Code injection: A new low for ISPs

Beyond underhanded, Comcast and other carriers are inserting their own ads and notifications into their customers’ data streams

Code injection: A new low for ISPs

Imagine you’re on the phone with your doctor, discussing a very sensitive and private matter that requires your full attention. Suddenly in the middle of a sentence, your mobile phone provider injects a recording saying you’ve used 90 percent of your minutes for the month and to press 1 to contact customer service, and repeats the message until you either hit 1 or hit 2 to cancel.

Or you’re on a call with a buddy, talking about your favorite sports team. Suddenly you get several text messages with “special offers” from companies that sell jerseys and other sporting goods.

Unconscionable, right? Yet both scenarios play out on the Internet, in various degrees of insidiousness.

The first example above happens to an unfortunately large number of U.S. Internet users on a daily basis. Comcast and other ISPs “experimenting” with data caps inject JavaScript code into their customers’ data streams in order to display overlays on Web pages that inform them of data cap thresholds. They’ll even display notices that your cable modem may be eligible for replacement. And you can't opt out.

Think about it for a second: Your cable provider is monitoring your traffic and injecting its own code wherever it likes. This is not only obtrusive, but can cause significant problems with normal Web application function. It’s abhorrent on its face, but that hasn’t stopped companies from developing and deploying code to do it.

The second example is essentially how Google makes its money. You search for something (say, “Red Sox”) and you’ll see search results accompanied by ads for Red Sox tickets and merchandise. Web trackers do the same, which is why, if you searched for widgets on Amazon, you’ll see ads for widgets on completely unrelated websites. Of course, the difference in these examples is that you were purposefully seeking out these items, not merely discussing them with another person. This is an important distinction. (Remember: Gmail notes what you’re talking about in your email and produces ads based on that content; then again, you’re using the Gmail service for free.)

Either example is bad enough, but if we combine the two, we have a monster. We have an ISP that can and does inject its own code into data streams from third-party websites to deliver messages to its users. These could be the aforementioned data cap notifications or ads that hover above the website or even interstitial ads that cover half the page and frustrate the user, but appear to be served by the website that was visited, not the service provider. Of course, the ISP actively snoops on its users’ browsing to display those ads.

This, folks, is part of why we need strong Net neutrality regulations. It’s not only about preventing ISPs from becoming Internet gatekeepers and extortionists; it’s also about eliminating practices like these that are violations not simply of privacy, but of human decency. Not that violating human decency has ever stopped a big ISP. Heck, Rogers, a Canadian ISP, injects pleas to sign back up for its TV packages when you cancel. That's disgusting.

The fact is those in the know can avoid all of this. Using HTTPS Everywhere and SSL/TLS in general will foil these machinations (unless the ISP is pulling a Lenovo and cribbing SSL certificates -- don’t think they haven’t thought about that). You can also use Tor or a VPN or both, and you can use browser utilities like Ghostery to prevent Web tracking and all manner of other behind-the-scenes nastiness that abounds on the modern Web.

It’s rarely the knowledgeable users who are affected by these underhanded practices. It’s the vast majority who bear the brunt, folks who shouldn’t need to understand how and why SSL/TLS works in order to have some form of protection from their own ISP. We have fraud protection laws for a reason: to protect unknowing citizens from predatory practices and practitioners. Frankly, I can think of few better examples of predatory practitioners than ISPs in the United States.

Copyright © 2015 IDG Communications, Inc.