I posted about this on reddit a few weeks ago[0]. Someone in the thread said they had contacted the Better Business Bureau, but I'm not sure what their process is or how far it's gotten.
There has also been a short email thread in which their official response is this:
> Mr. [redacted],
> CMA is in the process of trying to find ways to drive income from our internet service in new ways. These new ways would allow us to expand our service offering and maintain the cost of the current residential and business internet services.
> We’ve been testing a new service which allows us to overlay / insert some local advertisement on certain web pages. A company called Route 66 is our partner. Right now, you’re barraged with a lot of internet advertising, popups, etc… This has become part of the internet experience. At the core, we’re simply trying to better customize some of this experience. And possibly give you access to highly relevant local advertising.
> Having said that, I’ve recently become a little more familiar with what some of these ads look like and how they operate. I will concede that I’m not sure they strike the perfect balance between being information and non-invasive. Like I mentioned, we’re involved in a test and the feedback we’re getting from the test is helping us to refine and improve how (or if) we’ll continue here.
So I’m stopping short of saying that we’ll be ceasing this type of internet advertising experiment. But I do want you to know that your feedback has resulted in the beginning of a pretty intense internal dialogue.
> Thanks for your feedback.
> [redacted]
> CMA Communications
It's absolute insanity and a major breach of trust that they'd inject their own content into webpages I visit. I'm permanently using a remote VPN for all outgoing traffic through CMA.
The kernel of their user-hostile decision is right here:
Right now, you’re barraged with a lot of internet advertising, popups, etc… This has become part of the internet experience. At the core, we’re simply trying to better customize some of this experience. And possibly give you access to highly relevant local advertising.
"Hey, we're just going to take a piece of the shitty ad-laden pages you visit. Maybe you'll see something you like, but chances are low and beside the point."
Addendum: as soon as they started doing this, all of my port forwarding broke. I'm not sure if this is a coincidence or if it was on their end, but the technicians were of no help.
Immediately cancel your account and switch. If you are forced to use them as an ISP due to municipal/geographical regions complain to your city manager.
The only way to slap these companies back into line is with your wallet. If you can't do that then a couple complaints to the city manager can go a lot farther than you think, especially in smaller areas where there isn't a lot of support staff in city hall.
Considering just how big the outcry was over ISPs delivering advertisements instead of an NXDOMAIN response, and how many ISPs are continuing to mess with DNS over ten years after the execrable practice started, I haven't got much faith in the power of the market. Has there been just one ISP that stopped hijacking DNS over customer complaints?
"knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period"
Injecting or replacing ads in other people's content on the wire: 'knowingly and with intent to defraud', 'exceeds authorized access', 'furthers the intended fraud'
Ad revenue from doing so: 'obtains anything of value'
Forget copyright infringement: a case could be made that CFAA applies here.
Wouldn't this depend on the TOS of the ISP?
Perhaps by signing the contract you "authorise" this.
This sort of thing doesn't surprise me any more. AFAIK DNS on every major ISP in the UK is broken, there is no NXDOMAIN. Unresolvable domains are simply redirected to a specific IP address which happens to host a page of ads and a search bar on port 80. This might not matter to most people, but it's a huge PITA when I'm testing some things.
They go as far as even replacing existing ads with their own, this seems criminal, especially when they are directly impacting google/microsoft/apple by removing their ads and replacing them with their own.
A picture speaks a thousand words here; the author did a great job supplying plentiful screenshots to emphasize how wrong this practice is. I read about this in the past but wasn't too moved until I scrolled through all those screenshots and thought, wow, this is not good for ad publishers OR brands OR anybody. This is only good for the greedy ISP.
This is an interesting problem. On a broadcast channel, when a local station attempts to replace the ads the network has put in their shows, with their own ads, the network has some leverage to shut down that process. But on the Internet there are a bunch of web sites and they don't have any leverage at all. They could do an IP filter, which is to say put up a page "This site unavailable on this ISP's network" when a request came in from a CMA communications IP block. That would cause a support headache for CMA with all their customers calling into complain. The other defense would be to create a web page that doesn't cache (it pulls the actual page content through AJAX calls gets around any local script injection). Lastly there seems to be "product" here where you bundle up an EC2 instance and some friendly software on the PC that spins up a VPN tunnel for all of your traffic.
HTTPS everywhere would solve this, and the Comcast Javascript injection - I wonder how many more people will deploy things like this before that happens?
Actually, the "HTTPS Everywhere" plugin [1] for firefox and chrome is
an incomplete solution. The reason is simple; not all sites support
HTTPS, so the plain HTTP-only sites are still vulnerable.
Injecting a script into insecure HTTP is just one of many abuses possible
by ISP's. Replacing images on the fly is another. Recompressing (degrading)
images/video is another. Messing with DNS responses is another, and so on...
A far better working solution is to use a VPN service since when it's configured
correctly, it will encrypt all traffic passing through your ISP. Of course, this
is really just moving the trust problem, rather than solving it, but at least using
a VPN service makes it your decision who to trust. I use Tunnelr.com [2] since by
reputation, similar interests, and years of traded emails, I know the people who run it.
We hope ads/no-ads arms race would end there.
But I could easily see some unscrupulous/greedy ISPs then resorting to setting up SSL proxies to MITM your ostensibly secure traffic, as some private organizations (schools, corporations) already do.
https is the wrong solution. that is for preventing others from seeing what you're sending/receiving, not verifying the integrity of what is sent/received. well, it does do that too, but it adds extra unneeded overhead by encrypting everything. Besides, the ISP can easily man-in-the-middle any connection you make and then inject their ads into the webpage, even if you use https.
The correct solution is signing the webpage (but not necessarily encrypting it). More technically, that means the server/website would hash the source of the webpage, and then send the webpage, the signed hash, and if needed, the cert it used to sign the hash. Upon receiving both the webpage and the signed hash, the browser would then check to make sure that the signature can be trusted (using a chain of trust the same way we do with certs for https pages already), hash the webpage source it received, and then verify that that hash matches the signed hash it received from the website.
It doesn't matter if any of that is sent in plaintext, because there is no sensitive information, and as long as the hashing algorithm used is strong (ie sha2 family, not md5), then the isp can do fuck all to inject javascript.
Technically, isn't this copyright violation? People who inject ads into a page are creating a derived work without permission of the rights holders. I'm sure Apple didn't okay that addition to their HTML.
It would be interesting to see a lawsuit along those lines.
It's been long enough for me to state, but I used to work for a contractor hired by CMA Communications.
ISPs of this size try and maximise as much profit out of their customers and being that a lot of CMA's sites were over provisioned and are barely able to provide telephony service without incompetence-y along the way, it is not shocking that ads being injected into pages is a new thing for them.
To see these bullshit ads showing up on random pages is far from surprising.
That's why I bought Google stock after they got into Android, as Android makes it possible for Google to now step in & protect against the MITTM attacks by ISP's blocking their ads. The OS gets the final word before it displays content to the user & it can detect & block these.
Now, they just have to deploy the fix to Android...
The sad thing about this is in many places (at least in the US) there are few if any alternatives. In my city, I can either get Time Warner Cable or AT&T DSL. I'm 20 miles from Verizon's office but FIOS is illegal in my city. So if the ISP starts screwing with the content then you have virtually no alternative.
Sprint is another (lesser?) offender -- their mobile broadband injects a script in every page that loads compressed versions of images until told otherwise. (Annoying, but at least it's well-intentioned.) I've long since blocked the IP, but it gave me a bit of a scare to see unfamiliar code in my own websites.
Yep. I rolled my eyes at this, before I even got to the meat:
"I laughed to myself briefly, thinking: “who uses Bing?”, and then realized I was a computer science grad student who had managed to get malware on a Mac, so I wasn’t in a position to judge."
[+] [-] _conehead|13 years ago|reply
There has also been a short email thread in which their official response is this:
> Mr. [redacted],
> CMA is in the process of trying to find ways to drive income from our internet service in new ways. These new ways would allow us to expand our service offering and maintain the cost of the current residential and business internet services.
> We’ve been testing a new service which allows us to overlay / insert some local advertisement on certain web pages. A company called Route 66 is our partner. Right now, you’re barraged with a lot of internet advertising, popups, etc… This has become part of the internet experience. At the core, we’re simply trying to better customize some of this experience. And possibly give you access to highly relevant local advertising.
> Having said that, I’ve recently become a little more familiar with what some of these ads look like and how they operate. I will concede that I’m not sure they strike the perfect balance between being information and non-invasive. Like I mentioned, we’re involved in a test and the feedback we’re getting from the test is helping us to refine and improve how (or if) we’ll continue here. So I’m stopping short of saying that we’ll be ceasing this type of internet advertising experiment. But I do want you to know that your feedback has resulted in the beginning of a pretty intense internal dialogue.
> Thanks for your feedback.
> [redacted]
> CMA Communications
It's absolute insanity and a major breach of trust that they'd inject their own content into webpages I visit. I'm permanently using a remote VPN for all outgoing traffic through CMA.
[0]: Didn't know exactly where the post belonged, so I put it in /r/self: http://www.reddit.com/r/self/comments/19zhl6/my_isp_is_injec...
[+] [-] rhizome|13 years ago|reply
Right now, you’re barraged with a lot of internet advertising, popups, etc… This has become part of the internet experience. At the core, we’re simply trying to better customize some of this experience. And possibly give you access to highly relevant local advertising.
"Hey, we're just going to take a piece of the shitty ad-laden pages you visit. Maybe you'll see something you like, but chances are low and beside the point."
[+] [-] devicenull|13 years ago|reply
[+] [-] _conehead|13 years ago|reply
[+] [-] pdeuchler|13 years ago|reply
The only way to slap these companies back into line is with your wallet. If you can't do that then a couple complaints to the city manager can go a lot farther than you think, especially in smaller areas where there isn't a lot of support staff in city hall.
[+] [-] HarryHirsch|13 years ago|reply
[+] [-] ConstantineXVI|13 years ago|reply
Injecting or replacing ads in other people's content on the wire: 'knowingly and with intent to defraud', 'exceeds authorized access', 'furthers the intended fraud'
Ad revenue from doing so: 'obtains anything of value'
Forget copyright infringement: a case could be made that CFAA applies here.
[+] [-] jiggy2011|13 years ago|reply
This sort of thing doesn't surprise me any more. AFAIK DNS on every major ISP in the UK is broken, there is no NXDOMAIN. Unresolvable domains are simply redirected to a specific IP address which happens to host a page of ads and a search bar on port 80. This might not matter to most people, but it's a huge PITA when I'm testing some things.
[+] [-] cramerica|13 years ago|reply
[+] [-] degenerate|13 years ago|reply
[+] [-] ChuckMcM|13 years ago|reply
[+] [-] betterunix|13 years ago|reply
They could use TLS...
[+] [-] richardwhiuk|13 years ago|reply
[+] [-] jcr|13 years ago|reply
Injecting a script into insecure HTTP is just one of many abuses possible by ISP's. Replacing images on the fly is another. Recompressing (degrading) images/video is another. Messing with DNS responses is another, and so on...
A far better working solution is to use a VPN service since when it's configured correctly, it will encrypt all traffic passing through your ISP. Of course, this is really just moving the trust problem, rather than solving it, but at least using a VPN service makes it your decision who to trust. I use Tunnelr.com [2] since by reputation, similar interests, and years of traded emails, I know the people who run it.
[1] https://www.eff.org/https-everywhere
[2] http://tunnelr.com
[+] [-] revelation|13 years ago|reply
What is the FCC good for?
[+] [-] dmiladinov|13 years ago|reply
[+] [-] joshAg|13 years ago|reply
The correct solution is signing the webpage (but not necessarily encrypting it). More technically, that means the server/website would hash the source of the webpage, and then send the webpage, the signed hash, and if needed, the cert it used to sign the hash. Upon receiving both the webpage and the signed hash, the browser would then check to make sure that the signature can be trusted (using a chain of trust the same way we do with certs for https pages already), hash the webpage source it received, and then verify that that hash matches the signed hash it received from the website.
It doesn't matter if any of that is sent in plaintext, because there is no sensitive information, and as long as the hashing algorithm used is strong (ie sha2 family, not md5), then the isp can do fuck all to inject javascript.
[+] [-] cramerica|13 years ago|reply
[+] [-] michaelfeathers|13 years ago|reply
It would be interesting to see a lawsuit along those lines.
[+] [-] tantalor|13 years ago|reply
[+] [-] afreak|13 years ago|reply
ISPs of this size try and maximise as much profit out of their customers and being that a lot of CMA's sites were over provisioned and are barely able to provide telephony service without incompetence-y along the way, it is not shocking that ads being injected into pages is a new thing for them.
To see these bullshit ads showing up on random pages is far from surprising.
[+] [-] DanBC|13 years ago|reply
Because that seems like something that Google would not tolerate.
[+] [-] johnvschmitt|13 years ago|reply
That's why I bought Google stock after they got into Android, as Android makes it possible for Google to now step in & protect against the MITTM attacks by ISP's blocking their ads. The OS gets the final word before it displays content to the user & it can detect & block these.
Now, they just have to deploy the fix to Android...
[+] [-] grecy|13 years ago|reply
It all comes down to who do you trust.
[+] [-] coldcode|13 years ago|reply
[+] [-] ancarda|13 years ago|reply
[+] [-] nkorth|13 years ago|reply
[+] [-] na85|13 years ago|reply
[+] [-] FireBeyond|13 years ago|reply
"I laughed to myself briefly, thinking: “who uses Bing?”, and then realized I was a computer science grad student who had managed to get malware on a Mac, so I wasn’t in a position to judge."
[+] [-] 6thSigma|13 years ago|reply
I looked into switching then to another ISP, but the only one available is 1.5Mbps DSL vs their 15Mbps connection now.
[+] [-] gesman|13 years ago|reply
[+] [-] tomjen3|13 years ago|reply
[+] [-] betterunix|13 years ago|reply
[+] [-] ttrreeww|13 years ago|reply