Sean Reiser

ISPs inserting ads on webpages.

July 27th, 2007

I've seen this covered on slashdot and digg but haven't seen many people weigh in on it, so I figured I'd write it up with my opinions.

Back in June, there was a post from someone to thinking he was infected by spyware since he was getting additional ads from a company called "Fair Eagle" inserted on all the pages he visits. After a little analysis he found this happened from his home but not from his office and mentioned that his ISP is MoonOverAddison and it appeared that they were inserting the advertisements. At which point jaiku user Chrisr chimed in with this information:

I noticed this at work and reported it to our IT department who contacted our ISP (Redmoon, who owns MoonOverAddison). Here's what we learned.

Fair Eagle sells a hardware device that sits between the ISP and all customers. It attempts to insert the ad Javascript into all HTTP traffic. Redmoon has purchased this device, intending it for all home customers, however, it lacks any sort of configurability based on IP address so all customers, including business customers leasing T1s from them, are affected.

Redmoon installed this device knowing that the ads would alienate some customers, but not enough to make the device unprofitable.

Very shady.

Some additional research reveled this to be the likely device. Basically this device is a transparent proxy that add advertising to every web pages that passes through it. Basically the ISP becomes a piece of adware which is just slightly out of your reach.

I don't see how this device is anything but a copyright circumvention device. I am writing some AGs in the next couple of days, explaining what the device is, how it effects us and explaining how it violates the DMCA (they gave me the gun, I'm going to try and use it).

Recently, The CS folks over at the University of Washington has an integrity checker which will check your connection and determine if your ISP is adding content and tracking the information for later publication. You should head over there to make sure your ISP is behaving.

Buried in the ISP's TOS, the user is agreeing to allow this to happen, of course. The problem for these ISPs is that they are still breaking the content owner's copyright by creating a derivative work of the webpage. This effects content providers in a number of ways.

If a site is kept in business by advertising the additional ads reduces the odds that someone is clicking on an ad that supports your site, losing potential income. If a site is advertising free either through a subscription model or through social contract, this device makes it appear that the provider is violating that agreement. Vows not to accept advertise from certain businesses or industries are now moot. At the end of the day the ISP makes the profit and we, the content providers, are left holding the bag.

What worries me more then this, is what the ISPs can do next. What prevents them for changing the content owner's adsense id to theirs, or replacing the website's ads with their ads altogether? I have no problem with a user blocking ads (let's face it anyone who goes through the effort to block ads isn't clicking on them anyway), but an ISP replacing them for their own profit is another matter entirely.

I'm planning on writing a drupal module to test of this and report back in the next couple of days (I'm writing the UW folks right now). Hopefully, if enough parties are interested we can get some visibility to this problem.

Sources
http://vancouver.cs.washington.edu/
http://www.nebuad.com/publishers/publishers.php
http://digg.com/security/Are_ISPs_modifying_your_web_pages
http://yro.slashdot.org/yro/07/06/23/1233212.shtml

Posted in iSeanReiser | Permalink | Tags: BreakingTheInternet, Security, Technology

Submitted by epc (not verified) on Fri, 2007-07-27 14:07.

I replied on nextny as well, my $0.02 is that if the ad revenue mattered to me I'd block any such ISP, or alter the content delivered to that ISP to advise customers that the ISP is damaging my business (by skimming ads). You could offer customers of that ISP the option of paying for the content directly (which is unlikely to fly) or suggest alternate ISPs for the customer to use (and finally: recommend the customers to pressure the ISP to stop skimming or replacing the advertising).

It is copyright circumvention, which if that's the stated intent of the device may make its legality questionable under grokster and the DMCA. I'd also argue that any ISP which substantially changes the content served from a web site loses its common carrier status, making it liable for the content as a publisher of the content.

reply

Submitted by CrosbieFitch (not verified) on Fri, 2007-07-27 14:58.

I wouldn't get upset over a mere copyright infringement - this is far worse.

The primary rights violation is of the publishing author's right to the integrity of their works, i.e. that they not be modified and presented as the work of the original author, unless it is made very clear that they are not the original author's work, but that of another author.

A secondary rights violation occurs in terms of misrepresentation, in that the publishing author is misrepresented as endorsing a product.

Don't piss about with the petty privilege of copyright. The ISP will claim some kind of nonsense that you've authorised them to convey/transmit your work to the members of your audience that they serve. They are making no unauthorised copies, but merely delivering their content 'alongside' yours for the benefit of the users they serve.

So, focus on the integrity of your web page (their failure to clarify that it is not the original work), and their failure to make it clear that you are not endorsing their adverts.

Otherwise, I'd resort to some kind of counter-javascript, ideally demonstrating to the browser that they and the advertiser were being ill served by their ISP.

reply

Submitted by Sean Reiser on Fri, 2007-07-27 15:21

I agree this is worst then copyright and I think like a programmer and not a lawyer but I'm looking at the tools in our arsenal to fight this. I'm sure that integrity is something that would work in court here in the USA. Assuming that changing the content is creating a derivative, the DMCA would apply. Either way if I were to pursue it, there would be a lawyer involved in the planning.

reply

Submitted by jupp (not verified) on Fri, 2007-07-27 17:33.

Put a script into your page that crashes/deactivates Fair Eagles ad Javascript.

reply

Submitted by Ethan (not verified) on Sun, 2007-07-29 23:57.

This device sounds like it would make it even easier for a disgruntled ISP employee (or even a gruntled one) to replace all downloaded EXEs with a payload of her own creation.

Good thing the box isn't configurable....

reply

Submitted by nicoduka (not verified) on Mon, 2008-04-07 11:37.

I think it’s great and more power to them. If Google can monopolize on everything Javascript, I don’t see why your ISP shouldn’t also be able to do so. It’s your own damn fault for allowing cookies and/or Javascript (or Java applets, Flash, Actionscript, VBScript, ActiveX, PDF, Quicktime, or whatever else browser plugin support)… Of course, I also think the UW Web Integrity Checker is a wonderful idea. People should learn about who is influencing them and why. People should also start using inbound WAF’s that remove potentially malicious iframes or Javascript, but then allow them to be whitelisted on a case-by-case basis. I’ve heard of Palo Alto Networks, but there is also their open-source project, Whitetrash. Using (or forwarding) OpenDNS is also a plus, as would be null routing or firewalling various sensitive IP prefixes, maybe ones pulled via a DNS or BGP RBL. Point of this: don’t trust the web, but help your ISP monotize itself. They are going to need the help, what with the problems the secret working group is attempting to address - let alone the stupid threat of net-neutrality. ___________________ Submited by : Caballos

reply

Submitted by Sean Reiser on Mon, 2008-04-07 18:50

I think your missing the point... 1) you don't need cookies, javascript, etc... there's nothing preventing an ISP from using this to alter the HTML and insert advertisements directly. 2) I am not aware of google inserting advertising on any site where the content provider isn't benefiting. If I spend hours designing a site so it's visually appealing why should a random ISP insert code that destroys it? Also, am I, from the end user's point of view, endorsing the products or services that have been added to the page I'm serving? There's nothing that says the ad comes from your ISP. 3) I thinking your setting the bar too high here.. all of your planed solutions require a level of knowledge beyond someone's grandmother (the example I use from time to time). Heck, the issues you outline are beyond 90% of the users of the internet. THis isn't 1996 anymore, everyone's on the net now. 4) The end user is paying their ISP... if the ISP isn't making enough money they should up the rates (I have no problem with the approach, btw). 5) I'm pretty sure that adding advertising is against the NonComercial-NoDerivs portion of my license.

reply

Submitted by Chris (not verified) on Tue, 2008-09-09 05:08.

Is the ISP market so competitive that some are resorting to blackhat style tactics? Kinda reminds me of a naughty NetZero back in the day. Speaking of NetZero...remember when they said that their service would always be free?

reply

Submitted by anttivua (not verified) on Tue, 2008-12-16 15:32.

nice information

reply