
ISP Inserting Content Into Users' Webpages

geekmansworld, among other readers, lets us know that the Canadian ISP Rogers is inserting data into the HTTP streams returned by the Web sites requested by its customers. According to a CBC article, Rogers admits to modifying customers' HTTP data, but says they are merely "trying different things" and testing the customer response.
  • by iamacat ( 583406 ) on Tuesday December 11, 2007 @09:06PM (#21665473)
    It seems that the customer would be less unhappy about a warning that he is about to reach a bandwidth cap, page modifications and all, than just get a thousand dollar bill out of the blue. There is no set mechanism for the ISP to communicate with the customer over Internet, so creating one might be justifiable in this case. Write again when a (non-free) ISP injects ads or blocks competitor's websites.
  • by QuantumG ( 50515 ) <qg@biodome.org> on Tuesday December 11, 2007 @09:12PM (#21665525) Homepage Journal
    That is to say, this is a case of your ISP using packet modification to insert code into your HTTP stream, but it doesn't have to be so innocuous. It's quite possible that someone who has hacked into your ISP could do the same thing... and not just to HTTP streams, but any TCP stream. Downloaded any executables lately? It's quite possible that a hacker could have intercepted any packet that begins with "MZ", has a non-zero value at offset 0x3c which contains a 4 byte offset into the packet that has "PE" at it. There's a Windows binary, let's change the bytes at the entrypoint to do something malicious.

    SSL is your friend.

    If only we could get IPSEC happening.
  • by thegrassyknowl ( 762218 ) on Tuesday December 11, 2007 @09:16PM (#21665585)
    This could open up a whole bunch of "but I didn't download that" claims when users are caught with dubious material. They could claim that their ISP modified their download streams and point (at least some of) the blame toward the ISP.

    It's all a little dubious if you ask me. I always knew it was possible to fiddle with the stream, but I didn't think anyone would bother because it could possibly break a lot of pages that are held together with fragile HTML-fu.
  • common carrier (Score:5, Interesting)

    by Richard_J_N ( 631241 ) on Tuesday December 11, 2007 @09:42PM (#21665837)
    What a really stupid thing to do. Never mind that it's unethical, they just lost their common-carrier status. Now the RIAA can sue them for contributory infringement ;-)

    At least, that's my understanding of it - ISPs and postal services are legally "common carriers", i.e. they just deliver stuff; they aren't responsible for any legal ramifications of what they deliver. Eg the post service isn't liable if someone mails a forged cheque. BUT...if they demonstrate that they control, inspect, and modify what they are delivering, they might just be liable when someone uses their network to commit fraud.
  • by nweaver ( 113078 ) on Tuesday December 11, 2007 @09:54PM (#21665935) Homepage
    See this old Slashdot article [slashdot.org] on how servers can detect such modifications when they happen by using a bit of JavaScript as an integrity checker.

    (Disclaimer, I'm one of the authors of the work)
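
The kind of script-based integrity check this comment refers to, as an added example that is not from the thread or from the linked work: it compares the markup the server sent with the markup the browser received and reports where they differ. The function names, the sample markup and the way the known-good copy reaches the script are assumptions.

```javascript
// Added example, not from the thread: names and sample markup are constructed.
// In a browser, `received` would be the page source re-fetched by script and
// `expected` a known-good copy the server embeds in the checker (assumption).

// Collapse whitespace so a proxy that only strips whitespace can be told
// apart from one that adds or removes content.
function normalizeWhitespace(html) {
  return html.replace(/\s+/g, ' ').replace(/>\s+</g, '><').trim();
}

// Locate the changed region by trimming the common prefix and common suffix.
function locateChange(expected, received) {
  const max = Math.min(expected.length, received.length);
  let start = 0;
  while (start < max && expected[start] === received[start]) start++;
  let tail = 0;
  // The bound keeps the suffix from overlapping the prefix already matched.
  while (tail < max - start &&
         expected[expected.length - 1 - tail] ===
         received[received.length - 1 - tail]) tail++;
  return {
    offset: start,
    removed: expected.slice(start, expected.length - tail),
    inserted: received.slice(start, received.length - tail),
  };
}

// Verdict for one page load: intact, whitespace-only, or modified (with the
// offset and the text that was removed or inserted in flight).
function checkPage(expected, received) {
  if (expected === received) return { verdict: 'intact' };
  if (normalizeWhitespace(expected) === normalizeWhitespace(received)) {
    return { verdict: 'whitespace-only' };
  }
  return { verdict: 'modified', ...locateChange(expected, received) };
}

// Constructed sample: what the server sent, and two in-flight variants.
const SENT = '<html>\n<body>\n<p>Hello</p>\n</body>\n</html>';
const STRIPPED = '<html><body><p>Hello</p></body></html>';
const INJECTED = SENT.replace(
  '<body>', '<body><div id="notice">Usage at 75%</div>');

console.log(checkPage(SENT, STRIPPED));
console.log(checkPage(SENT, INJECTED));
```

A deployed checker would send the `modified` report back to the origin server, which is how the site operator learns that an intermediary is rewriting its pages.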
  • by Nikker ( 749551 ) on Tuesday December 11, 2007 @10:10PM (#21666049)
    I am a Rogers customer right now because I am slightly out of the range of a DSL provider. My connection was erratic, especially on torrents; it didn't matter what kind and where from. Suspicious, I got a copy of Wireshark and monitored the traffic; all the packets going out appeared to be OK, but all the returning packets on my torrent port were corrupted (CRC error). I brought this to their attention and they said the problem didn't exist. I told them to let their NOC know about this and they refused; they told me to send it to the general email box on their help page.

    They say they are testing the waters and they are. Are they testing a way to notify people of their account or are they trying to get people comfortable with them throwing up messages on your screen while you surf? As far as I'm concerned I will cancel and go without rather than putting up with this garbage. As far as I'm concerned the only right they have is to give me the service I'm paying for. As you can probably tell I really just don't trust this company, they don't do their job very well and expect me to put up with it, as far as I'm concerned I will fight this every inch.
  • by schon ( 31600 ) on Tuesday December 11, 2007 @10:12PM (#21666071)

    Let's get rational for a second here; the ISP is trying to inform you you're reaching your limit
    ... as well as taking the opportunity to inject advertising in the page.

    Don't believe it? Take a look at the screenshot. When was the last time you saw the Yahoo! logo on Google's homepage?
  • by kauos ( 1168299 ) on Tuesday December 11, 2007 @10:24PM (#21666175) Homepage
    I know everybody's getting mad about how Rogers dares modify their sacred HTML :) But let's face it, the Google homepage is a fantastic place to put such notices. It wouldn't be a terrible idea for Google to create Google ISP, an API that allows ISPs to communicate with their customers more effectively about the current status of their internet accounts. Maybe making it a plugin to iGoogle would make it less offensive to people.
  • by RedWizzard ( 192002 ) on Tuesday December 11, 2007 @10:36PM (#21666265)

    It seems that the customer would be less unhappy about a warning that he is about to reach a bandwidth cap, page modifications and all, than just get a thousand dollar bill out of the blue. There is no set mechanism for the ISP to communicate with the customer over Internet, so creating one might be justifiable in this case.
    There is a set mechanism: email. And if that's not sufficient they could easily write a little app to provide notification that could be run by users who are worried about exceeding their limit. There is no need for what they are doing. In fact what they are doing is probably copyright infringement: they are creating and distributing a derived work (the modified page) without the author's permission.
  • Re:I don't think so. (Score:5, Interesting)

    by FatdogHaiku ( 978357 ) on Tuesday December 11, 2007 @10:50PM (#21666381)
    First, IANAL. I was raised in a law enforcement home and one of my best buddies is a lawyer, so I like to think about this stuff. What I find interesting is the legal defence issue. Evidence requires a chain of custody or it is just "some stuff we found somewhere". When the ISP tampers with the stream, they provide any defendant with proof positive that it is possible that the defendant had nothing to do with whatever it is that has the prosecutor's panties in a knot. The "tree" (internet connection) is tainted and thus it is NOT possible to prove anything except that the defendant's connection was compromised. You could wear a jury out questioning every person that worked for the ISP, regardless of their position... when you have no proof you go fishing for doubt. Does someone at the ISP know someone at the prosecutor's office? That's doubt. Was the customer ever rude or mean to an ISP employee? Sounds like revenge... On and on you could go.
  • Correct Title... (Score:3, Interesting)

    by Belial6 ( 794905 ) on Tuesday December 11, 2007 @11:33PM (#21666765)
    ISPs commit copyright violation by delivering unauthorized derivative works.
  • UMTS (Score:4, Interesting)

    by Arancaytar ( 966377 ) <arancaytar.ilyaran@gmail.com> on Wednesday December 12, 2007 @03:55AM (#21668413) Homepage
    O2 in Germany has been doing this for UMTS connections for a long time. They've figured that stripping whitespace and artificially compressing images before transmission will save bandwidth.

    Unfortunately, their white-space stripper breaks XML-wellformedness, which makes me unable to view any of my own sites with Firefox (unless I disable application/xhtml+xml as an Accepted content type).
  • by Kayamon ( 926543 ) on Wednesday December 12, 2007 @05:47AM (#21668875) Homepage
    I'm not sure what you're describing is actually possible.

    There shouldn't be any observable difference between encrypted traffic and, say, a ZIP file. They're both high entropy data streams with no apparent structure to analyze. I don't see how they could distinguish your VPN from any other binary file.

  • by gnasher719 ( 869701 ) on Wednesday December 12, 2007 @07:25AM (#21669285)

    It's all a little dubious if you ask me. I always knew it was possible to fiddle with the stream, but I didn't think anyone would bother because it could possibly break a lot of pages that are held together with fragile HTML-fu.
    This is not just a bit dubious, it is plain and simple copyright infringement on a massive scale.

    The owner of the web site is creating a data stream, which will 99.99% of the time be copyrighted. Even if the web site owner doesn't own the copyright or has permission to use some copyrighted work, it is still copyrighted by someone else. Modifying the page creates a new derived work. If you create a derived work without permission of the copyright owner, you commit copyright infringement.

  • by gallen1234 ( 565989 ) <gallen@@@whitecraneeducation...com> on Wednesday December 12, 2007 @08:57AM (#21669675)

    I may not have a lot of money but Google has plenty. I suspect that they'll take exception to Rogers fiddling with their carefully designed home page - a page where simplicity and a clean layout are defining characteristics.

    I also suspect that there's a copyright claim here somewhere. If Rogers took Google's home page and modified it then that's a derived work which they would have to have Google's permission to distribute.

  • by Casualposter ( 572489 ) on Wednesday December 12, 2007 @02:40PM (#21674315) Journal
    This is interesting, because the telecommunications companies long ago ran with the "I can't control what goes over my wires" defense when the governments of various nations wanted to punish them as an accessory to crimes committed via the wires. The phone made it easier for V. and L. to conspire to murder T. The phone company claimed that it could not monitor and control every call and so the common carrier defense arose.

    Now, however, there is the demonstrated ability to monitor and control and perhaps the common carrier denotation is what is being tossed aside in the pursuit of the last nickel. What is an ISP to argue when faced with copyright allegations? They can monitor the traffic to sell targeted ads but can't tell when an illegal MP3 is being downloaded? That might not fly in a courtroom. Wouldn't the temptation to try to sell the user a similar song be too tempting to pass up? Or maybe the judge or jury doesn't get that there is a technology barrier and figures if the ISP can monitor one they can monitor them all.

    How about a political move like enforcing a completely non-encrypted internet to monitor for kiddie porn? All encrypted packets could be criminalized - except to "authorized sites" like your bank.

    What about the copyright on the page being mangled? I liken this type of technology to a form of vandalism, or perhaps an unauthorized derivative work. How would this be different than Amazon reprinting a Harry Potter book on demand and inserting hundreds of ads? Maybe those ads would be targeted to text on a facing page so that you'd get an advertisement for cleaning supplies every time the Nimbus 2000 flying broom was mentioned, or pet supplies every time one of the owls was mentioned. How about the death scene with Dumbledore opposite some funeral home ad?

    What about anticompetitive actions? The ISP could redirect or replace traffic with that of a competitor's product. I'm sure some companies would be delighted to ensure that no one ever hears of Brand-X again. How could this type of control and monitoring be used to prevent the accurate discussion of topics? AT&T is a backbone ISP and has been shown to be a good bit lax when it comes to protecting the data it carries. Could a large company or government change the internet by use of this technology to stop dissent?

    The abuse potential is huge.

    Then what about the privacy issues with reading every packet? Gee, Mr. Smith, why were you searching for pipes, fertilizer, and biodiesel last month?
