ISP Inserting Content Into Users' Webpages

geekmansworld, among other readers, lets us know that the Canadian ISP Rogers is inserting data into the HTTP streams returned by the Web sites requested by its customers. According to a CBC article, Rogers admits to modifying customers' HTTP data, but says they are merely "trying different things" and testing the customer response.

Read between the lines

replace "trying different things" with "seeing what we can get away with" and your closer to the truth

Re:Read between the lines

And if after hours, a man puts his wii-wii in the mayonaise jar at the restaurant where he works, that's just experimenting too, to see how the customer will react.

Re:Read between the lines

Dude, I served my sentence and paid my debt to society ... it's not fair for you to keep bringing this up.

Re:Read between the lines

Actually, I think he's referring to a line whose origin I can't recall, which states something like that you will understand life much better when the only meaning of "fair/fare" you know is something you pay to ride a bus.

Re:Read between the lines

In other, unrelated news, alx5000 has been reported to have blown up a dozen Government buildings in the last 24 hours. When inquired about these events, alx5000 said to admit to modifying governmental property, but remarked he is merely "trying different things" and testing the Government response.

Re:Read between the lines

The Onion already did that. [theonion.com]

Re:Read between the lines

This could open up a whole bunch of "but I didn't download that" claims when users are caught with dubious material. They could claim that their ISP modified their download streams and point (at least some of) the blame toward the ISP.

It's all a little dubious if you ask me. I always knew it was possible to fiddle with the stream, but I didn't think anyone would bother because it could possibly break a lot of pages that are held together with fragile HTML-fu.

Re:I don't think so.

1. ISP inserts banner ads.

2. Said banner ad space is sold to an company that sells it to the highest bidder.

3. Highest bidder is a malware filled porn site.

4. Banner ad fills your IE cache with goat porn that you've never viewed. Then it seduces your goat.

5. Do not pass Go, do not collect $200.

Re:I don't think so.

5. Do not pass Go, do not collect $200.

6. Do not drop the soap.

Re:I don't think so.

First, IANAL. I was raised in a law enforcement home and one of my best buddies is a lawyer, so I like to think about this stuff. What I find interesting is the legal defence issue. Evidence requires a chain of custody or it is just "some stuff we found somewhere". When the ISP tampers with the stream, they provide any defendant with proof positive that it is possible that the defendant had nothing to do with whatever it is that has the prosecutor's panties in a knot. The "tree" (internet connection) is tainted and thus it is NOT possible to prove anything except that the defendants connection was compromised. You could wear a jury out questioning every person that worked for the ISP, regardless of their position... when you have no proof you go fishing for doubt. Does someone at the ISP know someone at the prosecutor's office? That's doubt. Was the customer ever rude or mean to an ISP employee? Sounds like revenge... On and on you could go.

Re:I don't think so.

Was the customer ever rude or mean to an ISP employee? Sounds like revenge... On and on you could go.

Excellent, a new reason to bite the head off of the customer service reps!

Re:I don't think so.

But while such garbage might be annoying, it's unlikely it would be illegal content.

You're surfing on a public computer in Iran.... a popup displays showing hardcore gay sex and red blinking text says CLICK FOR FREE GAY PORN!

Re:I don't think so.

I really don't think that ISPs are going to "insert" kiddie porn, "illegal" music or movies, or "terrorist" content in your Web page requests

You're almost certainly correct, if by "ISPs" you mean the decision makers of the ISPs, and therefore the official policies thereof.

However, what this does is fundamentally change the way they run their network thereby opening up massive vulnerabilities.

Before they decided to make it their official policy to engage in the mass of unethical behaviors this exhibits, in order to insert goat porn, or the like, into a client's browser a disgruntled employee would haver to jump through a mass of hoops (assuming they ever had any working network monitoring tools).

Now, though, since this fraudulent activity is part of their official corporate policy and therefore necessarily of their infrastructure, all it takes is changing some text which is designed to be easily modified.

That's the fundamental problem with this policy. Creating a method for potentially malicious people to insert unwanted content into the browsers of their own customers *is* the entirety of the policy.
I doubt many people think that "goat porn for the masses" is the goal of Rogers, but they are going way out of their way to make sure that doing exactly that is trivial.

I absolutely hope somebody pulls that argument and wins though, because this absolutely creates more than enough reasonable doubt.

"But we didn't put that pic of two year olds fucking on his computer"...

"Oh yeah? You created a process designed for the purpose of manipulating content and creating forgeries of web sites with deliberately falsified content in violation of every standard practice, every commonly sensible idea and every relevant ethical principle. Prove absolutely that each and every one of your employees was entirely uninvolved with this particular case, when you've spent so much time and effort ensuring that it would not only be possible, but trivial."

It's not that Rogers has a plan for gross porn distribution, it's that they've created a means, a method and a process for doing exactly that with few if any possible legitimate uses.

Re:Read between the lines

It's all a little dubious if you ask me. I always knew it was possible to fiddle with the stream, but I didn't think anyone would bother because it could possibly break a lot of pages that are held together with fragile HTML-fu.

This is not just a bit dubious, it is plain and simple copyright infringement on a massive scale.

The owner of the web site is creating a data stream, which will 99.99% of the time be copyrighted. Even if the web site owner doesn't own the copyright or has permission to use some copyrighted work, it is still copyrighted by someone else. Modifying the page creates a new derived work. If you create a derived work without permission of the copyright owner, you commit copyright infringement.

Re:Read between the lines

This is interesting, because the telecommunications companies long ago ran with the "I can't control what goes over my wires" defense when the governments of various nations wanted to punish them as an accessory to crimes committed via the wires. The phone made it easier for V. and L. to conspire to murder T. The phone company claimed that it could not monitor and control every call and so the common carrier defense arose.

Now, however, there is the demonstrated ability to monitor and control and perhaps the common carrier denotation is what is being tossed aside in the pursuit of the last nickel. What is an ISP to argue when faced with copyright allegations? They can monitor the traffic to sell targeted ads but can't tell the when an illegal MP3 is being downloaded? That might not fly in a courtroom. Wouldn't the temptation to try to sell the user a similar song be too tempting to pass up? Or maybe the judge or jury doesn't get that there is a technology barrier and figures if the ISP can monitor one they can monitor them all.

How about a political move like enforcing a completely non-encrypted internet to monitor for kiddie porn? All encrypted packets could be criminalized - except to "authorized sites" like your bank.

What about the copyright on the page being mangled? I liken this type of technology as a form of vandalism, or perhaps and unauthorized derivative work. How would this be different than Amazon reprinting a Harry Potter book on demand and inserting hundreds of ads? Maybe those ads would be targeted to text on a facing page so that you'd get an advertisement for cleaning supplies every time the Nimbus 2000 flying broom was mentioned, or pet supplies every time one of the owls was mentioned. How about the death scene with Dumbledor opposite some funeral home ad?

What about anticompetitive actions? The ISP could redirect or replace traffic with that of a competitor's product. I'm sure some companies would be delighted to ensure that no one every hears of Brand-X again. How could this type of control and monitoring be used to prevent the accurate discussion of topics? AT&T is a backbone ISP and has been shown to be a good bit lax when it comes to protecting the data it carries. Could a large company or government change the internet by use of this technology to stop dissent?

The abuse potential is huge.

Then what about the privacy issues with reading every packet? Gee, Mr. Smith, why were you searching for pipes, fertilizer, and biodiesel last month?

Re:Read between the lines

I may not have a lot of money but Google has plenty. I suspect that they'll take exception to Rogers fiddling with their carefully designed home page - a page where simplicity and a clean layout are defining characteristics.

I also suspect that there's a copyright claim here somewhere. If Rogers took Google's home page and modified it then that's a derived work which they would have to have Google's permission to distribute.

What's the problem?

Let's get rational for a second here; the ISP is trying to inform you you're reaching your limit, so you don't overshoot it and start having to pay extra. Lets put arguments about limits aside (after all, you've agreed to a contract involving limits). It's in their interests _not_ to inform you, as you'd have to start paying them extra. But they're trying to find a more pervasive way of letting you know. How else can they do it? Via email? They'd just send it to the email address they provide you with. Who really uses isp-provided email these days? it's all webmail, so they need some window to get through to you, and maybe http is that window.

Re:What's the problem?

How else can they do it? Via email? They'd just send it to the email address they provide you with. Who really uses isp-provided email these days? it's all webmail, so they need some window to get through to you, and maybe http is that window.

Or maybe, just maybe, they could ask you for your regular email when you sign up. This is not rocket science. There is no excuse for an ISP to be arbitrarily modifying the content of a subscriber's traffic.

Re:What's the problem?

You trust your ISP enough to give them your actual email address? You, sir or madam, are a braver soul than I.

You also give them your physical street address to have the service hooked up, and every month a small piece of paper containing your checking account's account number and bank routing number. In America, they probably got your social security number too.

I'm really not afraid of what they're going to do with email compared to all of that.

Re:What's the problem?

that software is very evil

Yes. Imagine a world in which China/Bush's America/Hillary's America no longer censors the web but subtly modifies it instead. Maybe with the cooperation of Yahoo et al. All power inevitably becomes abused. What good is freedom of expression if you can't be sure your expression is your own?

Re:What's the problem?

the problem is going to be that modifying the http stream will break web applications and some secure sessions. it'll become even more of a problem as time progresses.

imho they are creating a solution to a problem that doesn't exist. there's 1000's of widgets out there they could tune to give you an almost real time view of your quota, building their own an interfering with your http traffic is not a good solution.

Re:What's the problem?

Let's get rational for a second here; the ISP is trying to inform you you're reaching your limit, so you don't overshoot it and start having to pay extra

If that was the case... then the ISP can simply redirect all external requests to an internal page informing you as such... if for some odd reason they didn't want to use e-mail. In fact... some a local wi-max provider does just that in the event your account is overdue... a simple "you own us money" in between browsing session and poof gone.

My data on Rogers and Shaw is dated the last I checked they didn't meter. Even if they did meter odds are you're not going to go over your limit surfing the web so any injected web based waring isn't going to be that useful.

Redirection on the other hand... not so bad.

Re:What's the problem?

I am a Rogers customer right now because I am slightly out of the range of a DSL provider. My connection was erratic especially on torrents didn't matter what kind and where from. Suspicious I got a copy of Wireshark and monitored the traffic, all the packets going out appeared to be ok but all the returning packets on my torrent port were corrupted (CRC error), I brought this to their attention and they said the problem didn't exist. I told them to let their NOC know about this and they refused, they told me to send it to the general email box on their help page.

They say they are testing the waters and they are. Are they testing a way to notify people of their account or are they trying to get people comfortable with them throwing up messages on your screen while you surf? As far as I'm concerned I will cancel and go without rather than putting up with this garbage. As far as I'm concerned the only right they have is to give me the service I'm paying for. As you can probably tell I really just don't trust this company, they don't do their job very well and expect me to put up with it, as far as I'm concerned I will fight this every inch.

pcapdiff is your new friend

After the Comcast bittorrent interference, the Electronic Freedom Foundation released a tool called pcapdiff [eff.org]. The idea is you capture what your ISP sends you for a given website using wireshark/tcpdump and compare it to what your friend gets for the same site. Pcapdiff diffs the two pcap files and reports discrepencies.

On Fedora you can do "yum install pcapdiff".

It's an early release, but there's bound to be a lot more uses for pcapdiff ahead...

Re:What's the problem?

Let's get rational for a second here; the ISP is trying to inform you you're reaching your limit

... as well as taking the opportunity to inject advertising in the page.

Don't believe it? Take a look a the screenshot. When was the last time you saw the Yahoo! logo on Google's homepage?

Re:What's the problem?

The ISP is clearly partnered with Yahoo, just like AT&T is in the US. So the service is called Rogers Yahoo High Speed Internet. It's not an ad, it's their logo.

Trying different things...

In other news, a mad internet subscriber broke into the headquarters of a Canadian ISP called Rogers. Upon entering, he hit shot two techs, broke 3 servers with a sledgehammer and then proceeded to start a fire in the CEO's office. Upon being apprehended by police, he was let go after informing them that he meant no harm and was just trying some different things to see how the company would react.

No problem as used in this case

It seems that the customer would be less unhappy about a warning that he is about to reach a bandwidth cap, page modifications and all, than just get a thousand dollar bill out of the blue. There is no set mechanism for the ISP to communicate with the customer over Internet, so creating one might be justifiable in this case. Write again when a (non-free) ISP injects ads or blocks competitor's websites.

Re:No problem as used in this case

It seems that the customer would be less unhappy about a warning that he is about to reach a bandwidth cap, page modifications and all, than just get a thousand dollar bill out of the blue. There is no set mechanism for the ISP to communicate with the customer over Internet, so creating one might be justifiable in this case.

There is a set mechanism: email. And if that's not sufficient they could easily write a little app to provided notification that could be run by users who are worried about exceeding their limit. There is no need for what they are doing. In fact what they are doing is probably copyright infringement: they are creating and distributing a derived work (the modified page) without the author's permission.

Copyright infringement

Copyright infringement, I like it.

Even better, the CBC article concludes with a reference to the Telecommunications Act, which states that "a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public."

Rogers has a long history of playing as dirty as it can get away with. If the old pattern repeats as before, Canadian regulators will respond and Rogers will be forced to back down, leaving everyone -- regulators, investors, competitors, consumers -- slightly more pissed off with it than before.

Neveryoumind...

According to a CBC article, Rogers admits to modifying customers' HTTP data, but says they are merely "trying different things" and testing the customer response.

Oh, well, that's ok then, if you are only trying different...HEY! Wait a minute! You can't do that. Why, I oughta....

Oblig xkcd

Are they doing that with Oven Mitts [xkcd.com]? No?! Lame....

Hey Rogers!

I got your "customer response" right here.

Seriously, when it becomes acceptable for the phone company to break into my conversation with "Did you know that Geico can save you ton of money on car insurance?" then my ISP can screw around with my Web pages. Otherwise, get your sticky paws OFF me, you damn dirty apes.

Might not be your ISP

That is to say, this is a case of your ISP using packet modification to insert code into your HTTP stream, but it doesn't have to be so innocuous. It's quite possible that someone who has hacked into your ISP could do the same thing.. and not just to HTTP streams, but any TCP stream. Downloaded any executables lately? Its quite possible that a hacker could have intercepted any packet that begins with "MZ", has a non-zero value at offset 0x3c which contains a 4 byte offset into the packet that has "PE" at it. There's a windows binary, let's change the bytes at the entrypoint to do something malicious.

SSL is your friend.

If only we could get IPSEC happening.

Didn't we just talk about this?

It seems we just had a story that talked about Rogers.
Will ISP Web Content Filtering Continue To Grow? [slashdot.org]

(No, this one words it differently. -- Inserted by your friends at the NSA)

You've been rogered.

I propose turning their company name into a verb, "roger", which means to manipulate internet data without the receiver's permission. Everytime you exclaim, "I've been rogered!" or "They rogered my data!" the Rogers company name will hold on to its well-earned place in history. And yes, "roger" already means something else quite similar. With either definition, something is being inserted where it probably shouldn't go.

Re:You've been rogered.

As in, "you've just been Rogered arseways by your ISP?"

Re:You've been rogered.

You may not know this, but "Rogers" is already synonymous with "taking it up the arse" up here in Canada. After all, who else charges $210/month for 500MB of wireless data transfer? Or creates a 3G broadband network but refuses to allow actual 3G phones to access it (restricting you to this huge BRICK of a wireless "modem" they provide you)? Or raising their prices almost 30% in the last 2 years?

I just wish someone like Google or Microsoft sues Rogers into oblivion for this crap. I'm pretty sure impersonating another corporation's official communications (loading the Google homepage, for example) is fraud.

I have not experienced this

I am a Rogers [V1AGR4] customer, and I [MORTGAGE RATES FALL AGAIN!] think you're all just overreacting [VISTA - THE BEST WINDOWS YET!].

Now let's have no more talk about this bizarre coverup.

Getting away with murder

So.... why aren't there any high profile lawsuits against Rogers yet?

First they throttle BitTorrent traffic. Then, when BitTorrent users encrypted their connections, all encrypted traffic was throttled, making VPN connections unbearably slow.

The only reason I can think of that they're getting away with this is that...uh...people in Ontario don't telecommute at all?

Why is everybody letting Rogers get away with these shenanigans? Rogers' practises must be costing some business users serious money. I simply don't understand.

Okay, I know...

This is a dupe, but it's worth commenting on.

The fundamental problem I see with this is that the ISP is changing the content of webpages to suit their own interests. There are a myriad of problems here, regardless of whether or not the customer accepts it:

1. Copyright law: technically, the modified web page is a derived work. The ISP can now be held liable for copyright infringement if, say, Google, or the New York Times objects. The potential revenues sinkhole from copyright litigators is far greater than what any ISP could bear.
2. There are ethical problems with an ISP artificially inflating the size of webpages, especially if they charge for the bandwidth.
3. This smacks of 1984-esque censorship. Once it becomes commonplace for an ISP to change a web page, how long before government uses this for nefarious purposes.
4. Consider how the above may be abused: a political rival logs onto Google, and the ISP replaces the normal content with child porn. Enter the police and 10 to 20 years in prison...
5. If I can't trust my ISP to deliver an unmodified webpage, the only alternative is to use https for everything. While I'm personally favorable to such a thing, I realize it will disenfranchize a lot of part time and small time web operators who don't have the sophistication to setup an https server properly. Thus, one of the great egalitarian aspects of the web dies.

In light of the fact that a certain ISP blocked access to union websites, this is an alarming event indeed. Democracy depends on the free flow of information, and I'm thinking that it might be appropriate to make such a practice illegal, if only for the sake of preserving democracy. It will first be used for commercial gain, and later, leveraged as a political tool.

common carrier

What a really stupid thing to do. Never mind that it's unethical, they just lost their common-carrier status. Now the RIAA can sue them for contributory infringement ;-)

At least, that's my understanding of it - ISPs and postal services are legally "common carriers", i.e. they just deliver stuff; they aren't responsible for any legal ramifications of what they deliver. Eg the post service isn't liable if someone mails a forged cheque. BUT...if they demonstrate that they control, inspect, and modify what they are delivering, they might just be liable when someone uses their network to commit fraud.

Web Servers can detect this...

See this old Slashdot article [slashdot.org] on how servers can detect such modifications when they happen by using a bit of Javascript as an integrity checker.

(Disclaimer, I'm one of the authors of the work)

Yep.

And I wonder how many times they're going to insert this story into Slashdot.

Web sites need to enable HTTPS properly

Web sites need to enable HTTPS properly over their entire site. Then your ISP can do nothing more than just prevent the secure connection from being established. And if they do that, they break all kinds of stuff like shopping checkout and access to bank accounts.

Right now, Slashdot's own HTTPS URL [slashdot.org] just redirects to the HTTP URL. This needs to be changed to just leave things in the HTTPS mode. Eventually this should be changed so that HTTP redirects to HTTPS. Google [google.com] does the same boneheaded redirection.

Well I have a thing or two to say about that

As much as I don't like Canada, the totally awesome Rogers ISP is not doing something wrong here. Thats all I have to say. PS, buy a Playstation 3 at 20% off by mentioning the code ROGERS ISP ROCKS at your local S-mart

Does HTML 5 have a provision for checksums?

Looks like it should. We probably also need a new standard for lightly encrypted pages. Light enough to not put undue strain on the server but heavy enough to make it impractical to modify pages on the fly.

Correct Title...

ISPs commit copyright violation by delivering unauthorized derivative works.

Title is wrong; what else is wrong?

Rogers are clearly not inserting content into users' web pages, as the title claims. They are inserting content into pages viewed by users.

So I have little faith in the claim that they are "intercepting http." What is more likely is that the default proxy server they provide is inserting the content. While it may make little difference to the average user, as the "normal" setup uses the proxy, it seems to me that there's a huge difference between supplying a proxy and intercepting and manipulating http traffic; that is, hijacking TCP port 80. The proxy I can easily avoid by using a direct connection to the internet; TCP hijacking, I can't.

Rogers has a history, and I have unresolved anger.

Ted Rogers is like a mini-Gates of the Toronto region.

"The little cable company that could." They practically invented negative billing, starting their reign of aggravating barely-legal business practice as far back as the early 80's with the stupid bundling of the new pay-channels. They successfully lobbied to crack open the Bell monopoly so that they could compete on the phone market. Everybody believed their bullshit campaign and as a result, everybody pays many times more for phone service which has fallen from one which was affordable and which worked hard-core in favor of the consumer, (if Bell tried to screw you around, a quick call to the CRTC, and they'd be nodding yes-sir to you. Monopolies are great in this way because the public can very easily punish them through government pressure to do the right thing if they start getting greedy and evil), --phone service through bell and all the competitors has since devolved into a system which is now expensive, punitive, crappy and generally mean-spirited, (all contrary to the whole 'competition breeds excellence' meme which should be obvious for the falsehood that it is to anybody with a brain but which somehow remains an elusive truth; I blame the same American ideological propaganda which has landed us in Iraq and which is responsible for rolling black-outs and for people whose lives suck because they can't afford medical insurance. Thanks, guys! Keep on championing the lie while you take it in the rear.) (Ahem. Did I say all of that out loud? DO pardon me.)

Anyway. . .

Rogers argued that it had the right to use Bell's cable system because it had been built in part with public money, and then they turned around and refused to share its own cable system because they claim to have made it with private money. --All claims which are so riddled with lawyer-logic as to make anybody aware of the situation hopping mad, especially when one considers the huge tax-breaks and government hand-outs Rogers managed to weasel away with; they use the publicly-funded telephone pole system, on public land, to hang its infrastructure, over-charge for their rotten service, don't share and don't pay their taxes. Nice job! --The whole thing reeks, but they got away with it because the public was asleep and easily fooled by promises that, "With competition, your phone bills will go down!" Stupid, stupid Torontonians! Even as a teenager I could see the way the wind was blowing, and yet today few even grasp that they've been screwed. Sigh.

Rogers is one of those companies which has been sneaky and crafty and generally foul from the get-go. This latest move is entire par for their course. I don't own a television and I don't use a cell phone partly because of players like Rogers. Anybody ignorant enough to sign up with Rogers deserves exactly what they get.

-FL

UMTS

O2 in Germany has been doing this for UMTS connections for a long time. They've figured that stripping whitespace and artificially compressing images before transmission will save bandwidth.

Unfortunately, their white-space stripper breaks XML-wellformedness, which makes me unable to view any of my own sites with Firefox (unless I disable application/xhtml+xml as an Accepted content type).

Re:Dupe

This is not a dupe, it's merely your isp inserting outdated data in to your webpage because Slashdot didn't pay your ISP the brand new anti-crapification fee.