ISPs Inserting Ads Into Your Pages

TheWoozle writes "Some ISPs are resorting to a new tactic to increase revenue: inserting advertisements into web pages requested by their end users. They use a transparent web proxy (such as this one) to insert javascript and/or HTML with the ads into pages returned to users. Neither the content providers nor the end-users have been notified that this is taking place, and I'm sure that they weren't asked for permission either."

Suprise!

[dotHectate (975458)]

It's not like we pay them for our internet access or anything.

Oh wait, we do... crap.

Re:Suprise!

[Qzukk (229616)]

I thought my ISP was doing this but when I called to complain the helpful tech support person told me that the sites I was visiting must have added new ads to them, since they would never do such a thing. Thanks for reassuring me, John!

So, slashdot, why are you running 50 ads at the top of every page? I thought when I subscribed I wouldn't have to see these anymore, but since you don't have a friendly guy I can call to talk to about it, I'll have to assume you're trying to screw me over here.

Re:Suprise!

[pipatron (966506)]

Don't worry! Your Free Market(tm) will take care of this! You can always chose not to have internet, or lay your own fiber! Completely realistic options. It's not my fault you can't afford that. You should have started an ISP just like everyone else!

Re:Suprise!

[tha_mink (518151)]

Reminds me of how back when cable TV started up the idea is that you were paying for more channels and you wouldn't have to deal with ads. Looks like some things never change.

Actually, I'm more pissed as a content provider then I am as a consumer. How dare they! If I wanted advertising on my content, I'd put it there, and get paid for it. For me, this is totally stealing from content providers and not just annoying to consumers. I mean, isn't that like making money off of other peoples content? Wouldn't that be more like a telephone company forcing you to listen to an add before you place or receive a call? Imagine....

Phone rings and you pick up....

(You) - Hello? (Automated Hell) - Hello, this is A-T-And T, we have a call for you, but first, we'd like you to enjoy a message from our sponsors...
(You) - Click!

Fuck that! Stealing content...bullshit.

Re:Suprise!

[OnlineAlias (828288)]

I am pissed that they are even addressing my http stream through proxy. Technically, that is eavesdropping my session. Not to mention that just looking for the place to insert the ad will most certainly screw up many web applications. Once an ISP crosses this line there is no limit on what they can do. Things like feeding you a bogus SSL cert while making it appear perfectly legit and decrypting your traffic, redirecting entire web sites, blocking content without your knowledge...it goes on and on. The ISP even having this information in their logs starts a huge slippery slope.

Everyone, immediately call a lawyer and run away from any ISP that does this. You have been warned.

Re:

[phoenix321 (734987)]

I'm pretty sure, SSL was created *especially* to combat man-in-the-middle attacks. Inserting data in http streams at ISP level is no different than intercepting packets at TCP level and crafting some forgery in them.

I don't think you can use bogus SSL certs, IF you already use your own.

So my first and only advice to this "crisis" is

--> Use SSL-only web hosting for even the most basic set of pages. ---

With SSL-encrypted traffic no other node or ISP can ever know what's inside your packets and can therefor

DNS hijacking does allow defeat of SSL

[jmorris42 (1458)]

> To have a man-in-the-middle, all you need is a certificate signed by an authority that your computer trusts. The ISP can surely get that.

Give this man a cookie, or at least a mod point.

Once they manage to get your browser loaded up with a CA they control it is game over. Imagine, you type www.chase.com into your browser. Remember, THEY also operate your DNS. They resolve www.chase.com to an address they control and generate a certificate linking www.chase.com to that IP. Meanwhile their proxy server connects to the real https://www.chase.com/ [chase.com] and retrieves the homepage. Then their faked out server reencrypts the content and their inserted ad and sends it on to your browser which displays it with the lock intact.

This is what the various secure DNS proposals are intended to address. DNS hijacking allows almost any abuse in the higher layers.

Re:Suprise!

[N7DR (536428)]

I tell you, I am highly ticked off that, at least where I live, there's no way to get a broadband ISP who promises to deliver one thing: a pipe. That's all I want: a pipe. I can't be alone. Just give me a pipe and leave me to use it the way I want to. Don't filter my e-mail. Don't redirect my DNS queries. Don't disallow traffic to/from ports. Don't block pings. Just give me a pipe. What's so hard about that? Good grief, if you want to, you can even charge me extra.

I am almost always against laws (which are often worse than the ill they are trying to right), but it seems to me that there ought to be some sort of regulation that requires ISPs (since they are mostly effectively monopolies) to offer a transparent pipe for those who want to avoid all their obnoxious practices.

Re:Suprise!

[Timothy Brownawell (627747)]

Clearly you're not familiar with CALEA. They not only log your traffic, they store all the packets so the courts can request them later.

Um, how? Even a 10Mbit pipe is 108GB / day. So how much bandwidth does a typical ISP use, and where do they get enough storage to remember it all?

Re:Suprise!

[usurper_ii (306966)]

And let's just say that the ISP could save every packet from every user on the ISP...let's just think of the size of that porn collection. Think about...huge quantities of porn; a vast sea of it. The amount of porn that most slashdotters can only dream about.

Re:Suprise!

[kalidasa (577403)]

Funny, I was under the impression that there was a lawsuit about some Microsoft technology that added links to other content providers' pages that argued that the practice was a violation of copyright (because by altering your content, they are in effect creating their own derivative work without your permissions). Couldn't you just slap them with a DMCA takedown notice?

Re:Suprise!

[gnuman99 (746007)]

No. This is NOT GeoCities. GeoCities added adverts to the websites you hosted with them. You knew EXACTLY what they do in return for "free" webspace. This is like getting a colo box so you can reach your customers better (ie. not relying on the shared webhost), make sure you have clean pages to attract customers then some fucker comes along and sticks adds on *your* page without *your* permission.

What GeoCities does is OK. The content provider has to agree.

What some ISPs do in return for free internet is OK too (add popups or whatever) - at least that what used to happen. In this case customers KNOW that the popups are from the ISP. But popups *must* be separate from the webpage, not in it.

But if you come along and *insert* ads on my pages and thus benefit from my work, I have no choice but to sue. That is copyright violation. Period. They are costing the content provider money.

Re:Suprise!

[Tim C (15259)]

Like creating a derivative work? This is taking someone else's work in transit from server to client, inserting other content into it, then sending this modified version on to the client instead.

This isn't like creating a derivative work, it is creating a derivative work. They're even profiting from it, as they're selling the ad space thus created.

Re:

[Hognoxious (631665)]

Unless it's pa par pa par pa par pa par papapar pa par pa par pa par ... PAH! [youtube.com] That never gets old.

Re:Suprise!

[Reaperducer (871695)]

Yes they have. It's called "product placement", and it's getting more invasive.

More invasive? Time to go back to the history books, Sonny.

Things used to be much worse. Advertisers would have their logos splashed all over TV shows and movies. On TV news they would be on the anchor desks, in the backgrounds, even on the clothes the anchors would wear.

There's a great exhibit in the Old Louisiana State Capitol [glasssteelandstone.com] that is an old TV news set from the 50's. The news was called something like "The Esso Seven O'Clock News" and there's a big Esso logo on the front of the desk, and I think one on the microphone as well as other places.

Quite an eye-opener. At least modern product placement is subtle. I think we're just getting more sensitive to it.

Re:Suprise!

[speaker of the truth (1112181)]

It seems to be more and more common to see games in PC and console games

I'd be asking for a refund if this weren't the case!

What about code validation?

[throup (325558)]

I know this won't be everyone's primary concern, but what happens to all of those pages carefully crafted to adhere to a specific standard eg HTML 4.01, XHTML 1.1 or whatever else you may choose? Surely, unless these uninvited contributions also adhere to that specific standard, we have no hope of producing standards-compliant documents.

Re:

[dascandy (869781)]

Turn that around and you could sue them for "destruction of property" for wrecking your pages, "violation of contract" for not giving you webhosting or something similar.

Re:What about code validation?

[Jamu (852752)]

I had that with my old ISP (Virgin.net). I wrote a simple webpage in HTML 4.01, checked it was valid with W3C's Markup Validation Service, and then uploaded it. When I checked it there was script just after the html element but before the head. Not what I wanted to see on a page that not only asserted I knew something about writing HTML, but also had the W3C validation link at the bottom.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><s cript src="http://www.virgin.net/js/random_ad.js" language="javascript"></script>
<!-- Document is valid. However, Virgin.net inserts a <script> element here -->
<head>
<...

Re:What about code validation?

[Ant P. (974313)]

I found something funny with using XHTML 1.1. Certain free hosting sites are totally oblivious to its existence, so if you rename all your pages to *.xhtml their injected ads magically disappear.

Re:What about code validation?

[Bogtha (906264)]

Unfortunately, Internet Explorer is also oblivious to XHTML 1.1's existence, which means you'll be turning away the majority of your visitors (assuming typical demographics).

On the one hand...

[niceone (992278)]

On the one hand I'd be really annoyed* if my ISP did this to me, on the other hand maybe there are some people who wold prefer ads and a cheaper monthly fee?

And on the third hand... isn't this going to break a whole bunch of websites? I'm having a hard time imagining how they could do it without major side effects.

(* I'd be wanting to stuff a few ads up their HTTP stream, I can tell you)

Re:On the one hand...

[Dutch_Cap (532453)]

And on the third hand... isn't this going to break a whole bunch of websites? I'm having a hard time imagining how they could do it without major side effects.

Don't worry, I'm sure it's been thoroughly tested with Internet Explorer.

Re:On the one hand...

[bruns (75399)]

From my experience (I've worked at and built enough ISPs) that even if they find a way to potentially reduce the customers cost per month (ie: through ads), they won't pass the savings to the customer - ever.

Why? Profit. It's a great motive.

I've seen this at least a year ago

[wtanaka (13113)]

http://wtanaka.com/node/62 [wtanaka.com]

It was especially annoying when the ad insertion code didn't quite work right and caused web pages to break.

I've known about this for a while...

[Saint Aardvark (159009)]

When I worked at the helpdesk of a small ISP [dowco.com], we were approached by this company [adzilla.com] to see if we were interested in letting them test their ad-inserting proxy server on our customers. I protested that it was scummy and might lead to legal trouble (I was guessing) over changing pages in-flight, but my bosses didn't listen. That was back in 2002 or 2003, and I left shortly after to take another job. No idea what's going on there now.

I'm moving to a new ISP [uniserve.com] since my current one [www.shaw.ca] has started blocking port 25 in and out. I run my own mail server, so I appreciate that Uniserve's TOS [uniserve.com] explicitly allow servers (clause #19). However, they also explicitly say that they insert ads:

65. UNISERVE shall have the right, without notice, to insert advertising data into the Internet browser used by a UNSERVE customer, and transferred to a UNISERVE customer over UNISERVE's network, so long as this does not involve UNISERVE establishing the identity of the customer to whom such data is sent.

Needless to say I'm not happy about that, but in Vancouver my choices are limited: Telus (who'll censor web pages [thetyee.ca] if they belong to a union striking against them), Shaw, or a handful of small ADSL ISPs that all seem to be much the same. Uniserve seems the best of a bad bunch.

Re:I've known about this for a while...

[Mr. Slippery (47854)]

However, they also explicitly say that they insert ads:

As a content provider, I didn't give them any licence to create derivative works. Creating versions of my pages with ads, is clearly creation of a derivative work.

But of course, it's much more important for copyright law to prevent me from copying a CD for a friend, then to prevent some large ISP from violating my moral rights [wikipedia.org] by whoring out my content.

Re:I've known about this for a while...

[KiahZero (610862)]

U.S. Copyright law is about a utilitarian bargain between content creators and content consumers - in exchange for creating the content, the creators are given a limited monopoly on certain actions. Moral rights don't really have a foundation in American law.

Re:

[Thing 1 (178996)]

Can they insert ads into an https stream? Let's everyone just start using that protocol.

Belkin sucks!

[Werrismys (764601)]

One belkin ADSL modem actually did this. Every couple of days or couple of thousand port 80 request it displayed their ad instead.

They later issued a new firmware that disabled this. But not before I had issued them a "fuck off" feedback. I have never bought another belkin product since and I strongly urge no-one else to do so either. Fuck them.

Links to Belkins suckiness (Re:Belkin sucks! )

[Werrismys (764601)]

Belkin hardware sucks: http://www.google.fi/search?hl=fi&q=belkin+router+ adware [google.fi]

Yes I know their hardware sucks for other reasons also.

Re:

[FrostedWheat (172733)]

I second that. We had a KVM of Belkin in the office ... it acheaved a level of suckiness I've rarly seen in the computer world. Most days it would just stop working, or the keyboard would stop working and a few times got into an endless loop switching between computers. How hard can it be to make a KVM? In the end it was easier setting up two keyboards, mice and screens :-/

When I bought one for home I went out of my way to get a non-Belkin model, ended up with some no-name brand and it works flawlessly. C

Opt Out Link

[cybermage (112274)]

The company that runs the box the ISP installed provides an opt-out option. Go to this page [nebuad.com] and click opt-out.

I think their behavior with this product is reprehensible. Pass the link on to anyone you know who is affected and encourage them to call their ISP and complain every day until it's removed. If all their call center does is get complaints, they'll reconsider whether it's making them any money.

Data corruption

[gilesjuk (604902)]

This is one angle to pursue, you have requested a page and the page you receive has been altered by the proxy, therefore "corrupted" the data.

If this continues then someone can write a plugin for Firefox to stop the adverts.

Time to rebuild the freenets.

[by Anonymous Coward]

Back at the start of the net, many people started to build their own little networks (e.g. the "freenets", which existed long before freenet) and make connections with their neighbours. This activity was wiped out when ISPs started providing service at less than cost in order to build their business, making freenets not worth the investment. Now we are back at the stage where ISPs are trying to make money and messing up the service. It's time to restart building those networks and move off the commercial ISPs. Does anybody know any good places to start this? I'm ready to interconnect with my neighbours. How do we arrange sensible cheap long distance interconnectivity?

What about freenetworks.org [freenetworks.org]? Are Wifi Coops [wificoop.org] any good? Any others?

Copyright Bonanza

[Doc Ruby (173196)]

The content in my pages is copyright implicitly, even if I don't register or even declare it in the pages. The right my ISP has to copy it is only for the purpose of publishing it in the transaction I have explicitly permitted: publishing it on URL requests.

If my ISP copies it for any other purpose, like inserting ads, or copies it into (or as) some other context, like an ad page, it's violating my copyright.

Every copyright violation - every page - makes them liable for a fine. That can really stack up, and costs a lot more than each page view generates in ad revenue.

Unless I've signed away my copyright in some contract with the ISP. Which I personally haven't. Nor should you.

If you have retained your copyright, and your ISP violates it, you should look forward to them handing over their business ownership to pay the damages. Email your lawyer from your other account and get the ball rolling. Why should corporate copyright holders have all the fun?

How to take advantage of this

[IdahoEv (195056)]

It would seem pretty straightforward to document uses of your website to sell ads, so that you could sue ISPs for copyright violation. This seems pretty straightforward to me.

1) Generate a unique id for every webpage transmitted. php's uniq() function would be fine. Embed it in the page.
2) Generate a checksum before transmitting the page. Save the id and the checksum, perhaps in a mysql database, when transmitting the page.
3) Embed a javascript that can compute the checksum of the document at the user's end. Have it transmit the checksum back to the server.
4) If the checksum doesn't match, have the javascript transmit the content of the page and it's headers, and perhaps even a traceroute, back to the server.
5) Server stores all of the above in a "pages corrupted in transmission" log.

Log analysis should then give you a list of ISPs who have consistently corrupted your pages, details on what they inserted, and documented # of violations with date and time. You can take this documentation to the court and say "Look! Earthlink/Megapath/AT&T/Whoever has illegally copied my website to market their own advertisements 12,432 times in the last year!". Demand remuneration.

6) Profit!
7) Reduce ISP's willingness to fsck with other people's content and thereby make the world a better place.

8) (Optionally) Have your own javascript strip their ad and/or put a banner at the top that notes "Your ISP has attempted to illegally insert their own advertising into our website, thereby making money off you and me without either of our permission. We strongly suggest you switch internet service providers." -- try to get user pressure on the ISP.

I'm about to head out on a 10-day vacation. When I get back, if one of y'all hasn't written this yet I'll start on it myself.

Re:How to take advantage of this

[Nimey (114278)]

How about people like me who have the Adblock extension?

Of course, I also have Noscript, so I'd not even register in your scheme.

Re:

[kailoran (887304)]

The right my ISP has to copy it is only for the purpose of publishing it in the transaction I have explicitly permitted: publishing it on URL requests.

A proxy makes a copy for reasons other than publishing the content in the current transaction, so (nitpicking) it would mean it is ilegall.

Anyway. I'm not sure if copyright should be the law preventing this, I'd much rather have it illegal under some sort of privacy or wiretapping law. I mean, UPS doesn't stick adverts inside mail, and what the ISP is do

Copyright infringement

[Anon E. Muss (808473)]

The customers of these asshole ISP's may not be able to stop them, but web site owners might. HTML code is frequently copyrighted. Injecting Javascript into a web page creates an unauthorized derivative work. Some webmaster needs to start sending DMCA takedown notices to ISP's using these ad injection proxies.

Phone service providers are doing this too

[suv4x4 (956391)]

So if you mom is suddenly very excited on the phone about the latest washing powder or insists that you shave only with 5-blade Gillette for best results, you should know better.

There should be legal questions

[erroneus (253617)]

These ISPs are modifying the content of another source. They alter the format or content or appearance of the requested data or information. Potentially, they endanger the quality of the service being provided on the other end. This is an offense against net neutrality.

Content providers who earn income from their own web activity should be among the first to file suit against these ISPs. I imagine network TV companies would be VERY offended if advertisments were inserted over, in or around their own presented material and web based business should be expected to have the same offense taken.

Smells to me...

[Kjella (173770)]

...like a copyright infringment. The ISP takes the work, creates a derivate, then distributes that derivate to you. Clearly the page is distributed as a whole even though it's made up of parts, you'd certainly relate porn ads to a company if they appeared on that company's webpage which means it's absolutely not its own work. It's like a book club embedding ad pages in the books before shipping them to members.

Distribution is an exclusive right of the copyright holder.
That they change the content means all paragraph 512 limitations are out the window.
The fair use test (commercial, creative work, almost whole work (all the non-ad content), kills ad revenue) is a 0-4 slam dunk against.

So tell me exactly, what's protecting the ISP from an "allofmp3" style lawsuit for a few trillion, since every web page is a $150,000 lawsuit in itself? Whoever in the legal department who approved this should be terrified.

Go Somewhere Else?

[Joel Rowbottom (89350)]

Ok, mod me down for this if you will, but why not just vote with your feet and go to a different ISP?

In these days of webmail and portable email addresses/domain names, why don't more people do this? It's still a buyer's market, and there's still lots of mom-and-pop ISPs who'll be glad of your business.

All the talk of 'taking legal action' smacks to me as being what's typically wrong with the entire attitude of everyone today. Compensation culture and all that - where there's blame there's a claim.

Re:

[name*censored* (884880)]

>>Ok, mod me down for this if you will, but why not just vote with your feet and go to a different ISP?

Not always feasible - for one thing, many many areas have a limited number of ISPs available in their area - some rural regions may only have access to one broadband provider. Also, big companies only understand one type of complaint, and that's litigious type of complaint. If everyone moves to the only other ISP in town, this *other* ISP will destroy the first, and then immediately start putting

Don't just stand for it!

[GFree (853379)]

Exercise your GOD-GIVEN RIGHT to stop using the offending ISP take your business elsewhere and.

Failing that, exercise your GOD-GIVEN RIGHT to walk into the ISP's main offices with an automatic shotgun.

I figure that either way, you're not gonna be using that ISP any longer.

Fair play.

[OgGreeb (35588)]

We should start sending multi-page advertisements with our ISP payments embedded in the middle, to monetize the untapped revenue stream available when the ISPs want to get paid.

Ads == harassment

[Tom (822)]

Some time soon, we will cross the line where my opinion becomes a majority opinion: That any and all unasked for advertisement is harassment and should carry criminal penalties accordingly. Double the punishment if it masquerades as something else (i.e. fake grassroots campaigns, product placement, etc.)

Alternatively, lift all restrictions on advertisement. Then we'd at least have nude girls and hardcore porn on every wall and window, instead of beer and washing powder.

Re:ISP comparisons need to note this

[Anon E. Muss (808473)]

Hit them where it hurts: right where people are deciding which ISP to go with.

That only works if there is actual competition. In most large cities, customers have only two choices. They can go with cable modem service from Some Big Cable Company or DSL service from Some Big Telecom Company. Both usually suck. People living in smaller communities often have no choice at all.

Re:ISP comparisons need to note this

[Alain Williams (2972)]

Ah, one way in which competition is better in the UK. You can be broadband off a cable company (if you subscribe) or over the British Telecom 'phone lines - in which case you have dozens of ISPs to choose from.

I may not often agree with Gordon Brown: but him objecting to Sarkozy's attempt to remove 'competition' as a basic tenet of the EU was 100% correct. Protectionism, in the long term, hurts all consumers.