Charter Is Latest ISP To Plan Wiretapping Via DPI 309
Charter Communications has begun sending letters to its customers informing them that, in the name of an "enhanced user experience," it will begin spying on their traffic and inserting targeted ads. This sounds almost indistinguishable from what Phorm proposed doing in the UK. Lauren Weinstein issues a call to arms.
Re:Scummy ISPs (Score:5, Interesting)
Can someone tell me whether Charter is inserting any ads? If they are, I want to complain to the Attorney General and to my CongressCritters about felony copyright infringement.
Re:Scummy ISPs (Score:5, Interesting)
Now or Never (Score:5, Interesting)
Some things call for the proverbial nuclear response: boycotts, lawsuits, all-out opposition. This is one of them. Once one of these corporations gets away with this, it's game over for those of us who want a corner of our lives that doesn't have some lying prick forcing his way into it to sell us something, spin the information we get and otherwise screw with our reality in a way that works to somebody else's advantage at our expense.
Maybe? (Score:1, Interesting)
Re:Call to arms? (Score:1, Interesting)
Re:Scummy ISPs (Score:5, Interesting)
I should hope at some point, that very theory will get tested in court.
Agree completely that for an ISP to change to contents of a page I request from a 3rd party is just plain wrong. What next, redirecting you from URLs critical of them onto URLs which sing their praises? Preventing you from reading about the services of competitors?
Modifying the requested data is way too invasive, but it seems to be consistent with the whole strategy of "monetizing what your customers do". What you want is irrelevant, you're just a revenue stream.
As has been said so often, I hope things like this cause the networks to lose anything resembling common carrier status -- right now, they're just a network, so whatever you send it up to you.
Cheers
Two things... (Score:4, Interesting)
Second, how is this any different than Google? They track my online activity then target me with ads that I might find interesting. Am I even given the option to opt out of Google ads? (serious questions, not flame-baiting)
Re:Call to arms? (Score:5, Interesting)
OK, let's cut out the middle man here, and go straight to what Charter is saying [charter.com]:
Translated
So, tell me, how exactly is reading my packets that much different from "spying" on me? I expect my phone carrier to not listen to my calls to decide what inserts they should put into my next bill, because telcos are supposed to have an arms length relationship with your data.
This is not nearly as inflammatory and knee-jerk as you make it out to be. They actually are reading what you do.
And, for the record, it can't be "completely anonymous" if they know to put it into my web-page. They may claim that they can't tie it to you, but, if they know to give you an ad for Depends Undergarments, at some point, they decided that you needed to receive that targeted ad.
Cheers
Plugin, or perhaps a signing routine? (Score:3, Interesting)
Then, on high volume servers that are not needing the security of SSL, the core HTML page that gets to the client can be verified (using the client's CPU time) if it was modified in transit, without the server needing to spend the CPU time for SSL's overhead. If the HTML doesn't match, then offer the user a mechanism to browse the site entirely using SSL.
The only issue is for dynamic content that can't be cached, this will add a cryptographic signing step for each page.
An example:
Someone browses www.foo.com
the webserver at foo.com grabs index.html, signs it with www.foo.com's SSL key, saves the signature in a cache that is reset if someone legitimately edits index.html on the server, then sends the web browser index.html and after that, index.html's signature, perhaps in OpenPGP format. After the first signing, all the webserver is doing is sending two files (index.html and the cached signature.)
The web browser compared the received index.html to the signature, and alerts the user if it was tampered with.
As for my stuff, for low volume web servers such as my home domain, I just automatically redirect the user to the SSL server, because that stops this problem cold. If an ISP is able to intercept SSL traffic, (especially with an EV certificate), they are so advanced at crypto, they deserve to be able to insert ads.
I have a feeling that it will only be a matter of time before not just ISPs that people are subscribed on, but large volume peering nodes will try their hand at inserting ads, so might as well just force as much traffic to SSL whenever possible now, although for high volume sites, this is far easier said than done.
Re:Sounds Like... (Score:3, Interesting)
Re:Scummy ISPs (Score:5, Interesting)
Corruption detection scripts [washington.edu]
Three answers... (Score:4, Interesting)
(2a) Google tracks my online activity when I'm not using Google's servers?
(2b) Charter pays the site that's getting their "deep inspection" ads inserted?
SSL and HTTPS (Score:4, Interesting)
Re:Scummy ISPs (Score:5, Interesting)
Actually, no it doesn't. Not without permission. From what I recall reading about this a couple of weeks ago in a very similar discussion (subtle way of saying "I think this story is a dupe"), if I understand what is being done correctly, there are two parts to this:
There's a specific ad provider that is involved with this, and that ad provider agrees to allow the local ISP to replace its ads with more targeted ads in exchange for a portion of the resulting ad revenue. The ad replacement, therefore, is authorized by the ad provider, who in turn is authorized by prior agreement with the website publisher.
The dirty part is the deep packet inspection, not the modification of the data stream. Attacking the latter to try to stop the former is likely to get you nowhere.
Re:You can opt out... (Score:5, Interesting)
One wonders how easy it would be to make an FF plugin to just replicate the cookie content.
Re:My Conversation with Charter (Score:2, Interesting)
TTD Grah : That is how it works.
TTD Grah : That is how it works.
TTD Grah : The site will not pop up everytime you go online.
Re:Call to arms? (Score:3, Interesting)
Well, our Privacy Commissioner is wondering that [zeropaid.com].
Cheers
Re:This is what they are going to argue. (Score:2, Interesting)
IANAL, I am not a copyright expert, etc.
Re:A threat to every publisher who uses AdSense, e (Score:3, Interesting)
Increasingly, I'd expect https sessions will be necessary for sites with any form of confidential information - not just sites with more sensitive financial, social security or other higher sensitivity levels. Consider that the ISPs are leveraging confidential session information to exploit the web sessions elsewhere. ISPs are also harvesting web traffic data and selling it to others for data mining utility. As a visitor to google, yahoo, whatever, my identity and usage is confidential information of financial value. It's time encapsulation and encryption be utilized by these firms to protect that information - otherwise they'll see further encroachment and loss of revenue due to this technique.
I do find it reprehensible that any ISP would violate the integrity of traffic I've requested from its source. It's a sense of forgery through a MITM activity I have not consented to (oh I'm sure they'll put that language in my contract so that I do consent, but you get the point).
Re:Not so bad in the long run (Score:3, Interesting)
The ISP is making a second assumption, and this is the crux of the argument, that there is no material difference between changing how the HTML is rendered on the actual client and having the materials to be rendered changed slightly upstream on the ISP's network. Since the service agreement gives the ISP the ability to act as the end users agent in this matter, they will argue they are offering a service to the end user by pro actively changing packets in a manner allowed them.
The service agreement says something to the effect of "since I am using your service I also state that I would like more commercials." If an end user so chose to, they could literally insert code on their client that would serve them ads in any web page they viewed. This would be within their fair use rights, roughly the same as me choosing to put coupon pamphlets in between pages of a book I bought and am going to read. The ISP is arguing that this fair use right is transfered to them through agreement and they are just exercising this fair use as an agent of the end user.
Its a lot of bullshittery, but they may be able to pull it off under the auspice of fair use.
Re:Scummy ISPs (Score:5, Interesting)
Re:"Customer Care" Response (Score:3, Interesting)
Nice! The link mentioned in the Opt-Out section isn't even a link, you have to copy/paste it!
They've done every little stinking petty thing to make this just a little bit harder for people to opt out of it.
And, it's a cookie! You use Firefox and opt out, ok(assuming you even keep cookies!). Your roommate/spouse/family uses another browser? Guess what, they have to opt out too. And if you regularly clean out cookies, you need to go back and re-opt out.
No way to opt out at the subscriber level. Geez.
Re:This is what they are going to argue. (Score:2, Interesting)
The difference here is that the end user is deciding how the html will be _rendered_, which is not in any way altering the packets themselves. The ISP should not have the right to manipulate the data coming into my browser. When the ISP does that, they are taking the choice out of the user's hands.
To use your book analogy, the bookstore is altering the book and selling it to you without letting you know what changes have been made.
Re:Scummy ISPs (Score:4, Interesting)
If an ISP or a phone company monitors the content of a transmission, don't they become responsible for the content? Does that mean they are no longer enjoy protection from lawsuits as carriers of information have had all these years? If someone plans a crime using the phone, the phone company is not held responsible, since they don't monitor the conversation. They only provide the channel.
If an ISP DOES monitor the information, they are doing more than providing merely a channel and could theoretically be held responsible for all content that traverses their lines. If that actually happened, ISPs would quickly back off from such hare-brained content inspection and modification schemes. Maybe some rich person can hire an army of lawyers to sue an ISP for allowing forbidden porn traverse their network. Maybe, even a state attorney can try to make a name for himself.
Opt-out? (Score:4, Interesting)
Oh, and they do offer an "opt-out" -- in the form of a website that you have to visit in the clear (no https), and fill in your information, resulting in... a cookie.
Which means that you now have to make sure to opt-out in every browser you ever use, including wget and lynx. Anything which doesn't support cookies is fucked. In particular, not everyone uses XML for AJAX -- some people use XHTML for their web services. And not all web service clients are browsers that you can stick cookies in.
And, for that matter, how are they checking the cookie? Only way I can think of would be to insert some sort of hidden iframe on every page, linking to their domain, which can then check the cookie. Therefore, even if the cookie is present in every appropriate HTTP request, they're still having to fuck with most of the internet to even be able to check that cookie.
So, to summarize: They offer "opt-out", but not really. And support net neutrality legislation.