Privacy The Internet Your Rights Online

Charter Is Latest ISP To Plan Wiretapping Via DPI

Charter Communications has begun sending letters to its customers informing them that, in the name of an "enhanced user experience," it will begin spying on their traffic and inserting targeted ads. This sounds almost indistinguishable from what Phorm proposed doing in the UK. Lauren Weinstein issues a call to arms.
  • Re:Scummy ISPs (Score:5, Interesting)

    by coats ( 1068 ) on Tuesday May 13, 2008 @03:00PM (#23394160) Homepage

    Does that mean that the ISP will be altering the copyrighted material sent by the websites?
    Damned right it does. There are no ads on my web pages, for example http://www.baronams.com/products/ioapi/ [baronams.com]

    Can someone tell me whether Charter is inserting any ads? If they are, I want to complain to the Attorney General and to my CongressCritters about felony copyright infringement.

  • Re:Scummy ISPs (Score:5, Interesting)

    by BSAtHome ( 455370 ) on Tuesday May 13, 2008 @03:01PM (#23394172)
    This might actually fly. If some content owner starts a case, they could very well make a case for an "unauthorized derivative" under the copyright rules. Then ISPs or transits must take a license for all material they modify. I for one would not allow third parties to modify my HTML.
  • Now or Never (Score:5, Interesting)

    by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Tuesday May 13, 2008 @03:01PM (#23394176)

    Some things call for the proverbial nuclear response: boycotts, lawsuits, all-out opposition. This is one of them. Once one of these corporations gets away with this, it's game over for those of us who want a corner of our lives that doesn't have some lying prick forcing his way into it to sell us something, spin the information we get and otherwise screw with our reality in a way that works to somebody else's advantage at our expense.

  • Maybe? (Score:1, Interesting)

    by Anonymous Coward on Tuesday May 13, 2008 @03:01PM (#23394180)
    Now I think this is a grave violation of so many rights, but I wonder, does this make the service cheaper? Currently in Texas, for me, Broadband is about $30-40 for me, but if this service pegged the service down to say $10 a month, I'd opt for it. Past that, these people deserve better.
  • Re:Call to arms? (Score:1, Interesting)

    by Anonymous Coward on Tuesday May 13, 2008 @03:05PM (#23394226)
    Maybe, if your 'call to arms' is any good. And being somewhat known helps too I guess http://en.wikipedia.org/wiki/Lauren_Weinstein_(activist)
  • Re:Scummy ISPs (Score:5, Interesting)

    by gstoddart ( 321705 ) on Tuesday May 13, 2008 @03:10PM (#23394294) Homepage

    Does that mean that the ISP will be altering the copyrighted material sent by the websites? Surely this would create an unauthorised derivative work?

    I should hope at some point, that very theory will get tested in court.

    Agree completely that for an ISP to change the contents of a page I request from a 3rd party is just plain wrong. What next, redirecting you from URLs critical of them onto URLs which sing their praises? Preventing you from reading about the services of competitors?

    Modifying the requested data is way too invasive, but it seems to be consistent with the whole strategy of "monetizing what your customers do". What you want is irrelevant, you're just a revenue stream.

    As has been said so often, I hope things like this cause the networks to lose anything resembling common carrier status -- right now, they're just a network, so whatever you send is up to you.

    Cheers
  • Two things... (Score:4, Interesting)

    by stewbacca ( 1033764 ) on Tuesday May 13, 2008 @03:28PM (#23394568)
    First, much like ANY transaction in any medium, the article claims your name and address is required. Why are we willing to give our name and address out for nearly any transaction, yet as soon as an online transaction calls for it, we freak out? I'm pretty sure when you signed up for Charter service, you probably gave them your name, address, phone number, checking account number, debit card, etc. etc. You probably gave them a deposit and they probably looked up your credit using, gasp, your social security number.

    Second, how is this any different than Google? They track my online activity then target me with ads that I might find interesting. Am I even given the option to opt out of Google ads? (serious questions, not flame-baiting)

  • Re:Call to arms? (Score:5, Interesting)

    by gstoddart ( 321705 ) on Tuesday May 13, 2008 @03:34PM (#23394642) Homepage

    So if I blog something, and title it a 'call to arms', am I suddenly relevant too?
    No, you first have to include incendiary slashdot summaries like Company X to SPY on YOU!

    OK, let's cut out the middle man here, and go straight to what Charter is saying [charter.com]:

    How does this service actually work?
    It uses completely anonymous information and, based on your surfing and search activity on the Internet, it infers your interests in certain product or service categories, such as automobiles/sports cars, fashion/handbags, or travel/Europe, and so forth.

    Translated ... we're going to inspect the contents of your packets, and infer what you are looking at. Then we will use that information to increase our revenue by supposedly giving you more relevant ads.

    So, tell me, how exactly is reading my packets that much different from "spying" on me? I expect my phone carrier to not listen to my calls to decide what inserts they should put into my next bill, because telcos are supposed to have an arms length relationship with your data.

    This is not nearly as inflammatory and knee-jerk as you make it out to be. They actually are reading what you do.

    And, for the record, it can't be "completely anonymous" if they know to put it into my web-page. They may claim that they can't tie it to you, but, if they know to give you an ad for Depends Undergarments, at some point, they decided that you needed to receive that targeted ad.

    Cheers
  • by mlts ( 1038732 ) * on Tuesday May 13, 2008 @03:50PM (#23394902)
    For web content that doesn't need to go over SSL/TLS, I wonder about some way of having webservers sign the HTML of the get request with their SSL key, and cache that signature, so subsequent requests of that HTML page have almost no overhead incurred.

    Then, on high volume servers that are not needing the security of SSL, the core HTML page that gets to the client can be verified (using the client's CPU time) if it was modified in transit, without the server needing to spend the CPU time for SSL's overhead. If the HTML doesn't match, then offer the user a mechanism to browse the site entirely using SSL.

    The only issue is for dynamic content that can't be cached, this will add a cryptographic signing step for each page.

    An example:

    Someone browses www.foo.com
    the webserver at foo.com grabs index.html, signs it with www.foo.com's SSL key, saves the signature in a cache that is reset if someone legitimately edits index.html on the server, then sends the web browser index.html and after that, index.html's signature, perhaps in OpenPGP format. After the first signing, all the webserver is doing is sending two files (index.html and the cached signature.)
    The web browser compares the received index.html to the signature, and alerts the user if it was tampered with.

    As for my stuff, for low volume web servers such as my home domain, I just automatically redirect the user to the SSL server, because that stops this problem cold. If an ISP is able to intercept SSL traffic, (especially with an EV certificate), they are so advanced at crypto, they deserve to be able to insert ads.

    I have a feeling that it will only be a matter of time before not just ISPs that people are subscribed on, but large volume peering nodes will try their hand at inserting ads, so might as well just force as much traffic to SSL whenever possible now, although for high volume sites, this is far easier said than done.
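An added example, not part of the comment above or of any real server: a Node.js sketch of the sign-once, cache-the-signature scheme the comment describes, with the client-side check. Assumptions: an Ed25519 key pair generated in the script stands in for the site's SSL key, the signature is a raw detached signature rather than OpenPGP, and `SigningServer`, `verifyPage` and the sample page are hypothetical names and constructed data.

```javascript
const crypto = require('crypto');
// Assumption: a fresh Ed25519 key pair stands in for www.foo.com's SSL key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Signed bytes = path + newline + body, so a valid signature for one page
// cannot be replayed for a different URL on the same site.
function signedBytes(path, body) {
  return Buffer.concat([Buffer.from(path + '\n', 'utf8'), body]);
}

class SigningServer {            // hypothetical server-side helper
  constructor(key) {
    this.key = key;
    this.pages = new Map();      // path -> Buffer
    this.sigCache = new Map();   // path -> base64 detached signature
    this.signOps = 0;            // counts real signing operations
  }
  // A legitimate edit replaces the page and resets its cached signature.
  publish(path, html) {
    this.pages.set(path, Buffer.from(html, 'utf8'));
    this.sigCache.delete(path);
  }
  // Sign on the first request only; later requests send two cached blobs.
  serve(path) {
    const body = this.pages.get(path);
    if (!body) throw new Error('no such page: ' + path);
    if (!this.sigCache.has(path)) {
      const sig = crypto.sign(null, signedBytes(path, body), this.key);
      this.sigCache.set(path, sig.toString('base64'));
      this.signOps++;
    }
    return { body, signature: this.sigCache.get(path) };
  }
}

// Client side: fails closed when the signature is missing, so an
// intermediary cannot defeat the check by stripping it.
function verifyPage(pubKey, path, response) {
  const sig = Buffer.from(response.signature || '', 'base64');
  if (sig.length !== 64) return false;   // Ed25519 signatures are 64 bytes
  return crypto.verify(null, signedBytes(path, response.body), pubKey, sig);
}

function demo() {
  const server = new SigningServer(privateKey);
  const page = '<html><body><p>No ads here.</p></body></html>'; // constructed
  server.publish('/index.html', page);
  const first = server.serve('/index.html');
  server.serve('/index.html');                      // cache hit, no signing
  const opsAfterTwoServes = server.signOps;
  // Constructed in-transit modification: extra markup added to the body.
  const modified = {
    body: Buffer.from(page.replace('</body>', '<div>ad</div></body>')),
    signature: first.signature,
  };
  const result = {
    clean: verifyPage(publicKey, '/index.html', first),
    modified: verifyPage(publicKey, '/index.html', modified),
    stripped: verifyPage(publicKey, '/index.html', { body: first.body }),
    wrongPath: verifyPage(publicKey, '/other.html', first),
    opsAfterTwoServes,
  };
  server.publish('/index.html', page + '<!-- edited -->');
  server.serve('/index.html');                      // re-signed after edit
  result.opsAfterEdit = server.signOps;
  return result;
}
```

The check only helps if the client already knows the site signs its pages and has the right public key; a client that treats a missing signature as "unsigned site" gets no protection.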
  • Re:Sounds Like... (Score:3, Interesting)

    by brunascle ( 994197 ) on Tuesday May 13, 2008 @03:58PM (#23394992)
    a cookie? how would that work? the cookie would only be sent to the website that created it. how would they see the cookie when someone goes to a different site? are they still injecting something into web pages that points to their own site, to check for the cookie? that's still bad, bad, bad.
  • Re:Scummy ISPs (Score:5, Interesting)

    by mikael ( 484 ) on Tuesday May 13, 2008 @04:08PM (#23395108)
    The following web site contains some scripts which do self-analysis/checksum calculations to determine whether they have been interfered unlawfully with:

    Corruption detection scripts [washington.edu]
  • Three answers... (Score:4, Interesting)

    by argent ( 18001 ) <peter@slashdot . ... t a r o nga.com> on Tuesday May 13, 2008 @04:35PM (#23395432) Homepage Journal
    (1) I don't enter that kind of data over an unencrypted link.
    (2a) Google tracks my online activity when I'm not using Google's servers?
    (2b) Charter pays the site that's getting their "deep inspection" ads inserted?
  • SSL and HTTPS (Score:4, Interesting)

    by BlueParrot ( 965239 ) on Tuesday May 13, 2008 @04:37PM (#23395458)
    Time to start using it... Even if you just sign your own certificates, thus making the whole thing completely vulnerable to man in the middle attacks, these ISPs would be guilty of rather serious violations of cybercrime laws if they started sending your clients fake SSL certificates. I.e., if you just want to prevent the ISP from doing this you don't even need a secure session, you just need one they can't interfere with without incriminating themselves.
  • Re:Scummy ISPs (Score:5, Interesting)

    by dgatwood ( 11270 ) on Tuesday May 13, 2008 @04:58PM (#23395804) Homepage Journal

    Actually, no it doesn't. Not without permission. From what I recall reading about this a couple of weeks ago in a very similar discussion (subtle way of saying "I think this story is a dupe"), if I understand what is being done correctly, there are two parts to this:

    • Deep packet inspection---stores keywords based on sites you visit.
    • Ad replacement---replaces existing advertisements on a page.

    There's a specific ad provider that is involved with this, and that ad provider agrees to allow the local ISP to replace its ads with more targeted ads in exchange for a portion of the resulting ad revenue. The ad replacement, therefore, is authorized by the ad provider, who in turn is authorized by prior agreement with the website publisher.

    The dirty part is the deep packet inspection, not the modification of the data stream. Attacking the latter to try to stop the former is likely to get you nowhere.

  • by Knara ( 9377 ) on Tuesday May 13, 2008 @05:47PM (#23396422)

    One wonders how easy it would be to make an FF plugin to just replicate the cookie content.

  • by azzuth ( 1177007 ) on Tuesday May 13, 2008 @06:03PM (#23396628)

    TTD Grah : Say for example, you are surfing because you wish to purchase shoes online, this site will pop up and give you options to chose from.
    TTD Grah : That is how it works.
    TTD Grah : That is how it works.
    TTD Grah : The site will not pop up everytime you go online.
    I'm not even sure that makes any sense. Charter sounds like they never even told their employees what the new system was about and this guy is just making it up/quickly skimming some brochure while he's chatting. Thankfully Charter is not available where I live, however I'll bet ya this will be standard operating procedure here soon.
  • Re:Call to arms? (Score:3, Interesting)

    by gstoddart ( 321705 ) on Tuesday May 13, 2008 @06:38PM (#23396994) Homepage

    So does that mean that rogers.com is already wiretapping its customers in Canada?

    Well, our Privacy Commissioner is wondering that [zeropaid.com].

    Cheers
  • by Anonymous Coward on Tuesday May 13, 2008 @07:14PM (#23397378)

    According to your stance, the end user doesn't have the right to modify your HTML from what was intended.
    Sure they do. End users are protected by the fact that they are modifying the HTML for personal, non-commercial use. In other words: fair use protects the end user's right to do what they want to the HTML that reaches their machine, as long as they don't modify it for commercial use and don't redistribute the modified work without authorization.

    This, ironically, is the same exact stance that internet marketing companies take when confronted with browser plug-ins that effectively remove their code. Unfortunately for us, we can't have it both ways. Either we are allowed to alter how the packets are rendered, allowing us them to inject into packets due to powers granted them by their user terms and conditions, or they cannot - setting a precedent that would open the floodgates to client side packet altering and rendering changes.
    Again, the end user is protected by fair use. The ISP is not. The ISP is in flagrant violation; they are modifying the work and then redistributing that modified work, and they are doing it for commercial purposes.

    Another point of argument they are going to make is that they aren't messing with your copyrighted web pages because they aren't distributing it without permission. When a user makes a request for your page, and your server fulfills that request, you have distributed the materials yourself. They are merely making a "derivative work" from that material.
    Sure, they have permission to distribute it as the server hands it to them. But they don't have permission to make an unauthorized derivative work from it and make a profit off it. The fact that they make the modifications without informing the end user on the page with a big "this page has been modified by Scummy ISP, Inc" makes it that much more willful and evil, and likely increases damages should anyone actually take this to court.

    IANAL, I am not a copyright expert, etc.

  • by scoove ( 71173 ) on Tuesday May 13, 2008 @07:20PM (#23397422)
    With the "deep packet inspection" technologies, conceivably ISPs can just replace, in real-time, our Google AdSense publisher IDs with their own.

    Increasingly, I'd expect https sessions will be necessary for sites with any form of confidential information - not just sites with more sensitive financial, social security or other higher sensitivity levels. Consider that the ISPs are leveraging confidential session information to exploit the web sessions elsewhere. ISPs are also harvesting web traffic data and selling it to others for data mining utility. As a visitor to google, yahoo, whatever, my identity and usage is confidential information of financial value. It's time encapsulation and encryption be utilized by these firms to protect that information - otherwise they'll see further encroachment and loss of revenue due to this technique.

    I do find it reprehensible that any ISP would violate the integrity of traffic I've requested from its source. It's a sense of forgery through a MITM activity I have not consented to (oh I'm sure they'll put that language in my contract so that I do consent, but you get the point).
  • by Irish_Samurai ( 224931 ) on Tuesday May 13, 2008 @07:46PM (#23397624)
    Well, the stance that the ISP is going to take is that they are acting as an agent of the user through rights granted to them in the services agreement. The ISP is exercising those rights when the packets hit their network. They are working under the auspice that since the user has rights to alter how the copyrighted material is rendered, they can transfer those rights to ISP.

    The ISP is making a second assumption, and this is the crux of the argument, that there is no material difference between changing how the HTML is rendered on the actual client and having the materials to be rendered changed slightly upstream on the ISP's network. Since the service agreement gives the ISP the ability to act as the end user's agent in this matter, they will argue they are offering a service to the end user by proactively changing packets in a manner allowed them.

    The service agreement says something to the effect of "since I am using your service I also state that I would like more commercials." If an end user so chose to, they could literally insert code on their client that would serve them ads in any web page they viewed. This would be within their fair use rights, roughly the same as me choosing to put coupon pamphlets in between pages of a book I bought and am going to read. The ISP is arguing that this fair use right is transferred to them through agreement and they are just exercising this fair use as an agent of the end user.

    It's a lot of bullshittery, but they may be able to pull it off under the auspice of fair use.
  • Re:Scummy ISPs (Score:5, Interesting)

    by marnues ( 906739 ) on Tuesday May 13, 2008 @08:07PM (#23397780)
    I currently work for a cable company that is setting up this same kind of system. The only people that know what ads are being replaced are the people controlling the ad server, which is not the ISP. We (the ISP) are being paid to set up a black box that we will route ALL port 80 traffic through. Unless you opt out, which I'm not even sure will work properly. So the ad people can be doing all kinds of things with that data. Granted, they can't link the IP Address to a customer since they have no access to our provisioning server (and I'm pretty certain every last one of us Systems Engineers would quit before allowing that to happen). But they can be doing whatever they want with that traffic and we are none the wiser. It's such a black box, the ad company does all the monitoring on the black box. We are apparently the only company that even requested that we be allowed to monitor up/down and traffic status. The real problem is that we are setting up this extra router (it is another layer 3 hop) that also acts as a server and will delay any port 80 traffic. And we're pretty much allowing them full access to do as they will with the hostage packets. We're not checking. And if someone isn't happy with what their site looks like, we'll probably just route that one around the server, still pushing everything else through. I hope Google employees are checking their AdSense images to make sure that ads are actually from Google and that they are paying Google. As shady as this whole thing is, I expect that we will have legit ads removed, but leave the 'src' of the 'img' tag.
  • by Boogaroo ( 604901 ) on Tuesday May 13, 2008 @10:44PM (#23398686) Homepage

    http://connect.charter.com/landing/op1.html

    Can I choose to opt out of this enhanced service?
    Yes. As our valued customer, we want you to be in complete control of your online experience. If you wish to opt out of the enhanced service we are offering, you may do so at any time by visiting www.charter.com/onlineprivacy and following our easy to use opt-out feature. To opt out, it is necessary to install a standard opt-out cookie on your computer. If you delete the opt-out cookie, or if you change computers or web browsers, you will need to opt out again.

    Nice! The link mentioned in the Opt-Out section isn't even a link, you have to copy/paste it!
    They've done every little stinking petty thing to make this just a little bit harder for people to opt out of it.

    And, it's a cookie! You use Firefox and opt out, OK (assuming you even keep cookies!). Your roommate/spouse/family uses another browser? Guess what, they have to opt out too. And if you regularly clean out cookies, you need to go back and re-opt out.

    No way to opt out at the subscriber level. Geez.
  • by Pikoro ( 844299 ) <{hs.tini} {ta} {tini}> on Tuesday May 13, 2008 @11:59PM (#23399056) Homepage Journal
    "They are not interfering with your data. What they are doing is interfering with their subscriber's requested copy of that data. Their subscriber has the right to render the requested HTML in any way they see fit."

    The difference here is that the end user is deciding how the html will be _rendered_, which is not in any way altering the packets themselves. The ISP should not have the right to manipulate the data coming into my browser. When the ISP does that, they are taking the choice out of the user's hands.

    To use your book analogy, the bookstore is altering the book and selling it to you without letting you know what changes have been made.
  • Re:Scummy ISPs (Score:4, Interesting)

    by arminw ( 717974 ) on Wednesday May 14, 2008 @12:27AM (#23399168)
    ....Can someone tell me whether Charter is inserting any ads?....

    If an ISP or a phone company monitors the content of a transmission, don't they become responsible for the content? Does that mean they no longer enjoy protection from lawsuits as carriers of information have had all these years? If someone plans a crime using the phone, the phone company is not held responsible, since they don't monitor the conversation. They only provide the channel.

    If an ISP DOES monitor the information, they are doing more than providing merely a channel and could theoretically be held responsible for all content that traverses their lines. If that actually happened, ISPs would quickly back off from such hare-brained content inspection and modification schemes. Maybe some rich person can hire an army of lawyers to sue an ISP for allowing forbidden porn to traverse their network. Maybe, even a state attorney can try to make a name for himself.
  • Opt-out? (Score:4, Interesting)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Wednesday May 14, 2008 @02:08AM (#23399606) Journal

    JUST SAY NO to ISPs that do this shit to you and don't give you at least an opt-out from it.
    "Just saying no" may not be enough. This is a bit like the pharmaceutical industry -- nothing is stopping you from selling whatever herbal remedies you like, but at the very least, you have to include an FDA warning that it's not really medicine.

    Oh, and they do offer an "opt-out" -- in the form of a website that you have to visit in the clear (no https), and fill in your information, resulting in... a cookie.

    Which means that you now have to make sure to opt-out in every browser you ever use, including wget and lynx. Anything which doesn't support cookies is fucked. In particular, not everyone uses XML for AJAX -- some people use XHTML for their web services. And not all web service clients are browsers that you can stick cookies in.

    And, for that matter, how are they checking the cookie? Only way I can think of would be to insert some sort of hidden iframe on every page, linking to their domain, which can then check the cookie. Therefore, even if the cookie is present in every appropriate HTTP request, they're still having to fuck with most of the internet to even be able to check that cookie.

    So, to summarize: They offer "opt-out", but not really. And support net neutrality legislation.
