Charter Is Latest ISP To Plan Wiretapping Via DPI
Charter Communications has begun sending letters to its customers informing them that, in the name of an "enhanced user experience," it will begin spying on their traffic and inserting targeted ads. This sounds almost indistinguishable from what Phorm proposed doing in the UK. Lauren Weinstein issues a call to arms.
So if I blog something, and title it a 'call to arms', am I suddenly relevant too?
I want to delete my account but Slashdot doesn't allow it.
Someone needs to tell Charter that you don't "enhance" suck.
The enemies of Democracy are
Does that mean that the ISP will be altering the copyrighted material sent by the websites? Surely this would create an unauthorised derivative work?
ISPs that modify HTML content going over their network are scummy operators. It breaks web pages, it denies revenue to the websites, and is unethical in so many ways.
Now that a precedent has been set, I plan to examine and modify the direct deposit traffic found on the network. Just a few simple modifications, change the account number, add a few zeros to the amount, simple things like that.
Wonder when someone will figure out that their ad is being replaced by something else and sues?
Here is a project idea then, somebody start up a project to write a Firefox plugin that detects the inserted ads from Charter and either filter them out or replace them with something else.
As a Charter customer I can tell you that this comes as no surprise at all. They are shady as hell and their local offices are havens for the inept.
The McDonald's Corporation has begun sending letters to its customers informing them that, in the name of an "enhanced user experience," it will begin using cat poo on their hamburgers as condiments and inserting...
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
The "enhanced user experience" is nothing more than a smoke screen to spy on you, and get more ad revenue for their own personal gain. It's utter bullshit. Recently Cox Communications implemented nationwide DNS poisoning similar to what VeriSign does on domains it can't resolve.
http://support.cox.com/sdccommon/asp/contentredirect.asp?sprt_cid=e047dc81-18c4-485f-bcf3-1263d0b7b904
How to opt out of the "enhanced user experience"
How does injecting ads into my browser "enhance" my experience? Give me more fucking bandwidth you money grubbing cheap fucks, and that MIGHT enhance my experience.. I hate them.
Some things call for the proverbial nuclear response: boycotts, lawsuits, all-out opposition. This is one of them. Once one of these corporations gets away with this, it's game over for those of us who want a corner of our lives that doesn't have some lying prick forcing his way into it to sell us something, spin the information we get and otherwise screw with our reality in a way that works to somebody else's advantage at our expense.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Now I think this is a grave violation of so many rights, but I wonder, does this make the service cheaper? Currently in Texas, for me, Broadband is about $30-40 for me, but if this service pegged the service down to say $10 a month, I'd opt for it. Past that, these people deserve better.
This new system seems very similar to Phorm, so here are details. The Phorm "Webwise" System - Richard Clayton. Seems you can avoid being monitored by blocking Phorm's cookie.
Reduce, reuse, cycle
Firefox add-in to block Phorm.
Reduce, reuse, cycle
The only way this will be any good is if any, or all, of the following are true:
1: You can opt out.
2: Your ISP has gone to an ad-supported model that results in a drastic reduction of your monthly fees.
3: They are providing you with extra bandwidth free in order to carry the extra traffic they're generating to you (and not counting it against your usage caps).
Otherwise give them hell until they back off!
One is left to wonder how long before they start actually replacing ads on other sites with their own ads. After all, gangsters like this hate competition. Making you pay to get their ads, however, really sux!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Margaret Thatcher and Stephen King on the same day? What are the odds?
In a few days you could afford that 800,000 dollar DPI machine and automate the process. Within weeks all the world's wealth will be yours! I for one welcome our slashname3 overlord...
As a Charter customer I guess now is the time for > ssh -D 9999 me@myserver.com
If anyone is using charter (or just suspicious of things), please visit our tripwire server:
http://vancouver.cs.washington.edu/, to (hopefully) detect in-flight page changes.
Test your net with Netalyzr
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
I'm not trying to troll here but these questions will surely sound like it.
Now copyright infringement is a major deal? So the RIAA was on to something when they decided to try to protect their copyrighted materials after all?
You're nothing; like me.
MP3s in the incoming folder? "Charter put them there."
Child porn in the cache? "Charter put it there."
Nuclear weapon plans in email? "Charter sent it."
Seriously, WTF are they thinking? Do they really want to be named as co-defendants in every criminal or civil case brought against their customers? Because if they modified my incoming data and I was later called in to account for anything, you can bet my first line of defense would be to blame it on them.
Dewey, what part of this looks like authorities should be involved?
Second, how is this any different than Google? They track my online activity then target me with ads that I might find interesting. Am I even given the option to opt out of Google ads? (serious questions, not flame-baiting)
Isn't inserting ads into pages creating unlicensed derivative works and subverting revenue ala Gator back in the day?
I don't think anyone will argue that the RIAA shouldn't be upset that people are giving away their product for free. What people are upset about is that they are demanding extremely high fines that don't fit the crime. Where it should be a warning, or a small fine of perhaps $100, they are destroying people's lives entirely. The punishment does not fit the crime, which is the problem.
....and the thought of that scares me. It got the attention of another blogger who sees this as a slippery slope in Canada since Bell Canada uses DPI to throttle users:
http://itnerd.wordpress.com/2008/05/13/charter-uses-dpi-to-spy-on-its-users-canada-are-you-paying-attention/
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I don't see how they can inspect content like this and retain their common carrier status.
For web content that doesn't need to go over SSL/TLS, I wonder about some way of having webservers sign the HTML of the get request with their SSL key, and cache that signature, so subsequent requests of that HTML page have almost no overhead incurred.
Then, on high volume servers that are not needing the security of SSL, the core HTML page that gets to the client can be verified (using the client's CPU time) if it was modified in transit, without the server needing to spend the CPU time for SSL's overhead. If the HTML doesn't match, then offer the user a mechanism to browse the site entirely using SSL.
The only issue is for dynamic content that can't be cached, this will add a cryptographic signing step for each page.
An example:
Someone browses www.foo.com
The webserver at foo.com grabs index.html, signs it with www.foo.com's SSL key, saves the signature in a cache that is reset if someone legitimately edits index.html on the server, then sends the web browser index.html and after that, index.html's signature, perhaps in OpenPGP format. After the first signing, all the webserver is doing is sending two files (index.html and the cached signature.)
The web browser compares the received index.html to the signature, and alerts the user if it was tampered with.
As for my stuff, for low volume web servers such as my home domain, I just automatically redirect the user to the SSL server, because that stops this problem cold. If an ISP is able to intercept SSL traffic, (especially with an EV certificate), they are so advanced at crypto, they deserve to be able to insert ads.
I have a feeling that it will only be a matter of time before not just ISPs that people are subscribed on, but large volume peering nodes will try their hand at inserting ads, so might as well just force as much traffic to SSL whenever possible now, although for high volume sites, this is far easier said than done.
"Second, how is this any different than Google?"
You can choose not to use Google. You know up front, before you use their site, what Google does. You either decide if the loss of privacy is worth it or not, and then choose appropriately. You can use any number of competing search engines.
But most places have no more than three choices of broadband access, with expensive satellite connections one of them. In reality, if customers really won't stand for Charter's actions on this, it means changing their ISP to whoever their local DSL provider is.
I'm fairly sympathetic to ISP companies trying to get the most revenue out of customers in different ways, as long as it's not a matter of forcing something on customers... after all, those networks, with a lot of physical infrastructure, in addition to network administration and staffing, cost a lot of money to set up and operate. And these companies are for-profit businesses, after all, not charities. But this goes way too far. This isn't just violating a customer's privacy. That's too simple. It's violating their very user experience. Not what I'd call "enhanced" at all.
Look at an analogy from the old phone company days, pre-Internet. Imagine talking on your phone to friends or family about, oh, say a camping trip, and then having an operator break into your conversation to sell you tents and sleeping bags. Not only would it annoy the hell out of you, you certainly wouldn't like the idea of always having an operator listening in on you during every phone call.
This is going to be a situation where my Congressman and Senators and various FCC functionaries get letters from me. This crosses the line.
Life is hard, and the world is cruel
I went to Charter's contact page and selected the option to chat live with a Customer Care Representative:
You have been connected to TTD Jomar
Me: I just read an article stating that Charter has begun sending letters to its customers informing them that, in the name of an "enhanced user experience," it will begin spying on their traffic and inserting targeted ads. Is there any truth to this?
TTD Jomar : Thank you for contacting Charter High Speed Internet Technical Support. My name is Jomar. How may I assist you today?
TTD Jomar : I'm so sorry, but this is already beyond our scope of support. Please call 1-888-438-2427 for further assistance.
Me: Thank you.
TTD Jomar : Again I apologize for the inconvenience you've experienced, but if there is anything further I can help you with please, let me know.
That kind of response doesn't sound like "Customer Care" to me.
Anyway, I called the number and spoke to someone who didn't have a clue what I was talking about. He transferred me to someone else.
The second phone rep said she hadn't heard about the new "enhanced user experience" feature, so she put me on hold to ask someone else. After she came back on the line, she said that she wasn't able to find out anything about it, so said to go to charter.net to stay informed about new features and services.
Naturally, there doesn't appear to be anything on Charter's site about the new "enhanced user experience."
the JoshMeister on Security
When ISPs can actually MODIFY data that does not belong to them, a SERIOUS boundary has been broken.
It's like the telephone company talking in place of someone on the phone.
"Hey mom" "Hi Mike, how are you?"
becomes:
"Hey mom" "HI MIKE, GET VIAGRA NOW FOR $3.99/20mg!"
2 actually,
1. Mail them a letter and tell them no, I do not agree with your data sniffing
2.
HOSTS file...
find the charter server(s) info point to 127.0.0.1 or other ip of your choice...
then have a script that files an electronic version of a small claims suit
on the IP address. Each ad replacement would be its own cause of action.
then surf away...
spammer.charter.net
got.screwed.by.charter.net
and so on...
-- I am the NRA, enough said...
I'm astonished. How is this any different from the postal service ripping out all the magazine ads and replacing them with their own ads before they get delivered to your house?
With the "deep packet inspection" technologies, conceivably ISPs can just replace, in real-time, our Google AdSense publisher IDs with their own. Or, they could simply replace the Google AdSense Javascript snippet with something else.
I would hope that Google and other large advertising networks lead the charge against this, and that they are not partnered with any ISPs involved in this activity. A large class action lawsuit on behalf of publishers might slap sense into any ISPs using this "enhancement" to steal revenues from legitimate publishers.
I've often wished that Google would let me use SSL to access their services. Looks like this might provide them some motivation to do so. JP
In Reason We Trust
What adverts? I don't see no adverts. Do I need to install Windows to get the full user experience?
Excuse me, but please get off my Pennisetum Clandestinum, eh!
So the end game is this. If I as a web site operator don't want anyone stealing my ad-revenue, or messing with my content all I do is add an SSL cert to my web page for $20-100 per year and a little more server meat and boom, $500K for that neat DPI box they just bought has an ROI of 0%. Let them try to decrypt 80GPS in realtime for $500K.
A representative will be with you shortly. You have been connected to TTM Mike .
TTM Mike : Hi this is Mike from Charter. How may I help you today?
Robert Hafner: I read an article online, and then followed it to the Charter webpage, which states that Charter is going to be monitoring my surfing habits and placing ads into pages I'm viewing. I am wondering how soon this will happen to me personally.
Robert Hafner: http://connect.charter.com/landing/op1.html
TTM Mike : I do apologize but let me transfer you over to our internet support line.
TTM Mike has left the session.
Please wait while we find an agent from the CHAT - DUMA - HSD Support department to assist you.
You have been connected to TTD Grah .
TTD Grah : Hi, this is Grah. Thank you for contacting Charter's High Speed Internet support. How may I be of assistance to you today?
Robert Hafner: I read an article online, and then followed it to the Charter webpage, which states that Charter is going to be monitoring my surfing habits and placing ads into pages I'm viewing. I am wondering how soon this will happen to me personally.
TTD Grah : One moment please.
Robert Hafner: http://connect.charter.com/landing/op1.html Contains the information
Robert Hafner: that I am basing this question off of.
Robert Hafner: As well as http://consumerist.com/5008801/charter-to-begin-tracking-users-searches-and-inserting-targeted-ads
TTD Grah : Yes, that is our new update.
TTD Grah : One moment please as I download the document.
TTD Grah : Charter has formed a partnership with an industry-leader in online advertising, NebuAd (www.nebuad.com). NebuAd, through their advertising network, will display targeted advertisements to Charter High-Speed® Internet customers while they are surfing the Web. NebuAd does not collect and use personally identifiable information to deliver advertising. Customers will not see more ads - just ads that are more relevant to their interests that have been expressed through their web-surfing activity.
TTD Grah : The feature will be activated automatically for Charter HSI customers beginning in June 2008 in the following four Charter markets:
Newtown, Connecticut
Fort Worth, Texas
San Luis Obispo, California
Oxford, Massachusetts
Robert Hafner: So the ads are placed directly into websites I would normally view?
Robert Hafner: How do I opt-out for an entire household, with multiple computers and browsers?
Robert Hafner: Currently the only way to opt-out is by placing a cookie under each browser of each account of each computer, which is absolutely insane.
TTD Grah : The technology can actually often distinguish between different users on a shared computer and, therefore, can serve different ads to different users. Only a portion of the ads you see will be a function of the enhanced service - you will still see some ads that are served based on other criteria.
Robert Hafner: The question was where are those ads being placed - are they replacing other ads on websites, for instance?
Robert Hafner: And if so, how is the owner of the actual website going to be compensated?
TTD Grah : This site may appear depending on what are you trying to view online.
TTD Grah : This site will give you options on what to have according to what you need.
Robert Hafner: What site are you referring to?
TTD Grah : Say for example, you are surfing because you wish to purchase shoes online, this site will pop up and give you options to choose from.
TTD Grah : That is how it works.
TTD Grah : That is how it works.
TTD Grah : The site will not pop up every time you go online.
Robert Hafner: So this only affects my traffic to
According to the letter I got you can opt out. The FAQ is here http://connect.charter.com/landing/op1.html
It *seems* to be well dodgy nevertheless. I am still waiting for FiOS then I am gone...
Stephen King died again?! He just keeps dying and coming back to life and dying and coming back to life...
Well he is Stephen King after all.
1 in 133,225?
That is all.
When asked for comment, Old Scratch replied "Screw you, Smidge! Don't go trying to pin this one on me! I have SOME scruples!"
=Smidge=
(1) I don't enter that kind of data over an unencrypted link.
(2a) Google tracks my online activity when I'm not using Google's servers?
(2b) Charter pays the site that's getting their "deep inspection" ads inserted?
Time to start using it... Even if you just sign your own certificates, thus making the whole thing completely vulnerable to man in the middle attacks, these ISPs would be guilty of rather serious violations of cybercrime laws if they started sending your clients fake SSL certificates. I.e., if you just want to prevent the ISP from doing this you don't even need a secure session, you just need one they can't interfere with without incriminating themselves.
Well, they don't have your HTML. They have a copy of your HTML.
Your original HTML is still residing on the server where you put it. They are not interfering with your data.
What they are doing is interfering with their subscriber's requested copy of that data. Their subscriber has the right to render the requested HTML in any way they see fit. They can use a different CSS file that resides on their box or some other network location. They can choose not to render graphics, flash, or allow JavaScript to run.
The provider, being in contract with the subscriber, is allowed to act as their agent while the packets are being transmitted over their part of the network. During this time, the ISP exercises that contracted ability, and injects code into the packets.
The ISP will tell the subscribers that this right is part of the contract, and if they don't agree to it - they don't get service. The ISP will also tell you to shove it up your ass - you can refuse requests made from their subscribers if you don't like what they do on their network.
According to your stance, the end user doesn't have the right to modify your HTML from what was intended. This, ironically, is the same exact stance that internet marketing companies take when confronted with browser plug-ins that effectively remove their code. Unfortunately for us, we can't have it both ways. Either we are allowed to alter how the packets are rendered, allowing us them to inject into packets due to powers granted them by their user terms and conditions, or they cannot - setting a precedent that would open the floodgates to client side packet altering and rendering changes.
Another point of argument they are going to make is that they aren't messing with your copyrighted web pages because they aren't distributing it without permission. When a user makes a request for your page, and your server fulfills that request, you have distributed the materials yourself. They are merely making a "derivative work" from that material.
I'm not saying I'm down with this at all. Frankly it's a scummy tact and I hope their business dies. But this is what they are going to argue, we should get ready for it.
The https protocol is fundamentally broken because of a serious flaw in the way it was designed. It is impossible to use virtual hosts with separate certs via https. This has pretty significant ramifications in terms of the number of additional IP addresses it would require for everyone to switch to https.
The alternative, of course, would be for the HTTP protocol to be redesigned to either A. allow an unencrypted request containing only the host part to be followed by a switch to an encrypted stream on the fly or B. allow an encrypted request with a generic host key to be followed by a switch to the host key of a specific VHOST on the fly after identifying the host but before making the actual request. Unfortunately, both of these are completely upside down from the way the HTTP protocol works, which sends the most specific request data first, followed by the host data. This is because support for VHOSTS was basically hacked onto the HTTP standard. Poorly.
While such a thing would be nice in theory, in practice, unless we move to IPv6 first, it isn't practical.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Living in an area around St. Louis, MO wherein Charter is the only broadband ISP that carries service in the area, many of my neighbors along with myself are forced into choosing between Charter and dial-up services. Charter throttles its traffic at strange times in the day, grinds traffic to a halt at strange times for seemingly no reason, and provides its customers with very vague answers or none at all. This is not the way an ISP should treat the customers. Charter is a monopoly ISP in my area and we all suffer for it. This new information regarding DPI is no surprise to me. Just another lousy thing that I have to deal with now. :(
I've just called and canceled my Charter subscription today. I'm not even in the affected areas, I just wholly disapprove of my Slashdot addiction being monitored. Plus, I pay 150 bucks a month and don't even get HBO... I hope ATT is more in tune with their customers.
Might be cheaper to hire lawyers. I don't know. But it is probably going to be Google and everyone else whose content is violated by Charter that stops them rather than customers complaining. The hubris of cable companies is legend.
In Reason We Trust
Ya, I don't want to see *any* ads, unless I choose to look for them. I want to surf the Internet "as it is", without any "help" from Charter trying to "enhance my enjoyment".
I understand that vendors want an Internet presence, and many want it done cheaply, meaning Ad supported. But the Internet isn't really about advertising and selling things, it's about Information (which may include the former).
ISPs and Vendors, please stop trying to turn the Net into an interactive version of broadcast TV. If you can't make money without interfering, then go away.
It must have been something you assimilated. . . .
I don't use Google, yet they seem to have no problem inundating my web experience with ads.
If you don't like the site you visit using Google Ads, tell them that. When they come back and tell you that they're paying for the site with Google Ads, see if that helps clarify the difference between Google Ads and Charter Ads.
*#$%!#$!!!!
Why can't a major telco just sell a friggin' PIPE?!?!?!
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
There's going to be major problems with this, depending on how it's set up.. If they start replacing ads on pages, Google or other Ad-serving companies will definitely sue (as they are subverting their advertising revenue; akin to your local TV station replacing SuperBowl ads with their own). If they are inserting their ads into a page without actually replacing other content (ads or other) they get into content issues; they don't have the right to monetize content that they do not own.. However if they actually become an ad-serving company (other websites to have their ads served by Charter) this could be viable.. Only due to their large subscriber base.. Privacy issues aside, of course..
I suggest you do the same.
"My opinions are my own, and I've got *lots* of them!"
Obviously this is a "bad thing" but I predict "good things" for consumers out of this. Consumers will learn they can avoid extra ads by using https. Content providers will learn they can improve their customer's experience by removing ISP ads by using https. Sites will have to have signed certificates, and users will have to import them. Phishing ends (well of course not because of Cook's Law) and the web becomes a much safer place, because no more unencrypted traffic!
And seriously -- we've got the bandwidth -- why not encrypt it all now? Maybe not mobile bandwidth, but ok, we'll live. Maybe this is the draconian kick in the ass we need to get more serious about our own privacy??
Nothing great was ever achieved without enthusiasm
I'm rather more trustful of Ars Technica's coverage: http://arstechnica.com/news.ars/post/20080513-charter-enhances-internet-service-with-targeted-ads.html/
"My opinions are my own, and I've got *lots* of them!"
3. Ignore the not-insignificant additional load added by HTTPS.
HTTPS is an option, but not a very good one for this problem. something more efficient is needed, though i have no idea what.
upon the advice of my lawyer, i have no sig at this time
So create an RFC with the goal to provide multiple site protection from one Certificate.
They are computers. They do what we tell them to. We now have wildcard certs for things like *.yahoo.com.
How about a certificate which handles the company providing the HTTP server? One certificate which installs onto the server and delivers certificates for the specified hosts.
And don't tell me this is not possible -- read the first sentence.. I'm saying make it possible..
This means shared web sites can't make the switch to HTTPS just yet. However, those web sites that own a specific IP address can do it. The more that at least begin to use or allow HTTPS, the better.
Right now if you visit Slashdot's HTTPS URL it redirects you back to clear HTTP. That's where we need to start changing things. Someone who specifically wants their web requests in HTTPS where it can be delivered, should get it.
At least my page delivers in HTTPS, even if it is just a self-signed certificate that causes the browser to ask if you want to do this. I need to get a real signed certificate soon.
now we need to go OSS in diesel cars
Stephen King is obviously the last unknown cylon.
Method of processing duck feet
Because if they do, the only acceptable answer to this "opt out" bullshit is along the lines of "fuck yourself with both fists." If I pay an ISP and they start slipping ads into my data, they'll get dropped like a hot rock and there will be a flaming bag of shit on the local branch's doorstep the next morning.
If they're free, well, you get what you pay for.
Yeah, just got the memo too. I'm not too happy about it either, wonder if there is a possible way to make this more automated. Any coders have any ideas? http://www.nebuad.com/privacy/optout.php Is the place to download the cookie for all ISPs that are now using NebuAD.
Honestly, how damn hard can it be. Wrap the whole thing in something that'll send the desired host, STARTTLS and negotiate the SSL connection, then send the HTTP request once the SSL layer is established? This sounds like a SoC project to do on Apache, Firefox and Konqueror and hopefully the rest would follow.
Live today, because you never know what tomorrow brings
Saw this yesterday on hackaday. Looks like they're making a lot of friends.
http://www.xkcd.com/354/
With the "deep packet inspection" technologies, conceivably ISPs can just replace, in real-time, our Google AdSense publisher IDs with their own.
Increasingly, I'd expect https sessions will be necessary for sites with any form of confidential information - not just sites with more sensitive financial, social security or other higher sensitivity levels. Consider that the ISPs are leveraging confidential session information to exploit the web sessions elsewhere. ISPs are also harvesting web traffic data and selling it to others for data mining utility. As a visitor to google, yahoo, whatever, my identity and usage is confidential information of financial value. It's time encapsulation and encryption be utilized by these firms to protect that information - otherwise they'll see further encroachment and loss of revenue due to this technique.
I do find it reprehensible that any ISP would violate the integrity of traffic I've requested from its source. It's a sense of forgery through a MITM activity I have not consented to (oh I'm sure they'll put that language in my contract so that I do consent, but you get the point).
Server Name Identification in RFC 3546 is supposed to help with this, if it ever gets adopted.
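An added illustration, not part of the comment above, of the RFC 3546 server-name extension (Server Name Indication) it refers to: the client names the host inside the TLS ClientHello, before any encryption, so one IP address can pick a per-vhost certificate. The ClientHello bytes are constructed in code rather than captured, and the vhost table and function names are hypothetical.

```javascript
// Build a minimal TLS ClientHello record (constructed sample, not a capture).
// Pass null to build one without the server_name extension.
function buildClientHello(hostname) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const u24 = (n) => Buffer.from([n >> 16, (n >> 8) & 0xff, n & 0xff]);
  const name = Buffer.from(hostname || '', 'ascii');

  // server_name extension: list length, name_type 0 (host_name), name length, name
  const nameList = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]);
  const sniData = Buffer.concat([u16(nameList.length), nameList]);
  const sniExt = Buffer.concat([u16(0x0000), u16(sniData.length), sniData]);
  // An unrelated extension placed first so the parser has something to skip.
  const otherExt = Buffer.concat([u16(0x000b), u16(2), Buffer.from([0x01, 0x00])]);
  const extensions = hostname ? Buffer.concat([otherExt, sniExt]) : otherExt;

  const body = Buffer.concat([
    u16(0x0303),               // client_version
    Buffer.alloc(32, 0xab),    // random (constructed filler)
    Buffer.from([0x00]),       // empty session_id
    u16(2), u16(0x002f),       // cipher_suites: one entry
    Buffer.from([0x01, 0x00]), // compression_methods: null only
    u16(extensions.length), extensions,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16]), u16(0x0301), u16(handshake.length), handshake]);
}

// Return the host name from the server_name extension, or null if the record
// is not a ClientHello or carries no such extension. Throws RangeError when
// the record is cut short.
function extractSni(record) {
  let p = 0;
  const need = (n) => {
    if (p + n > record.length) throw new RangeError('truncated ClientHello');
  };
  const u8 = () => { need(1); return record[p++]; };
  const u16 = () => { need(2); const v = record.readUInt16BE(p); p += 2; return v; };
  const skip = (n) => { need(n); p += n; };

  if (u8() !== 0x16) return null;       // not a TLS handshake record
  skip(4);                              // record version + record length
  if (u8() !== 0x01) return null;       // not a ClientHello
  skip(3 + 2 + 32);                     // handshake length, client_version, random
  skip(u8());                           // session_id
  skip(u16());                          // cipher_suites
  skip(u8());                           // compression_methods
  if (p === record.length) return null; // hello without any extensions

  const extLen = u16();
  const extEnd = p + extLen;
  while (p + 4 <= extEnd) {
    const type = u16();
    const len = u16();
    if (type !== 0x0000) { skip(len); continue; }
    skip(2);                            // server_name_list length
    const nameType = u8();
    const nameLen = u16();
    need(nameLen);
    return nameType === 0 ? record.toString('ascii', p, p + nameLen) : null;
  }
  return null;
}

// Hypothetical certificate table for several vhosts sharing one IP address.
const VHOST_CERTS = new Map([
  ['a.example', 'cert-for-a.example'],
  ['b.example', 'cert-for-b.example'],
]);
const DEFAULT_CERT = 'cert-for-default-vhost';

// What a server does with the extension: choose the certificate before the
// handshake continues. Clients that send no name get the default vhost's cert.
function selectCertificate(record) {
  const host = extractSni(record);
  const cert = (host && VHOST_CERTS.get(host.toLowerCase())) || DEFAULT_CERT;
  return { host, cert };
}
```

Because the name travels in the clear, equipment on the path can still see which host a subscriber connects to over HTTPS, although it cannot read or rewrite the page.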
Now it's web serfing.
now we need to go OSS in diesel cars
That depends.
What may be going on is that the substituted ads only appear on web sites that contract with NebuAD to do this. The advantage to those web sites is they can make the ads more focused on your interests, which lets them get more ad clicks, and they split some of that increased revenue with NebuAD, which in turn splits some of it with your ISP for their part in doing the tracking of your interests. It's the tracking that goes beyond the web sites using NebuAD. Otherwise they would not need to get your local ISP into the act. Without your local ISP involved, they can still track you to some degree by having the NebuAD partner web sites share the data about your visits within their site. But to track all of your web serfing, they have to do DPI via your ISP (or by the previous methods which involved spyware on your computer).
I don't know if they plan to go beyond that and actually insert or modify ads on other web sites. If they do, then we do need to get the DMCA hammer out and use it hard. Cable companies are already aware of Mona's hammer :-)
It might still be useful to use the DMCA on the privacy invasion aspect of this. Any content acquired through DPI, if passed on to another party, does represent real copying of that content. It would be a hard case to argue, but maybe a really skilled lawyer could make the case stick. Note that while what you send to a web site could be copyrighted by you (and imply a license to the web site you send it to, to use it to deliver requested results), what that web site sends back can be copyrighted by them. So they may need to be in on the legal case.
One possibility is that a web site that uses another service for ads may end up having more focused ads (instead of having them inserted by your ISP) simply by that ad provider partnering with NebuAD. What is important is for us to come to understand exactly what is going on with all of this.
now we need to go OSS in diesel cars
They are going to have to do this carefully. Should they cause any variation in the rendering of a site I would assume it would be pretty easy for any site to file a copyright violation against this service.
1. Set up site. Take local image of screen.
2. Load site in a web browser on the ISP network.
3. If the browsed image does not match the local image, file and sue the ISP provider for violating the copyright of the original site. I.e., they took all of the original site, reproduced it but with some ads replaced.
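The comparison in the three steps above can also be made on the HTML itself rather than on a screenshot. The following is an added example, not part of any comment in this thread: it hashes the page as published and as received, and lists the resource-loading elements that differ. The sample pages and the `ads.injector.example` host are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that pull in other resources, and the attribute that names them.
WATCHED = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collect (tag, host, url) for every resource-loading element."""
    def __init__(self):
        super().__init__()
        self.resources = set()

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(WATCHED.get(tag, ""))
        if url:
            host = urlparse(url).netloc or "(same origin)"
            self.resources.add((tag, host, url))

def resources(html: bytes) -> set:
    parser = ResourceCollector()
    parser.feed(html.decode("utf-8", errors="replace"))
    parser.close()
    return parser.resources

def compare(published: bytes, received: bytes) -> dict:
    """Compare the bytes the site owner published with the bytes a client got."""
    before, after = resources(published), resources(received)
    same = hashlib.sha256(published).digest() == hashlib.sha256(received).digest()
    return {"identical": same,
            "added": sorted(after - before),
            "removed": sorted(before - after)}

# Constructed sample pages (not captured traffic).
PUBLISHED = b"""<html><body><h1>Widgets</h1>
<img src="/ads/house-banner.png">
<script src="/js/site.js"></script></body></html>"""

RECEIVED = b"""<html><body><h1>Widgets</h1>
<iframe src="http://ads.injector.example/slot?id=1"></iframe>
<script src="/js/site.js"></script>
<script src="http://ads.injector.example/track.js"></script></body></html>"""

if __name__ == "__main__":
    report = compare(PUBLISHED, RECEIVED)
    print("identical:", report["identical"])
    for kind in ("added", "removed"):
        for tag, host, url in report[kind]:
            print(f"{kind}: <{tag}> from {host}: {url}")
```

A hash mismatch alone only says the bytes changed; the added and removed lists show which elements were swapped, which is what a site owner would need to document.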
I've gone to eBay to look at weird random crap, and then seen ads for it elsewhere. One was Nissan Maximas, can't remember what the other thing was.
My ISP (Wide Open West) started doing this last week. They say they have no permanent opt-out, but I continue to pursue with them.
What I am curious about, since I use VOIP, are they breaking the law? Since they are deeply inspecting the packets, they have access to all of the data being transmitted in my phone calls. Does this break federal wiretapping regulations?
You say you want a revolution....
Anyone know of any decent alternatives to Charter in the Fort Worth area? The only other one I know of is at&t for DSL, and after the whole illegal wiretapping / spying thing I'm not eager to give them my money either. Is there (gasp!) a viable third option that I am unaware of?
When you lose something irreplaceable, you don't mourn for the thing you lost, you mourn for yourself. - Harpo Marx
Who's the chairman of Charter? Paul G. Allen, of Microsoft fame. Here's his picture. If any of you out there work in food service and Paul Allen happens to come into your establishment, remember to spit in his food. Strictly for "enhanced user experience", of course.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Websites could set up certs based on keys that are very low-strength (and hence easier to process). It would be enough to stop these advertising snoops and forgers.
Oh, and they do offer an "opt-out" -- in the form of a website that you have to visit in the clear (no https), and fill in your information, resulting in... a cookie.
Which means that you now have to make sure to opt-out in every browser you ever use, including wget and lynx. Anything which doesn't support cookies is fucked. In particular, not everyone uses XML for AJAX -- some people use XHTML for their web services. And not all web service clients are browsers that you can stick cookies in.
And, for that matter, how are they checking the cookie? Only way I can think of would be to insert some sort of hidden iframe on every page, linking to their domain, which can then check the cookie. Therefore, even if the cookie is present in every appropriate HTTP request, they're still having to fuck with most of the internet to even be able to check that cookie.
So, to summarize: They offer "opt-out", but not really. And support net neutrality legislation.
Don't thank God, thank a doctor!
Well, that, and the fact that the issue is often confused by people calling it "theft". It can be a bad thing without being the same as theft.
And the fact that they prosecute entirely the wrong people, with pretty close to zero evidence. It is troubling that they probably could just pick someone out of the phone book at random and find that they're sharing files, but we're supposed to have something called "due process".
Don't thank God, thank a doctor!
Oh, and there is a spec to allow multiple vhosts on the same address with SSL enabled. I can't help but wonder if that's really more likely to get universal adoption than ipv6, though.
But really, how hard is it to simply use the same domain? I generally see vhosts as multiple addresses for the same company -- mail.google.com, images.google.com, etc. And when they are, there's no good technological reason they can't simply move those subdomains into suburls -- google.com/mail, or google.com/images.
Well, alright, there is a good reason -- in the case of Google, those are likely different IP addresses -- but that completely negates the whole virtual host problem anyway.
Don't thank God, thank a doctor!
Many websites do not have SSL Certificates, they are not cheap or free (most of the time). Trying to browse this site on https bounces you back to the unencrypted version. And, it won't prevent you from getting ads, just from getting targeted ads.
It seems like everyone has surplus CPU cycles coming out of their ears. Why can't the servers just all start using SSL as standard on all URLs? Wouldn't that pretty much foil the spies?
This is not really true. There are multiple standards to solve this problem.
One is the TLS server name indication (SNI) in RFC 3546. This allows the browser to specify which VHOST it wants as it's setting up the TLS connection allowing the web server to give it the right cert.
Another approach is TLS-upgrade (RFC 2817). This allows a browser to make an unencrypted HTTP connection then upgrade to secure TLS (in the same way that encrypted SNMP and other protocols work without requiring 2 different ports). This will allow secure or insecure both over port 80.
The problem is lack of browser support (and to a degree lack of server support, but people would extend/upgrade their apache/IIS/etc installs for the added functionality *if* the browsers supported it). FF2+ and IE7+ support RFC 3546, and FF3 will introduce support for RFC 2817, but it'll be many years before browser share is high enough for public web sites to consider using it.
John
Would Tor assist in blocking this type of intrusion?
"Common Carrier" status is something the ISPs want, so they don't have to be held responsible for subscribers' actions. If they demonstrate the capability and willingness to monitor subscribers' actions, they abandon any safe-harbor provisions the law now gives them.
If I was the legal eagle of an ISP, I would grasp the Marketing Steph-equivalent in my claws and squeeze until he admitted this is a bad idea.
Well, apparently, you only have to fool the majority of people for a little while.
If my web page has hand picked ads on it that I get revenue from for click throughs, and Charter inserts ads into my page that offer similar or competing brands, I, as the website owner, can suffer financially. If Charter inserts ads that my visitors find offensive and they decide against using my service, I can suffer financially. If Charter inserts ads into my website and I have a contractual obligation to provide my users with an advertisement free environment, I could be liable (even if I could pass the buck in court, it would require a significant investment to do so).
If Charter wants to advertise on my website, they can contact me about licensing. To do anything else would be infringing on my rights. Although, I am not a lawyer, I do not know exactly what rights those are, but someone, somewhere has to have run into a similar situation and created some precedent in the US.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
How about Charter customers in these markets running programs during their computers' idle cycles that search for random keywords and visit random sites? If enough people do this the data they're collecting won't be very useful. Maybe this could be packaged as a Firefox plugin or a SETI@home style screensaver?
It may be they save that for residential customers. I would definitely have a problem with ad insertion for web pages viewed in our hospital.
HTTPS anyone? Yes, it's more overhead. But privacy always costs something.
I would have thought that part was obvious without needing to be said. After all, even if Apache didn't support it, you could just bind a separate instance of Apache to each IP address. AFAIK, the most common use of VHOST records is handling multiple server instances on one IP number. If you're going to provide separate IPs, you might as well use separate Apache instances and give each user full control over their Apache config file. Your users will certainly be a lot happier that way.
The point is that most smaller domains use VHOSTs because their hosting provider puts them and twelve other domains on the same server with the same IP. Using the same domain instead of subdomains can help solve the problem for big companies, though it means that instead of being able to distribute load through subdomains, you have to distribute it with load balancers and beefier server infrastructure. It doesn't work at all for randomfoo.org (or whatever) sharing an IP number with joebobsblog.net.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Oh, and I also thought my intended meaning was obvious from the very next sentence that said that this has important ramifications in terms of the number of additional IP numbers that would be needed....
Check out my sci-fi/humor trilogy at PatriotsBooks.
Only exception would be if load balancers are somehow cheaper if they only look at the hostname, and not the URL. Certainly, software balancers like nginx are trivial to configure either way, so that foo.com/mail/ goes to a separate cluster than foo.com/forum/, and so on.
Don't thank God, thank a doctor!
No, if I was in that situation, I wouldn't want termination rights. I'd want damages, and/or actually forcing reasonable service out of them.
Don't thank God, thank a doctor!