
ISP Inserting Content Into Users' Webpages 396

geekmansworld, among other readers, lets us know that the Canadian ISP Rogers is inserting data into the HTTP streams returned by the Web sites requested by its customers. According to a CBC article, Rogers admits to modifying customers' HTTP data, but says they are merely "trying different things" and testing the customer response.

  • by timmarhy ( 659436 ) on Tuesday December 11, 2007 @09:00PM (#21665389)
    replace "trying different things" with "seeing what we can get away with" and you're closer to the truth
    • by Anonymous Coward on Tuesday December 11, 2007 @09:11PM (#21665517)
      And if after hours, a man puts his wii-wii in the mayonnaise jar at the restaurant where he works, that's just experimenting too, to see how the customer will react.
    • by alx5000 ( 896642 ) <alx5000&alx5000,net> on Tuesday December 11, 2007 @09:13PM (#21665549) Homepage
      In other, unrelated news, alx5000 has been reported to have blown up a dozen Government buildings in the last 24 hours. When inquired about these events, alx5000 is said to admit to modifying governmental property, but remarked he is merely "trying different things" and testing the Government response.
    • by thegrassyknowl ( 762218 ) on Tuesday December 11, 2007 @09:16PM (#21665585)
      This could open up a whole bunch of "but I didn't download that" claims when users are caught with dubious material. They could claim that their ISP modified their download streams and point (at least some of) the blame toward the ISP.

      It's all a little dubious if you ask me. I always knew it was possible to fiddle with the stream, but I didn't think anyone would bother because it could possibly break a lot of pages that are held together with fragile HTML-fu.
      • I don't think so. (Score:3, Insightful)

        by Frosty Piss ( 770223 )

        This could open up a whole bunch of "but I didn't download that" claims when users are caught with dubious material. They could claim that their ISP modified their download streams and point (at least some of) the blame toward the ISP.

        Of course this is a disturbing trend, and from what I read about Rogers Cable, I'm not surprised. But I have to seriously question if your scenario would come to pass. I really don't think that ISPs are going to "insert" kiddie porn, "illegal" music or movies, or "terrorist" c

        • Re: (Score:2, Funny)

          by gmagill ( 105538 )
          I think he means that *I* could claim that all that goat porn I downloaded was 'inserted' by my ISP, that I am not a pervert.
        • by Storlek ( 860226 )
          What about ads that hijack the computer with malicious ActiveX controls that hook the computer to a botnet? Adbrite had to deal with that not too long ago; an advertiser was hacking their ad scripting code to insert some fairly unpleasant stuff onto pages.
        • Re: (Score:3, Insightful)

          I didn't imply kiddie porn or anything of the like. I said "dubious". Dubious depends on locality and context.

          What you find acceptable I might find dubious.

          are a lot of corrupt people working all over the place. There are a lot of funky rules in regard to what people are and aren't allowed to look in various countries.

          There is nothing to say that a disillusioned worker at an ISP couldn't have himself a little fun by somehow hiding an iframe or something into the extra data that displays the contents of a
        • by Darby ( 84953 ) on Wednesday December 12, 2007 @02:31AM (#21668049)
          I really don't think that ISPs are going to "insert" kiddie porn, "illegal" music or movies, or "terrorist" content in your Web page requests

          You're almost certainly correct, if by "ISPs" you mean the decision makers of the ISPs, and therefore the official policies thereof.

          However, what this does is fundamentally change the way they run their network thereby opening up massive vulnerabilities.

          Before they decided to make it their official policy to engage in the mass of unethical behaviors this exhibits, in order to insert goat porn, or the like, into a client's browser a disgruntled employee would have to jump through a mass of hoops (assuming they ever had any working network monitoring tools).

          Now, though, since this fraudulent activity is part of their official corporate policy and therefore necessarily of their infrastructure, all it takes is changing some text which is designed to be easily modified.

          That's the fundamental problem with this policy. Creating a method for potentially malicious people to insert unwanted content into the browsers of their own customers *is* the entirety of the policy.
          I doubt many people think that "goat porn for the masses" is the goal of Rogers, but they are going way out of their way to make sure that doing exactly that is trivial.

          I absolutely hope somebody pulls that argument and wins though, because this absolutely creates more than enough reasonable doubt.

          "But we didn't put that pic of two year olds fucking on his computer"...

          "Oh yeah? You created a process designed for the purpose of manipulating content and creating forgeries of web sites with deliberately falsified content in violation of every standard practice, every commonly sensible idea and every relevant ethical principle. Prove absolutely that each and every one of your employees was entirely uninvolved with this particular case, when you've spent so much time and effort ensuring that it would not only be possible, but trivial."

          It's not that Rogers has a plan for gross porn distribution, it's that they've created a means, a method and a process for doing exactly that with few if any possible legitimate uses.

      • by gnasher719 ( 869701 ) on Wednesday December 12, 2007 @07:25AM (#21669285)

        It's all a little dubious if you ask me. I always knew it was possible to fiddle with the stream, but I didn't think anyone would bother because it could possibly break a lot of pages that are held together with fragile HTML-fu.
        This is not just a bit dubious, it is plain and simple copyright infringement on a massive scale.

        The owner of the web site is creating a data stream, which will 99.99% of the time be copyrighted. Even if the web site owner doesn't own the copyright or has permission to use some copyrighted work, it is still copyrighted by someone else. Modifying the page creates a new derived work. If you create a derived work without permission of the copyright owner, you commit copyright infringement.

      • by Casualposter ( 572489 ) on Wednesday December 12, 2007 @02:40PM (#21674315) Journal
        This is interesting, because the telecommunications companies long ago ran with the "I can't control what goes over my wires" defense when the governments of various nations wanted to punish them as an accessory to crimes committed via the wires. The phone made it easier for V. and L. to conspire to murder T. The phone company claimed that it could not monitor and control every call and so the common carrier defense arose.

        Now, however, there is the demonstrated ability to monitor and control and perhaps the common carrier denotation is what is being tossed aside in the pursuit of the last nickel. What is an ISP to argue when faced with copyright allegations? They can monitor the traffic to sell targeted ads but can't tell when an illegal MP3 is being downloaded? That might not fly in a courtroom. Wouldn't the temptation to try to sell the user a similar song be too tempting to pass up? Or maybe the judge or jury doesn't get that there is a technology barrier and figures if the ISP can monitor one they can monitor them all.

        How about a political move like enforcing a completely non-encrypted internet to monitor for kiddie porn? All encrypted packets could be criminalized - except to "authorized sites" like your bank.

        What about the copyright on the page being mangled? I liken this type of technology as a form of vandalism, or perhaps an unauthorized derivative work. How would this be different than Amazon reprinting a Harry Potter book on demand and inserting hundreds of ads? Maybe those ads would be targeted to text on a facing page so that you'd get an advertisement for cleaning supplies every time the Nimbus 2000 flying broom was mentioned, or pet supplies every time one of the owls was mentioned. How about the death scene with Dumbledore opposite some funeral home ad?

        What about anticompetitive actions? The ISP could redirect or replace traffic with that of a competitor's product. I'm sure some companies would be delighted to ensure that no one ever hears of Brand-X again. How could this type of control and monitoring be used to prevent the accurate discussion of topics? AT&T is a backbone ISP and has been shown to be a good bit lax when it comes to protecting the data it carries. Could a large company or government change the internet by use of this technology to stop dissent?

        The abuse potential is huge.

        Then what about the privacy issues with reading every packet? Gee, Mr. Smith, why were you searching for pipes, fertilizer, and biodiesel last month?
    • Re: (Score:3, Insightful)

      by thinkertdm ( 1125275 )
      Now this is only the beginning. It is only a matter of time before other ISP's start doing the same thing, and you can't stop them. Here's why: 1. Comcast and other ISP's have more money than you do. Loads more. Sure, you may have a case on legal grounds, but they have the money. What are you going to do, stand in front of the CEO of Comcast and say "pwease mr, don't do this!" Good luck with that. 2. Think you are going to drop whatever ISP is doing it and jump to the other one? Most places only ha
      • by gallen1234 ( 565989 ) <gallen@@@whitecraneeducation...com> on Wednesday December 12, 2007 @08:57AM (#21669675)

        I may not have a lot of money but Google has plenty. I suspect that they'll take exception to Rogers fiddling with their carefully designed home page - a page where simplicity and a clean layout are defining characteristics.

        I also suspect that there's a copyright claim here somewhere. If Rogers took Google's home page and modified it then that's a derived work which they would have to have Google's permission to distribute.

        • Re: (Score:3, Informative)

          by TheLinuxSRC ( 683475 ) *
          "I suspect that they'll (Google) take exception to Rogers fiddling with their carefully designed home page - a page where simplicity and a clean layout are defining characteristics."

          You appear to be correct [webpronews.com] sir.
    • If enough ISPs "try new things" (see also, Comcast + BitTorrent), people will finally pull their heads out of their asses and realize the importance of net neutrality.

  • by squidinkcalligraphy ( 558677 ) on Tuesday December 11, 2007 @09:01PM (#21665401)
    Let's get rational for a second here; the ISP is trying to inform you you're reaching your limit, so you don't overshoot it and start having to pay extra. Let's put arguments about limits aside (after all, you've agreed to a contract involving limits). It's in their interests _not_ to inform you, as you'd have to start paying them extra. But they're trying to find a more pervasive way of letting you know. How else can they do it? Via email? They'd just send it to the email address they provide you with. Who really uses ISP-provided email these days? It's all webmail, so they need some window to get through to you, and maybe http is that window.
    • by patternmatch ( 951637 ) on Tuesday December 11, 2007 @09:04PM (#21665431)

      How else can they do it? Via email? They'd just send it to the email address they provide you with. Who really uses isp-provided email these days? it's all webmail, so they need some window to get through to you, and maybe http is that window.

      Or maybe, just maybe, they could ask you for your regular email when you sign up. This is not rocket science. There is no excuse for an ISP to be arbitrarily modifying the content of a subscriber's traffic.

    • Re: (Score:3, Insightful)

      Because they're using software made for inserting ads into or rewriting the HTTP stream, and that software is very evil. I think it's a very neat idea that's also very scary.
      • by weorthe ( 666189 ) on Tuesday December 11, 2007 @09:15PM (#21665571)
        that software is very evil

        Yes. Imagine a world in which China/Bush's America/Hillary's America no longer censors the web but subtly modifies it instead. Maybe with the cooperation of Yahoo et al. All power inevitably becomes abused. What good is freedom of expression if you can't be sure your expression is your own?
    • by timmarhy ( 659436 ) on Tuesday December 11, 2007 @09:06PM (#21665467)
      the problem is going to be that modifying the http stream will break web applications and some secure sessions. it'll become even more of a problem as time progresses.

      imho they are creating a solution to a problem that doesn't exist. there's 1000's of widgets out there they could tune to give you an almost real time view of your quota, building their own and interfering with your http traffic is not a good solution.

    • Well, the article mentioned they said "they are merely "trying different things" and testing the customer response."

      Typical Response: Fuckin' Stop It!!!

    • Re: (Score:3, Insightful)

      by owlnation ( 858981 )
      The problem...?

      The obvious one... consensus, agreement, privacy, respect, customer focus, precedent... etc...

      That all seems pretty rational to me.
    • by taniwha ( 70410 )
      what's the problem? it's like you make a phone call and every minute some third party chimes in and starts telling you how much you've spent ... besides you just know that next year they will start telling you about McDonald's latest burger
    • Re: (Score:3, Insightful)

      by AccUser ( 191555 )
      the ISP is trying to inform you you're reaching your limit

      The ISP is inserting data into the page. Suppose they add a logo, a hit the mosquito advert, and a movie trailer - will they charge you for that bandwidth?
    • by zakezuke ( 229119 ) on Tuesday December 11, 2007 @09:52PM (#21665921)

      Let's get rational for a second here; the ISP is trying to inform you you're reaching your limit, so you don't overshoot it and start having to pay extra
      If that was the case... then the ISP can simply redirect all external requests to an internal page informing you as such... if for some odd reason they didn't want to use e-mail. In fact... a local wi-max provider does just that in the event your account is overdue... a simple "you owe us money" in between browsing session and poof gone.

      My data on Rogers and Shaw is dated; the last I checked they didn't meter. Even if they did meter, odds are you're not going to go over your limit surfing the web, so any injected web-based warning isn't going to be that useful.

      Redirection on the other hand... not so bad.

    • by Nikker ( 749551 ) on Tuesday December 11, 2007 @10:10PM (#21666049)
      I am a Rogers customer right now because I am slightly out of the range of a DSL provider. My connection was erratic, especially on torrents; it didn't matter what kind and where from. Suspicious, I got a copy of Wireshark and monitored the traffic; all the packets going out appeared to be ok, but all the returning packets on my torrent port were corrupted (CRC error). I brought this to their attention and they said the problem didn't exist. I told them to let their NOC know about this and they refused; they told me to send it to the general email box on their help page.

      They say they are testing the waters and they are. Are they testing a way to notify people of their account or are they trying to get people comfortable with them throwing up messages on your screen while you surf? As far as I'm concerned I will cancel and go without rather than putting up with this garbage. As far as I'm concerned the only right they have is to give me the service I'm paying for. As you can probably tell I really just don't trust this company, they don't do their job very well and expect me to put up with it, as far as I'm concerned I will fight this every inch.
      • by schwaang ( 667808 ) on Tuesday December 11, 2007 @11:04PM (#21666499)
        After the Comcast bittorrent interference, the Electronic Freedom Foundation released a tool called pcapdiff [eff.org]. The idea is you capture what your ISP sends you for a given website using wireshark/tcpdump and compare it to what your friend gets for the same site. Pcapdiff diffs the two pcap files and reports discrepancies.

        On Fedora you can do "yum install pcapdiff".

        It's an early release, but there's bound to be a lot more uses for pcapdiff ahead...
    • by schon ( 31600 ) on Tuesday December 11, 2007 @10:12PM (#21666071)

      Let's get rational for a second here; the ISP is trying to inform you you're reaching your limit
      ... as well as taking the opportunity to inject advertising in the page.

      Don't believe it? Take a look at the screenshot. When was the last time you saw the Yahoo! logo on Google's homepage?
    • How else can they do it?
      Well, off the top of my head:
      • Ask you for an email to send notices to when you sign up.
      • Ditto for instant message
      • SMS your phone
      • Automatic phone call
      • Offer a little icon for your taskbar/dock/etc
      • RSS feed
      • Screensaver with your current stats
      • Send a midget in an "Alf" costume to your door with flowers and candy
  • by TopSpin ( 753 ) *
    I saw Orange doing this on their wireless network in Lyon about 3 years ago. Have also seen it on various hotel networks.

    Still get my personal uplink from a small, privately owned ISP that doesn't have anything like enough on-staff talent to wiggle into every aspect of my traffic. About 1/2 as fast as any given nearby Comcast cable uplink. Costs about $20 more a month too. For all that you can take your trafficshaped, mutilated $29.95/month interweb pipe and <censored>

    If you're going to line up
  • by Z80xxc! ( 1111479 ) on Tuesday December 11, 2007 @09:04PM (#21665429)
    In other news, a mad internet subscriber broke into the headquarters of a Canadian ISP called Rogers. Upon entering, he hit shot two techs, broke 3 servers with a sledgehammer and then proceeded to start a fire in the CEO's office. Upon being apprehended by police, he was let go after informing them that he meant no harm and was just trying some different things to see how the company would react.
    • Re: (Score:3, Insightful)

      by basic0 ( 182925 )
      Good luck. I listen to Prime Time Sports with Bob McCown every day, and apparently even well-known, award-winning air talent doesn't have any level of access to Uncle Ted or the 10th floor of the Rogers building. McCown claims he's never met Ted Rogers in the ~10 years he's been working for him. I imagine his office is like something out of the movie "Sneakers".
  • Babies come from people "experimenting" too.
  • Are like the wild west.

    I wonder if advertisers will start talking about blacklisting ISPs that modify content? Or maybe try to find some way to charge them extra?
    • Re: (Score:3, Funny)

      by gknoy ( 899301 )
      If advertisers blacklisted ISPs, wouldn't that make those ISPs' users have a better experience? Sounds like a win-win. ;)
  • by iamacat ( 583406 ) on Tuesday December 11, 2007 @09:06PM (#21665473)
    It seems that the customer would be less unhappy about a warning that he is about to reach a bandwidth cap, page modifications and all, than just get a thousand dollar bill out of the blue. There is no set mechanism for the ISP to communicate with the customer over Internet, so creating one might be justifiable in this case. Write again when a (non-free) ISP injects ads or blocks competitor's websites.
    • Automated phone calls would probably work too.
      • by iamacat ( 583406 )
        When was the last time you picked up a call with unknown Caller ID?
    • Re: (Score:3, Insightful)

      by arkhan_jg ( 618674 )
      Thing is, now you know they have the ability, equipment and willingness to modify your datastream...

      Write again when a (non-free) ISP injects ads or blocks competitor's websites.

      How would you know whether they are, or not?
    • by RedWizzard ( 192002 ) on Tuesday December 11, 2007 @10:36PM (#21666265)

      It seems that the customer would be less unhappy about a warning that he is about to reach a bandwidth cap, page modifications and all, than just get a thousand dollar bill out of the blue. There is no set mechanism for the ISP to communicate with the customer over Internet, so creating one might be justifiable in this case.
      There is a set mechanism: email. And if that's not sufficient they could easily write a little app to provide notification that could be run by users who are worried about exceeding their limit. There is no need for what they are doing. In fact what they are doing is probably copyright infringement: they are creating and distributing a derived work (the modified page) without the author's permission.
      • by starfishsystems ( 834319 ) on Tuesday December 11, 2007 @11:07PM (#21666521) Homepage
        Copyright infringement, I like it.

        Even better, the CBC article concludes with a reference to the Telecommunications Act, which states that "a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public."

        Rogers has a long history of playing as dirty as it can get away with. If the old pattern repeats as before, Canadian regulators will respond and Rogers will be forced to back down, leaving everyone -- regulators, investors, competitors, consumers -- slightly more pissed off with it than before.

  • by Bonewalker ( 631203 ) on Tuesday December 11, 2007 @09:07PM (#21665481)
    According to a CBC article, Rogers admits to modifying customers' HTTP data, but says they are merely "trying different things" and testing the customer response.

    Oh, well, that's ok then, if you are only trying different...HEY! Wait a minute! You can't do that. Why, I oughta....
  • Oblig xkcd (Score:5, Funny)

    by RuBLed ( 995686 ) on Tuesday December 11, 2007 @09:10PM (#21665503)
    Are they doing that with Oven Mitts [xkcd.com]? No?! Lame....
  • Hey Rogers! (Score:5, Insightful)

    by ScrewMaster ( 602015 ) on Tuesday December 11, 2007 @09:11PM (#21665513)
    I got your "customer response" right here.

    Seriously, when it becomes acceptable for the phone company to break into my conversation with "Did you know that Geico can save you a ton of money on car insurance?" then my ISP can screw around with my Web pages. Otherwise, get your sticky paws OFF me, you damn dirty apes.
  • by QuantumG ( 50515 ) <qg@biodome.org> on Tuesday December 11, 2007 @09:12PM (#21665525) Homepage Journal
    That is to say, this is a case of your ISP using packet modification to insert code into your HTTP stream, but it doesn't have to be so innocuous. It's quite possible that someone who has hacked into your ISP could do the same thing.. and not just to HTTP streams, but any TCP stream. Downloaded any executables lately? It's quite possible that a hacker could have intercepted any packet that begins with "MZ", has a non-zero value at offset 0x3c which contains a 4 byte offset into the packet that has "PE" at it. There's a Windows binary, let's change the bytes at the entrypoint to do something malicious.

    SSL is your friend.

    If only we could get IPSEC happening.
  • by statemachine ( 840641 ) on Tuesday December 11, 2007 @09:12PM (#21665531)
    It seems we just had a story that talked about Rogers.
    Will ISP Web Content Filtering Continue To Grow? [slashdot.org]

    (No, this one words it differently. -- Inserted by your friends at the NSA)
  • ...I'm merely trying different things to see what sort of response I would get from people.

    I'm sorry, but in the US, the ISP needs to be brought up on Federal Criminal charges of interfering with commerce on a local, state, federal and international level.
  • by Seor Jojoba ( 519752 ) on Tuesday December 11, 2007 @09:19PM (#21665609) Homepage
    I propose turning their company name into a verb, "roger", which means to manipulate internet data without the receiver's permission. Every time you exclaim, "I've been rogered!" or "They rogered my data!" the Rogers company name will hold on to its well-earned place in history. And yes, "roger" already means something else quite similar. With either definition, something is being inserted where it probably shouldn't go.
    • by reidconti ( 219106 ) on Tuesday December 11, 2007 @09:24PM (#21665655)
      As in, "you've just been Rogered arseways by your ISP?"
    • "Hey, man, is something wrong with your server?"

      "Roger, roger!"
    • by p0tat03 ( 985078 ) on Tuesday December 11, 2007 @11:32PM (#21666759)

      You may not know this, but "Rogers" is already synonymous with "taking it up the arse" up here in Canada. After all, who else charges $210/month for 500MB of wireless data transfer? Or creates a 3G broadband network but refuses to allow actual 3G phones to access it (restricting you to this huge BRICK of a wireless "modem" they provide you)? Or raising their prices almost 30% in the last 2 years?

      I just wish someone like Google or Microsoft sues Rogers into oblivion for this crap. I'm pretty sure impersonating another corporation's official communications (loading the Google homepage, for example) is fraud.

  • .... Then I think I will try a different ISP. After all, what is good for the goose is good for the gander right?
  • by eap ( 91469 ) on Tuesday December 11, 2007 @09:22PM (#21665633) Journal
    I am a Rogers [V1AGR4] customer, and I [MORTGAGE RATES FALL AGAIN!] think you're all just overreacting [VISTA - THE BEST WINDOWS YET!].

    Now let's have no more talk about this bizarre coverup.
  • by javacowboy ( 222023 ) on Tuesday December 11, 2007 @09:23PM (#21665645)
    So.... why aren't there any high profile lawsuits against Rogers yet?

    First they throttle BitTorrent traffic. Then, when BitTorrent users encrypted their connections, all encrypted traffic was throttled, making VPN connections unbearably slow.

    The only reason I can think of that they're getting away with this is that...uh...people in Ontario don't telecommute at all?

    Why is everybody letting Rogers get away with these shenanigans? Rogers' practises must be costing some business users serious money. I simply don't understand.
  • Okay, I know... (Score:5, Insightful)

    by gillbates ( 106458 ) on Tuesday December 11, 2007 @09:37PM (#21665787) Homepage Journal

    This is a dupe, but it's worth commenting on.

    The fundamental problem I see with this is that the ISP is changing the content of webpages to suit their own interests. There are a myriad of problems here, regardless of whether or not the customer accepts it:

    1. Copyright law: technically, the modified web page is a derived work. The ISP can now be held liable for copyright infringement if, say, Google, or the New York Times objects. The potential revenues sinkhole from copyright litigators is far greater than what any ISP could bear.
    2. There are ethical problems with an ISP artificially inflating the size of webpages, especially if they charge for the bandwidth.
    3. This smacks of 1984-esque censorship. Once it becomes commonplace for an ISP to change a web page, how long before government uses this for nefarious purposes?
    4. Consider how the above may be abused: a political rival logs onto Google, and the ISP replaces the normal content with child porn. Enter the police and 10 to 20 years in prison...
    5. If I can't trust my ISP to deliver an unmodified webpage, the only alternative is to use https for everything. While I'm personally favorable to such a thing, I realize it will disenfranchise a lot of part time and small time web operators who don't have the sophistication to set up an https server properly. Thus, one of the great egalitarian aspects of the web dies.

    In light of the fact that a certain ISP blocked access to union websites, this is an alarming event indeed. Democracy depends on the free flow of information, and I'm thinking that it might be appropriate to make such a practice illegal, if only for the sake of preserving democracy. It will first be used for commercial gain, and later, leveraged as a political tool.

  • common carrier (Score:5, Interesting)

    by Richard_J_N ( 631241 ) on Tuesday December 11, 2007 @09:42PM (#21665837)
    What a really stupid thing to do. Never mind that it's unethical, they just lost their common-carrier status. Now the RIAA can sue them for contributory infringement ;-)

    At least, that's my understanding of it - ISPs and postal services are legally "common carriers", i.e. they just deliver stuff; they aren't responsible for any legal ramifications of what they deliver. Eg the post service isn't liable if someone mails a forged cheque. BUT...if they demonstrate that they control, inspect, and modify what they are delivering, they might just be liable when someone uses their network to commit fraud.
  • by nweaver ( 113078 ) on Tuesday December 11, 2007 @09:54PM (#21665935) Homepage
    See this old Slashdot article [slashdot.org] on how servers can detect such modifications when they happen by using a bit of Javascript as an integrity checker.

    (Disclaimer, I'm one of the authors of the work)
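
The kind of check the comment above describes, as an added example that is not part of the original thread and not the code from the linked work: the site ships a percent-encoded reference copy of its HTML, and a script compares the source that actually arrived against it and reports the span that differs. All function names, the choice of encoding and the sample pages are assumptions made for this illustration.

```javascript
// Added example, not code from the thread or from the work it links to.
// Every name below is hypothetical; the sample pages are constructed.

// Server side: ship the reference copy percent-encoded, so an in-path
// rewriter that looks for HTML tags does not rewrite the reference as well.
function encodeReference(html) {
  return encodeURIComponent(html);
}

// Treat CRLF, CR and LF alike so harmless line-ending changes are not reported.
function normalise(html) {
  return html.replace(/\r\n?/g, "\n");
}

// Split markup into tags and text runs. The final alternative keeps a stray
// "<" so that joining the tokens always reproduces the input exactly.
function tokenise(html) {
  return html.match(/<[^>]*>|[^<]+|</g) || [];
}

// Compare the reference with what arrived. Returns null when they match,
// otherwise the one span covering everything from the first to the last
// differing token (several separate edits are reported as a single span).
function findModification(expected, received) {
  const a = tokenise(normalise(expected));
  const b = tokenise(normalise(received));

  // Longest run of identical tokens at the start.
  let start = 0;
  while (start < a.length && start < b.length && a[start] === b[start]) start++;
  if (start === a.length && start === b.length) return null;

  // Longest run of identical tokens at the end, not overlapping the prefix.
  let endA = a.length;
  let endB = b.length;
  while (endA > start && endB > start && a[endA - 1] === b[endB - 1]) {
    endA--;
    endB--;
  }

  const removed = a.slice(start, endA).join("");
  const inserted = b.slice(start, endB).join("");
  let kind = "replacement";
  if (removed === "") kind = "insertion";
  else if (inserted === "") kind = "deletion";

  // offset is the character position of the change in the normalised reference.
  return { kind, offset: a.slice(0, start).join("").length, removed, inserted };
}

// Client side: decode the reference and check the received source against it.
function tripwire(encodedReference, received) {
  return findModification(decodeURIComponent(encodedReference), received);
}

// Constructed sample: a page as published, and the same page with a usage
// notice spliced in after <body> somewhere between server and browser.
const ORIGINAL = "<html><body><p>Hello</p></body></html>";
const NOTICE = '<div id="isp-notice">You have used 75% of your monthly allowance.</div>';
const INJECTED = ORIGINAL.replace("<body>", "<body>" + NOTICE);

console.log(tripwire(encodeReference(ORIGINAL), ORIGINAL)); // unmodified copy
console.log(tripwire(encodeReference(ORIGINAL), INJECTED)); // modified in transit
```

In a browser the `received` argument has to be the raw response text, since the serialised DOM differs from the bytes on the wire. An in-path device can also strip the script itself, so a missing report is not proof of an untouched page.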
  • They want their geocities ads back.
  • The effect? I'll tell you what the effect is, it's pissing me off!

  • Yep. (Score:5, Funny)

    by Black Parrot ( 19622 ) on Tuesday December 11, 2007 @10:00PM (#21665983)
    And I wonder how many times they're going to insert this story into Slashdot.
  • by Skapare ( 16644 ) on Tuesday December 11, 2007 @10:02PM (#21666003) Homepage

    Web sites need to enable HTTPS properly over their entire site. Then your ISP can do nothing more than just prevent the secure connection from being established. And if they do that, they break all kinds of stuff like shopping checkout and access to bank accounts.

    Right now, Slashdot's own HTTPS URL [slashdot.org] just redirects to the HTTP URL. This needs to be changed to just leave things in the HTTPS mode. Eventually this should be changed so that HTTP redirects to HTTPS. Google [google.com] does the same boneheaded redirection.

  • by CrazyJim1 ( 809850 ) on Tuesday December 11, 2007 @10:02PM (#21666005) Journal
    As much as I don't like Canada, the totally awesome Rogers ISP is not doing something wrong here. That's all I have to say. PS, buy a Playstation 3 at 20% off by mentioning the code ROGERS ISP ROCKS at your local S-mart
  • that this isp is not very concerned with privacy of its clients.

    Say you have a friend over or someone you don't know using your open wireless, now all of a sudden there is this message they see giving them information about you.
    I honestly cannot believe they haven't considered this possibility. If they haven I highly recommend that if you are a customer you need to change isps right away.

    This also should show that ISPs can indeed spy on you and your web surfing and sell that information about you or leak
  • I thought Rogers didn't have a limit? Maybe they could just send you an email rather than hijacking your data.
  • by ceoyoyo ( 59147 ) on Tuesday December 11, 2007 @11:23PM (#21666667)
    Looks like it should. We probably also need a new standard for lightly encrypted pages. Light enough to not put undue strain on the server but heavy enough to make it impractical to modify pages on the fly.
  • Correct Title... (Score:3, Interesting)

    by Belial6 ( 794905 ) on Tuesday December 11, 2007 @11:33PM (#21666765)
    ISPs commit copyright violation by delivering unauthorized derivative works.
  • by gvc ( 167165 ) on Wednesday December 12, 2007 @12:12AM (#21667093)
    Rogers are clearly not inserting content into users' web pages, as the title claims. They are inserting content into pages viewed by users.

    So I have little faith in the claim that they are "intercepting http." What is more likely is that the default proxy server they provide is inserting the content. While it may make little difference to the average user, as the "normal" setup uses the proxy, it seems to me that there's a huge difference between supplying a proxy and intercepting and manipulating http traffic; that is, hijacking TCP port 80. The proxy I can easily avoid by using a direct connection to the internet; TCP hijacking, I can't.
    • Re: (Score:3, Insightful)

      by yuna49 ( 905461 )
      Many ISPs "hijack" outbound port 80 connections and transparently proxy them. I'm not sure how you think you'd avoid this proxy unless you yourself are using a proxy that listens on some port other than 80 and is located on a network outside your ISP's.

      I routinely configure office networks to do this with iptables+squid. It gives their administrators a log of requests in case they need to check up on what sites their employees have visited. It also enables us to add some security features to the network
  • by Fantastic Lad ( 198284 ) on Wednesday December 12, 2007 @12:32AM (#21667253)
    Ted Rogers is like a mini-Gates of the Toronto region.

    "The little cable company that could." They practically invented negative billing, starting their reign of aggravating barely-legal business practice as far back as the early 80's with the stupid bundling of the new pay-channels. They successfully lobbied to crack open the Bell monopoly so that they could compete on the phone market. Everybody believed their bullshit campaign and as a result, everybody pays many times more for phone service which has fallen from one which was affordable and which worked hard-core in favor of the consumer, (if Bell tried to screw you around, a quick call to the CRTC, and they'd be nodding yes-sir to you. Monopolies are great in this way because the public can very easily punish them through government pressure to do the right thing if they start getting greedy and evil), --phone service through bell and all the competitors has since devolved into a system which is now expensive, punitive, crappy and generally mean-spirited, (all contrary to the whole 'competition breeds excellence' meme which should be obvious for the falsehood that it is to anybody with a brain but which somehow remains an elusive truth; I blame the same American ideological propaganda which has landed us in Iraq and which is responsible for rolling black-outs and for people whose lives suck because they can't afford medical insurance. Thanks, guys! Keep on championing the lie while you take it in the rear.) (Ahem. Did I say all of that out loud? DO pardon me.)

    Anyway. . .

    Rogers argued that it had the right to use Bell's cable system because it had been built in part with public money, and then they turned around and refused to share its own cable system because they claim to have made it with private money. --All claims which are so riddled with lawyer-logic as to make anybody aware of the situation hopping mad, especially when one considers the huge tax-breaks and government hand-outs Rogers managed to weasel away with; they use the publicly-funded telephone pole system, on public land, to hang its infrastructure, over-charge for their rotten service, don't share and don't pay their taxes. Nice job! --The whole thing reeks, but they got away with it because the public was asleep and easily fooled by promises that, "With competition, your phone bills will go down!" Stupid, stupid Torontonians! Even as a teenager I could see the way the wind was blowing, and yet today few even grasp that they've been screwed. Sigh.

    Rogers is one of those companies which has been sneaky and crafty and generally foul from the get-go. This latest move is entirely par for their course. I don't own a television and I don't use a cell phone partly because of players like Rogers. Anybody ignorant enough to sign up with Rogers deserves exactly what they get.


    -FL

  • UMTS (Score:4, Interesting)

    by Arancaytar ( 966377 ) <arancaytar.ilyaran@gmail.com> on Wednesday December 12, 2007 @03:55AM (#21668413) Homepage
    O2 in Germany has been doing this for UMTS connections for a long time. They've figured that stripping whitespace and artificially compressing images before transmission will save bandwidth.

    Unfortunately, their white-space stripper breaks XML-wellformedness, which makes me unable to view any of my own sites with Firefox (unless I disable application/xhtml+xml as an Accepted content type).
