Charter Is Latest ISP To Plan Wiretapping Via DPI

Charter Communications has begun sending letters to its customers informing them that, in the name of an "enhanced user experience," it will begin spying on their traffic and inserting targeted ads. This sounds almost indistinguishable from what Phorm proposed doing in the UK. Lauren Weinstein issues a call to arms.

Call to arms?

[Gothmolly]

So if I blog something, and title it a 'call to arms', am I suddenly relevant too?

Scummy ISPs

[bestinshow]

Does that mean that the ISP will be altering the copyrighted material sent by the websites? Surely this would create an unauthorised derivative work?

ISPs that modify HTML content going over their network are scummy operators. It breaks web pages, it denies revenue to the websites, and is unethical in so many ways.

Now that a precedent has been set...

[slashname3]

Now that a precedent has been set, I plan to examine and modify the direct deposit traffic found on the network. Just a few simple modifications, change the account number, add a few zeros to the amount, simple things like that.

Wonder when someone will figure out that their ad is being replaced by something else and sues?

A plugin needed perhaps?

[DnemoniX]

Here is a project idea then, somebody start up a project to write a Firefox plugin that detects the inserted ads from Charter and either filter them out or replace them with something else.

As a Charter customer I can tell you that this comes as no surprise at all. They are shady as hell and their local offices are havens for the inept.

Re:Maybe?

[Anonymous Coward]

does this make the service cheaper?

No, it won't. Next question please.

Sounds Like...

[Nom du Keyboard]

Sounds like how Microsoft Genuine Advantage is presented as good thing for all Windows users.

The only way this will be any good is if any, or all, of the following are true:

1: You can opt out.

2: You ISP has gone to an ad-supported model that results in a drastic reduction of your monthly fees.

3: They are providing you with extra bandwidth free in order to carry the extra traffic they're generating to you (and not counting it against your usage caps).

Otherwise give them hell until they back off!

One is left to wonder how long before they start actually replacing ads on other sites with their own ads. After all, gangsters like this hate competition. Making you pay to get their ads, however, really sux!

Double-Standard

[LilGuy]

I'm not trying to troll here but these questions will surely sound like it.

Now copyright infringement is a major deal? So the RIAA was on to something when decided to try to protect their copyrighted materials after all?

Revoke common carrier status now

[Just Some Guy]

MP3s in the incoming folder? "Charter put them there."

Child porn in the cache? "Charter put it there."

Nuclear weapon plans in email? "Charter sent it."

Seriously, WTF are they thinking? Do they really want to be named as co-defendants in every criminal or civil case brought against their customers? Because if they modified my incoming data and I was later called in to account for anything, you can bet my first line of defense would be to blame it on them.

Re:Maybe?

[Intron]

If you want internet access and are satisfied with this, then I will sell you $100 Red Sox tickets for $10. It will look just like you are at Fenway, but you will actually be seeing the game with ads on a TV screen.

Re:Two things...

[eNygma-x]

It's different because you are going to Google's website. I'm chosing to use them. But for someone to inject their ads on a site that does not belong to them pisses me off.

Arguing your analogy

[DesScorp]

"Second, how is this any different than Google?

You can choose not to use Google. You know up front, before you use their site, what Google does. You either decide if the loss of privacy is worth it or not, and then choose appropriately. You can use any number of competing search engines.

But most places have no more than three choices of broadband access, with expensive satellite connections one of them. In reality, if customers really won't stand for Charter's actions on this, it means changing their ISP to whoever their local DSL provider is.

I'm fairly sympathetic to ISP companies trying to get the most revenue out of customers in different ways, as long as its not a matter of forcing something on customers... after all, those networks, with a lot of physical infrastructure, in addition to network administration and staffing, cost a lot of money to set up and operate. And these companies are for-profit businesses, after all, not charities. But this goes way too far. This isn't just violating a customer's privacy. That's too simple. It's violating their very user experience. Not what I'd call "enhanced" at all.

Look at an analogy from the old phone company days, pre-Internet. Imagine talking on your phone to friends or family about, oh, say a camping trip, and then having an operator break into your conversation to sell you tents and sleeping bags. Not only would it annoy the hell out of you, you certainly wouldn't like the idea of always having an operator listening in on you during every phone call.

This is going to be a situation where my Congressman and Senators and various FCC functionaries get letters from me.This crosses the line.

This marks the end of what was the Internet

[a4r6]

When ISPs can actually MODIFY data that does not belong to them, a SERIOUS boundary has been broken.
It's like the telephone company talking in place of someone on the phone.

"Hey mom" "Hi Mike, how are you?"
becomes:
"Hey mom" "HI MIKE, GET VIAGRA NOW FOR $3.99/20mg!"

A threat to every publisher who uses AdSense, etc.

[GeorgeK]

I'm astonished. How is this any different from the postal service ripping out all the magazine ads and replacing them with their own ads before they get delivered to your house?

With the "deep packet inspection" technologies, conceivably ISPs can just replace, in real-time, our Google AdSense pubisher IDs with their own. Or, they could simply replace the Google AdSense Javascript snippet with something else.

I would hope that Google and other large advertising networks lead the charge against this, and that they are not partnered with any ISPs involved in this activity. A large class action lawsuit on behalf of publishers might slap sense into any ISPs using this "enhancement" to steal revenues from legitimate publishers.

Re:Revoke common carrier status now

[mlts]

This brings up another concern. Even though Charter/Phorm is not being malevolent, just greedy... what happens if their proxy server/ad server gets hijacked or compromised? Such a server would make a big target for thieves because of the gains.

Should something that injects ads gets compromised, a malware distributer now would have unfettered access to every single Charter subscriber. A compromised ad server could be done in such a way where only a relatively few people at random would get exposed to zero day exploit code.

What was intended as a money stream would make an identity theft ring very happy, with not just being able to add new members to botnets, but to log traffic of subscribers for either use for ID theft, or perhaps extortion.

What is ironic is that damage caused by an ad injection server would be immediately blamed on the destination website, and in a court of law, criminal charges can be pressed and likely made to stick (because juries won't consider ad injector "services" as reasonable doubt.) Civil charges almost certainly will be able to be won. A compromised ad injecting server could easy go for months if not longer, escaping detection, as there would be zero proof that it was the ad injection "service" that did this.

Again, I posted earlier about having some facility to sign Web pages without needing the overhead of full SSL... perhaps someone should look into this, so high volume websites can still serve pages with little overhead, but offer immediate detection if the page is modified in transit.

This is what they are going to argue.

[Irish_Samurai]

Well, they don't have your HTML. They have a copy of your HTML.

Your original HTML is still residing on the server where you put it. They are not interfering with your data.

What they are doing is interfering with their subscribers requested copy of that data. Their subscriber has the right to render the requested HTML in any way they see fit. They can use a different CSS file that resides on their box or some other network location. They can choose not to render graphics, flash, or allow JavaScript to run.

The provider, being in contract with the subscriber, is allowed to act as their agent while the packets are being transmitted over their part of the network. During this time, the ISP exercises that contracted ability, and injects code into the packets.

The ISP will tell the subscribers that this right is part of the contract, and if they don't agree to it - they don't get service. The ISP will also tell you to shove it up your ass - you can refuse requests made from their subscribers if you don't like what they do on their network.

According to your stance, the end user doesn't have the right to modify your HTML from what was intended. This, ironically, is the same exact stance that internet marketing companies take when confronted with browser plug-ins that effectively remove their code. Unfortunately for us, we can't have it both ways. Either we are allowed to alter how the packets are rendered, allowing us them to inject into packets due to powers granted them by their user terms and conditions, or they cannot - setting a precedent that would open the floodgates to client side packet altering and rendering changes.

Another point of argument they are going to make is that they aren't messing with your copyrighted web pages because they aren't distributing it without permission. When a user makes a request for your page, and your server fulfills that request, you have distributed the materials yourself. They are merely making a "derivative work" from that material.

I'm not saying I'm down with this at all. Frankly its a scummy tact and I hope their business dies. But this is what they are going to argue, we should get ready for it.

Re:Why no SSL on (for example) google.com?

[Haeleth]

SSL costs CPU time (that's part of why it's secure). When you have a busy site like Google, that CPU time costs money. They won't implement encryption until the Spy-SPs hurt their bottom line enough to make it worth their while.

(And even then, there may be cheaper solutions to this particular problem, such as signing pages instead of encrypting the whole lot.)

Not so bad in the long run

[fishdan]

Obviously this is a "bad thing" but I predict "good things" for consumers out of this. Consumers will learn they can avoid extra ads by using https. Content providers will learn they can improve their customer's experience by removing ISP ads by using https. Sites will have to have signed certificates, and users will have to import them. Phishing ends (well of course not because of Cook's Law [quotationspage.com] and the web becomes a much safer place, because no more unencrypted traffic!

And seriously -- we've got the bandwidth -- why not encrypt it all now? Maybe not mobile bandwidth, but ok, we'll live. Maybe this is the draconian kickin the ass we need to get more serious about our own privacy??

Re:This is what they are going to argue.

[Irish_Samurai]

If they were acting as an agent of the end user, and the end user wanted to put ads on any HTML they rendered on their client (absurd, I know), the end user would be making derivative works on their client. The ISP is trying to argue that since they are acting as an agent of the end user, they are removing the need for the client application to insert the code. They are going to put forth that there is no material difference between rendering on the client and rendering slightly upstream as an agent of the client.

It is a stretch in logic, but it is what they are going to try and argue.

Re:Enhanced user experience

[Anonymous Coward]

"If you live in the Madison, WI area, attend the Madison Broadband Telecommunications Regulatory Board Meeting this Thursday (May 15, 2008) at 5:30pm in Room 103A of the City-County building (210 MLK Blvd). Complain during the Public Comment part of the meeting, which is immediately after Call to Order and Roll Call. I plan to be there.
"

the UKs Phorm activistes are always looking for more information as regards Phorm, and NebuAd (they have offices the UK awaiting the outcome of the Phorm trials [threat]).

we have a lot of info regarding Phorm but not that much for the NebuAd.

the Phorm Public meeting was video taped upto a point by the attendees , but we missed the _vital_ and very informative (some might say embarising for the Phorm CEO etc) Q&A section at the end, as we were informed that they would release the full unedited professional video taken as soon as it was re-encoded for online use.

guess what, they never released it....

if you get a chance to take video footage of this NebuAd public meeting, make sure you get every single minute of it,and sound recordings perhaps, for use later proof of any revealing facts and quotes, especially regarding the tech operation and webmaster opt out options....

see the cable forum Phorm thread to see some of the tech points you might also ask NebuAd directly.
http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated.html [cableforum.co.uk]

if any and all of you do get a chance to take video footage, please make it available and known to the
http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated.html [cableforum.co.uk] thread so we can also use its contents for our UK NebuAd fight when it comes.

No longer common carriers

[haapi]

"Common Carrier" status is something the ISP's want, so they don't have to be held responsible for subscribers' actions. If they demonstrate the capability and willingness to monitor subscribers' actions, they abandon any safe-harbor provisions the law now gives them.

If I was the legal eagle of an ISP, I would grasp the Marketing Steph-equivalent in my claws and squeeze until he admitted this is a bad idea.