility. As a visitor to google, yahoo, whatever, my identity and usage is confidential information of financial value. It's time encapsulation and encryption be utilized by these firms to protect that information - otherwise they'll see further encroachment and loss of revenue due to this technique.
I do find it reprehensible that any ISP would violate the integrity of traffic I've requested from its source. It's a sense of forgery through a MITM activity I have not consented to (oh I'm sure they'll put that language in my contract so that I do consent, but you get the point).
Well, the stance that the ISP is going to take is that they are acting as an agent of the user through rights granted to them in the services agreement. The ISP is exercising those rights when the packets hit their network. They are working under the auspice that since the user has rights to alter how the copyrighted material is rendered, they can transfer those rights to ISP.
The ISP is making a second assumption, and this is the crux of the argument, that there is no material difference between changing how the HTML is rendered on the actual client and having the materials to be rendered changed slightly upstream on the ISP's network. Since the service agreement gives the ISP the ability to act as the end users agent in this matter, they will argue they are offering a service to the end user by pro actively changing packets in a manner allowed them.
The service agreement says something to the effect of "since I am using your service I also state that I would like more commercials." If an end user so chose to, they could literally insert code on their client that would serve them ads in any web page they viewed. This would be within their fair use rights, roughly the same as me choosing to put coupon pamphlets in between pages of a book I bought and am going to read. The ISP is arguing that this fair use right is transfered to them through agreement and they are just exercising this fair use as an agent of the end user.
Its a lot of bullshittery, but they may be able to pull it off under the auspice of fair use.
I currently work for a cable company that is setting up this same kind of system. The only people that know what ads are being replaced are the people controlling the ad server, which is not the ISP. We (the ISP) are being paid to set up a black box that we will route ALL port 80 traffic through. Unless you opt out, which I'm not even sure will work properly. So the ad people can be doing all kinds of things with that data. Granted, they can't link the IP Address to a customer since they have no access to our provisioning server (and I'm pretty certain every last one of us Systems Engineers would quit before allowing that to happen). But they can be doing whatever they want with that traffic and we are none the wiser. Its such a black box, the ad company does all the monitoring on the black box. We are apparently the only company that even requested that we be allowed to monitor up/down and traffic status. The real problem is that we are setting up this extra router (it is another layer 3 hop) that also acts as a server and will delay any port 80 traffic. And we're pretty much allowing them full access to do as they will with the hostage packets. We're not checking. And if someone isn't happy with what their site looks like, we'll probably just route that one around the server, still pushing everything else through. I hope Google employees are checking their AdSense images to make sure that ads are actually from Google and that they are paying Google. As shady as this whole thing is, I expect that we will have legit ads removed, but leave the 'src' of the 'img' tag.
Nice! The link mentioned in the Opt-Out section isn't even a link, you have to copy/paste it!
They've done every little stinking petty thing to make this just a little bit harder for people to opt out of it.
And, it's a cookie! You use Firefox and opt out, ok(assuming you even keep cookies!). Your roommate/spouse/family uses another browser? Guess what, they have to opt out too. And if you regularly clean out cookies, you need to go back and re-opt out.
No way to opt out at the subscriber level. Geez.
"They are not interfering with your data. What they are doing is interfering with their subscribers requested copy of that data. Their subscriber has the right to render the requested HTML in any way they see fit."
The difference here is that the end user is deciding how the html will be _rendered_, which is not in any way altering the packets themselves. The ISP should not have the right to manipulate the data coming into my browser. When the ISP does that, they are taking the choice out of the user's hands.
To use your book analogy, the bookstore is altering the book and selling it to you without letting you know what changes have been made.
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
....Can someone tell me whether Charter is inserting any ads?....
If an ISP or a phone company monitors the content of a transmission, don't they become responsible for the content? Does that mean they are no longer enjoy protection from lawsuits as carriers of information have had all these years? If someone plans a crime using the phone, the phone company is not held responsible, since they don't monitor the conversation. They only provide the channel.
If an ISP DOES monitor the information, they are doing more than providing merely a channel and could theoretically be held responsible for all content that traverses their lines. If that actually happened, ISPs would quickly back off from such hare-brained content inspection and modification schemes. Maybe some rich person can hire an army of lawyers to sue an ISP for allowing forbidden porn traverse their network. Maybe, even a state attorney can try to make a name for himself.
All theory is gray
Oh, and they do offer an "opt-out" -- in the form of a website that you have to visit in the clear (no https), and fill in your information, resulting in... a cookie.
Which means that you now have to make sure to opt-out in every browser you ever use, including wget and lynx. Anything which doesn't support cookies is fucked. In particular, not everyone uses XML for AJAX -- some people use XHTML for their web services. And not all web service clients are browsers that you can stick cookies in.
And, for that matter, how are they checking the cookie? Only way I can think of would be to insert some sort of hidden iframe on every page, linking to their domain, which can then check the cookie. Therefore, even if the cookie is present in every appropriate HTTP request, they're still having to fuck with most of the internet to even be able to check that cookie.
So, to summarize: They offer "opt-out", but not really. And support net neutrality legislation.
Don't thank God, thank a doctor!