Paxfire Responds: Says It Doesn't Hijack Searches, Will Seek Sanctions Against Lawyers

from the then-what-does-it-do? dept

Last week, we wrote about a lawsuit filed against Paxfire for supposedly teaming up with ISPs hijacking browser searches for profit. The idea was that search terms never made it to the search engine in question, but rather automatically directed users to pages paid for by marketers. That is, if you searched for “Apple” via your browser search, rather than having that search Bing (if Bing is your search engine) for “Apple,” it would automatically take you to an Apple page — and the search would never even touch Bing. The story was based on a New Scientist story about some researchers highlighting these practices and a class action lawsuit filed over the practices. New Scientist has updated the story to note that:

all the ISPs involved have now called a halt to the practice. They continue to intercept some queries ? those from Bing and Yahoo ? but are passing the searches on to the relevant search engine rather than redirecting them.

However, Paxfire’s CEO sent us an email in which he not only refutes the entire story, but claims that he’s planning to seek Rule 11 sanctions against the lawyers who filed the class action lawsuit:

This lawsuit is without merit, and harmful to our business and that of our partners. Let me respond to the two major accusations in the lawsuit.

“First, the lawsuit alleges that Paxfire collects, analyzes and sells user information. This is completely false and has absolutely no basis in fact.

“Paxfire does not and has never distributed or sold any information on users, either individually or collectively. Paxfire does not analyze end user searches, does not hold any history or database of user browsing or search, and does not profile users in any way. Moreover, Paxfire has no plans to change this policy. To repeat: We never, ever collect, monitor, store or sell personal data on users, collectively or as individuals, and we never have.

“Second, Paxfire does not hijack searches or ‘impersonate search engines.’

“This would be fundamentally contrary to our service mission, which is to improve the user experience by helping users arrive at their intended website after having mistyped a web address. We are all about helping customers navigate the web, and not about searches. We partner closely with our ISP customers to ensure the service is operated not only in full accordance with the law and end user agreements, but also in a way that provides a good user experience. For example, when we have to guess the intended destination from a bad address, our results page includes an explanation of how they landed there and provides an option to opt-out of the service.

“Finally, we want to make clear that while it is without merit, this lawsuit and its allegations are extremely harmful to our reputation and those of our partners. Under Rule 11 of the Federal Rules of Civil Procedure, a party has an obligation to ensure a foundation for his or her allegations. Clearly, this was not done adequately by the plaintiff in this case. Accordingly, Paxfire intends to seek the full sanctions available to it under the law, to vindicate the organization and to make it whole from the damages caused by this lawsuit.

It appears that they’re saying they didn’t hijack searches so much as hijack typo searches, and they claim they do it nicely. I guess we’ll find out the details as any lawsuit goes on, but I find it highly unlikely that even if Paxfire prevails that it will be able get Rule 11 sanctions. It’s pretty rare for such sanctions to be used, and the conduct has to be pretty egregious.

Filed Under: , ,
Companies: paxfire

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Paxfire Responds: Says It Doesn't Hijack Searches, Will Seek Sanctions Against Lawyers”

Subscribe: RSS Leave a comment
ofb2632 (profile) says:

Too fine of a line

“It appears that they’re saying they didn’t hijack searches so much as hijack typo searches”

Hijacking ANY search, even if it is a typo search, is hijacking. Any explanation to the contrary is merely ‘lawyer talk’… I wish judges would use the VERY simple analogy to see the truth… if it looks like a duck, swims like a duck, and quacks like a duck, it IS a duck.

Hulser (profile) says:

Re: Too fine of a line

Hijacking ANY search, even if it is a typo search, is hijacking.

Your statement would make sense if entering a URL into the address field of a browser qualified as a “search”. But it doesn’t. When you enter someone’s phone number into your mobile phone, is that a “search”? No. You already know exactly who you want to talk to and how to reach them; you’re just telling the phone to actually make the call. Similarly, when you enter a URL into a browser, you’re just telling the browser to actually navigate to the page. There is not search.

anotstupid says:

Re: Re: Too fine of a line

I don’t think you understand how search works. Or software. Or the internet. Or phones.

When you type a number into your phone, it connects to that number directly.

When you type a string into your URL bar, your browser does the following:

1. It checks to see if it is a properly formatted address. If so, it queries a DNS, then connects to the proper server.

2. If it is _NOT_ a properly formatted address, it sends the string to whatever search engine your browser has as a default search engine.

If the behavior that is discussed in this article is implemented, then there is a break between 1 and 2, whereby the DNS of the ISP that you are using _LIES_ and says that your shittily formatted address is, in fact, a proper address, and then redirects you to a different page.

I doubt that you will read any of this, but let me just put this in black and white for the purposes of internet memorialization:

You are either stupid, paid to have this opinion, or both.

DannyB (profile) says:

Re: Re: Re:2 Too fine of a line: "If it is _NOT_ a properly formatted address"

If you disabled the internal search engines in your browser, then you definitely would not want the hijacking that occurred between 1 and 2.

The ISP would not LIE, your browser would proceed to step 2 and realize — hey, you don’t have an internal search engine, and display an error page — as you want.

If you didn’t want the error page, then why did you disable search engines in your browser?

If you wanted the ISP’s lying DNS and hijacking, then it should be OPT IN rather than OPT OUT.

Hulser (profile) says:

Re: Re: Re: Too fine of a line

2. If it is _NOT_ a properly formatted address, it sends the string to whatever search engine your browser has as a default search engine.

This is not necesarilly the case with every browswer out there. It may be that these days, it’s quite common for an ISP or a browser to include functionality that will redirect an invalid URL to a proprietary page, but this hasn’t alwasy been so and it’s not part of the standards. My quibble with your statement is not the morality or legality of redirecting an invalid URL; it’s with the use of “search” in reference to this behavior.

When your average person enters in a URL into a browser, they don’t think of this as a “search”. In spite of the fact that this may result in a search depending on their ISP or browser, they think of this as what it is, a command to navigate to a certain page. Looking at this another way, if did a survey and asked people to describe a web search, I’d bet that the vast majority would describe going to or some other specific site and typing in a search term, not entering a URL into the address field of a browser.

You are either stupid, paid to have this opinion, or both.

Well, this is a first. I’ve never been called a shill here before. I think you do a disservice to the Techdirt community with your assumption that I’m being paid for my posts. I don’t doubt that there are shills who post comments here, but reacting to an opinion that happens to differ from yours with this kind of accusation brings down the entire conversation. I am not being paid for my posts. Besides, if you read my comments carefully, I am not defending what Paxfire is doing. I’m merely making the distinction between a search and redirecting an invalid URL.

ComputerAddict (profile) says:

Re: Re: Re:2 Too fine of a line

While it may not have always been so that browsers included searchs as part of the URL bar, it has been 3-4 years since the Majors have included this feature (IE, Firefox, Safari, Chrome, Opera). Power users expect the functionality, and new users use it without knowing. Users expect when reading the features on these browser’s homepages to work when they install them. As far as what the “average” person thinks they are doing when entering URLs and searches. In my experience in the IT field, I’ve seen just as many people type searches into the address bar as I have seen people type URL’s into (including someone typing in into the URL bar, only to turn around and type the URL of where they really wanted to go in the first place into google’s search bar).

Whether it is standards or not, Browsers should behave as they were intended by their coders. To modify their behavior without informing the end user like “Do you want us to help you get to pages you may mis-spell? Yes or No, Remember my choice” is irresponsible. It sets a bad precedent that could open up far more spammy / spyware ridden hijackings in the future.

Hulser (profile) says:

Re: Re: Re:3 Too fine of a line

In my experience in the IT field, I’ve seen just as many people type searches into the address bar as I have seen people type URL’s into

Yep. I’ve seen the same thing. It completely mystifies me that people don’t grasp such a simple concept, but I too have seen people entering in a URL into the Google search field. None the less, my point stands: there is a clear distinction between doing a search and entering in a URL, even if the concept has been intermingled over the years.

To modify their behavior without informing the end user like “Do you want us to help you get to pages you may mis-spell? Yes or No, Remember my choice” is irresponsible.

Too bad the “Yes or No, Remember my choice” functionality wasn’t built into the web from the start. Hindsight is 20/20 and all that.

TheStupidOne says:

Re: Re: Re: Too fine of a line

I just typed into the address bar of my browser. I was connected to

While this situation may not be exactly as described (ie Google probably owns and has a redirect), but if a website I typed in does not exist, but it is obvious that I want to get a website and not a search, what is wrong about the ISP redirecting me to a site that it believes I wanted along with an explanation of what happened and giving me a chance to opt out?

Anonymous Coward says:

Re: Re: Re: Too fine of a line

If you have a secondary DNS, say, for a work VPN you are connected to, the first DNS is supposed to return a very specific code that the requested entry was not found, then your computer sends the DNS lookup to your secondary DNS, then the next, and so on.

Anyone who uses a VPN for work and has to connect to Intranet sites internal to their organization are completely hosed by any provider who monetizes their DNS in this way. i didn’t mis-type crap, I’m trying to get to a provate server. of course there is no entry in your DNS, its PRIVATE!

There is no fine line: I was trying to access a perfectly legitimate URL over VPN. My ISP takes my request and, in violation of networking standards, takes me to another destination completely. That is hijacking.

The only workaround I have seen worth a darn is in Google’s Chrome browser, where there is only one bar for both search and URLs. If you type an Intranet address into Chrome it returns a Google search AND it performs a DNS check to see if you mean to go to a specific site. If the DNS check finds a site, you are offered a choice of a search or going directly to http://whatever.

Hulser (profile) says:

Re: Re: Re:2 Too fine of a line

There is no fine line: I was trying to access a perfectly legitimate URL over VPN. My ISP takes my request and, in violation of networking standards, takes me to another destination completely. That is hijacking.

I would agree that this is hijacking. (And really fucking annoying.) My original point was that this isn’t search hijacking. I can see where many people might actually find some value in this service. To a novice computer user, a 404 page is confusing or at least not very user freindly. But to computer savvy people, it’s just annoying. Don’t assume that because you don’t recognize the URL I typed in, I automatically want you to do a search. As you point out, it could be a site on your Internal network and you’re just not connected via the VPN. I don’t want an internal address to go into someone’s log files. My point is that while I can see the value of invalid URL redirection, I think it should be either opt-in or at the very least very easy opt-out

Hulser (profile) says:

Re: Re: Re: Too fine of a line

My phone searches the numbers it has as I type one so yes that can be a search.

Right, your phone searches for the number, not you. This may be splitting hairs, but I think in the minds of most people who are entering a known phone number into their phone, they’re not doing a search, they’re simply entering in a phone number. Besides, I’d describe this behavior as more of an auto-complete feature rather than a search.

John Fenderson (profile) says:

Re: Re: Too fine of a line

Your statement would make sense if entering a URL into the address field of a browser qualified as a “search”.

I disagree. Whether the use itnent was to search or not is irrelevant. It’s still hijacking, because they are intentionally breaking important mechanisms of the internet. If I put in a nonexistent domain, internet standard specify a very specific response that lots of software absolutely relies on.

If a third party, especially without my knowledge and consent, alters this behavior to make the malformed domain name resolve to something they have hijacked. And they’ve broken my internet. ISPs who do this or allow it to be done are, imo, breaking their contract with their users: to provide internet service. They are, instead, providing a broken service that doesn’t not adhere to standards and therefore, technically, is not true “internet service.”

It’s a very mild form of fraud, as you aren’t getting what you’re paying for.

A Dan (profile) says:

Doesn't sound like searches

Many people have their browsers set to search Google or some other engine if they type an invalid address into the address bar. Those often only work if they get a 404. It sounds like these guys are just doing what almost every annoying internet provider does and redirecting 404 errors. I don’t think that deserves a class-action lawsuit, however annoying it may be.

To be clear: That wouldn’t be hijacking searches. It would be redirecting 404 errors, which are not directed at any provider in particular at that point in the process.

Scooters (profile) says:

Re: Doesn't sound like searches

I concur with this. Brighthouse, here in Indiana, redirects 404 pages with their own “Buy! Buy! Buy!” page, while putting up links to search engines.

To me, this is no different than advertising some cable companies put on their guides.

It’s annoying, but certainly not illegal.

Unfortunately, we now live in an “IP” world where we, consumers, must now pay for our own (bleeping) advertisement.

Josh in CharlotteNC (profile) says:

Re: Re:

If you use OpenDNS, you will find that they redirect on domains not found or incomplete entries. Many ISPs also use this sort of thing.

That doesn’t make it right. It breaks the accepted DNS standards, and thus can cause some applications to fail or produce unexpected results – and that’s exactly why it was caught, since it was hijacking Google searches.

Google Chrome browser takes incomplete addresses typed into the address bar as searches.

That is a known and expected feature of the product, and is clearly stated and promoted, and is completely agnostic to the particular word or phrase. Are these ISPs clearly telling users that they’ll redirect certain search terms to a marketing company?

It really doesn’t sound like paxfire is doing anything particularly nasty.

That’s what was said about Phorm.

hegemon13 says:

RTFA, Mike

“It appears that they’re saying they didn’t hijack searches so much as hijack typo searches, and they claim they do it nicely.”

No, it pretty clearly says that they redirect typo addresses, NOT searches. That is, when you mis-type the URL in your browser bar and the domain cannot be found, they direct you to a page that lists similar URLs to what you typed. In other words, instead of a 404-Not Found error, you get helpful suggestions to get you to the right place.

Nearly EVERY DNS provider does this now, from OpenDNS to the major ISPs. I know that Time Warner does this for my home internet. It’s not hijacking anything. It’s simply displaying a more useful landing page when the DNS server encounters an unresolveable address.

John Fenderson (profile) says:

Re: RTFA, Mike

It’s not hijacking anything. It’s simply displaying a more useful landing page when the DNS server encounters an unresolveable address.

In what sense is this not hijacking anything? Instead of getting the response which you are supposed to get, you get their obnoxious “landing” page.

Which means that if you are relying on the error that internet standards promise you, you are hosed. Your software will think that the DNS lookup succeeded when, in fact, it failed. Your ISP just broke the internet for you. That this is now common practice doesn’t make it any less wrong.

The awful thing is that they could have provided the same functionality (as,indeed, modern browser do) without breaking anything.

ISPs (and Google) who do this are pretty much just giving you the finger and chuckling at how you accept degraded service for their unmitigated greed.

Yes, this subject gets my blood boiling, just as much as DPI does. This kind of hijacking is worthless to anyone except the provider.

Nicedoggy says:

Yah right.

Also about hijacking, some exit TOR nodes are inserting their own ads on webpages, specially if you connect to Russian exit nodes, maybe others are doing to, I just noticed the Russian ones, when Privoxy blocked an entire page and when it changed the exit node to one in Germany it load the page.

Paxfire may be betting that there are no way one can identify something being redirected, they would be wrong.

From what I read they were in fact inserting their own content into others pages requests and that is a big no, no.
Now the surprising part, they have been doing this for ages now, in 2008 people even found security vulnerabilities on that, that could put people at risk. Paxfire apparently even tried to get BIND to put their code in it.

Tools to identify DNS hijacking:
TOR and Privoxy(Since privoxy automagically blocks almost all ad links but puts a big white place holder in case you want to see that ad and you can access the same page from multiple exit points you can compare to see if the page served in one is different from the other)

Nicedoggy says:


Paxfire’s privacy policy says that it may retain copies of users’ “queries”, a vague term that could be construed to mean either the domain names that they look up or the searches they conduct, or both. The redirections mostly occur transparently to the user and few if any of the affected ISP customers are likely to have ever heard of Paxfire, let alone consented to this collection of their communications with search engines.


That privacy policy sure don’t look right to me.

out_of_the_blue says:

Weasel: "when we have to guess the intended destination from a bad address..."

They NEVER “have to”, they’ve gone to some effort to do so for purposes of inserting advertising. As above, even if many ISPs do it, it’s not ethical — or legal, they just CAN.

2nd, I think Paxfire can be totally stymied by adding their name into your “hosts” file, if you have one. That completely prevents (or, to be accurate, /should/ if the system is honest) a browser from even seeing a site, just puts up its internal “can’t connect” message.

Tom The Toe says:

What is telling in their response

“when we have to guess the intended destination from a bad address, our results page includes an explanation of how they landed there and provides an option to opt-out of the service.” The fact that I never had the chance to opt in in the first place tells me they are doing something wrong in sending me someplace I had no intention of being.

Rich Kulawiec (profile) says:

Re: What is telling in their response

That last sentence is precisely right: anything, anywhere, anytime on the Internet that requires “opt-out” is abusive.

And those responsible know this is true, which is why they’re sneakily forcing it down users’ throats: if what they had was truly good and truly desired, they wouldn’t have to do that. They KNOW that what they’re doing (which is monetizing NXDOMAIN, an inherently dishonest and fraudulent act) is wrong, they KNOW that people don’t want it, they KNOW that it breaks things…but because they’re greedy assholes, they’re going to try to do it anyway.

A. Non says:

Again with the legal threats, Mark Lewyn?

I have no affiliation with Google, Microsoft, Comcast, and I have no financial interest whatever in this issue. But I care about it passionately because I am a consumer and a former (current?) victim of Google search hijacking by Paxfire.

This is why I have been calling since 2008 for investigation into the sleazy and probably illegal business practices of this company and its “partners”, some of which appear to be front companies— and if Mark Lewyn disagrees, let him lay out for the world the corporate ownwership of Almar Networks LLC, for example (one of the companies which came up in my investigation in 2008 into the question of who was hijacking my Google searches, and also in independent research in 2011).

In his email to Mike Masnick, Lewyn wrote “First, the lawsuit alleges that Paxfire collects, analyzes and sells user information. This is completely false and has absolutely no basis in fact.” This appears to be contradicted by the description in Paxfire’s patents related to its Paxfire Lookup Engines (PLE).

United States Patent 7631101

Sullivan, Alan T. (Leesburg, VA, US)
Lewyn, Mark (Washington, DC, US)
Gross, Phillip (Purcellville, VA, US)

A computer system … comprising a server in the DNS… provides… DNS forwarding, URL filtering,…
Based on the type of inquiry that is being made, FIG. 4 shows how the PSP will return customer specific content based upon the profile stored for that customer or ISP… DNS Proxy intercepts DNS requests at port 53 and passes on those requests to the DNS of the ISP…
The PLP can send information such as … information about the owner of IP addresses… The Profiler …can contain profile information about the ISP or the customer…The Page Builder module builds the PSP landing page in real-time in response to the profile of either the user, the ISP, or both that are stored in the Profiler…the identity of the user can then be determined by the IP address of the requester to bind a particular DNS request with a particular requester…the present invention… determines the general location of the computer of the user, for example through zip code…

From a story by Andrea Caumont which appeared in the Washington Post, 31 January 2005
So Lewyn and his co-founders, Alan Sullivan and Sezen Uysal, hit upon the idea of creating a technology that would work through Internet service providers. “Everyone will say the right place to do this is at the ISP level,” Lewyn said, because ISPs are private companies that run private networks in an unregulated environment.

What we are discussing here is in fact an excellent example of the kind of outrageous abuse of consumer rights which will continue until the US Congress recognizes that the basic problem is precisely that companies which operate network equipment are unregulated.

Mark Lewyn has often claimed that consumers can “opt out” of Paxfire hijacking. To say the least, that has not been my experience at all.

@ the US Congress, the US FTC, the US Dept of Commerce, the US Attorneys General: how can the consumer even attempt to “opt out” if when they call their ISP’s call center to ask why “Google is down”, the employees they are talking to have been mislead by Paxfire (or its business partners, maybe even their own company) about who and what is responsible for false DNS information being provided, which causes a url like to resolve to the IP address of a server which is not operated by or in any way affiliated with Google, which presents a perfect mimic of Google, but which is a perfect mimic of a genuine Google search result page. How precisely does that differ from malicious hijacking by cybercriminals?

A. Non says:

"Improved user experience"?

From a Knol by an ISP admin who says he was misled by Paxfire into passing on misinformation to consumers:
How Paxfire stole – and nobody noticed.
Joseph Harris
8 August 2008

When called to the carpet every single one of these invasive marketing firms and the ISPs that utilize them attempts to spin their activities as “improving the internet experience”.

How does it improve the consumers experience when they find they cannot search Google? Not because Google is down— that never happens— but because Paxfire’s secret DNS hijacking box is down. Which is the only way many consumers find out about Paxfire and its curious business model.

See the EFF Deeplinks blog
and the two research papers it discusses:

The researchers found evidence of multiple redirections of search requests by consumers who clearly did not know about or desire interference and profiling by Paxfire, whose purpose appears to be to create the false impression that multiple consumers are “clicking through” on some page, which causes companies to pay advertising revenue to Paxfire and its business partners. How is precisely that different from what we call clickjacking when the cybercrooks to it?

US Congress, are you listening?

A. Non says:

Paxfire does not hijack?

Mark Lewyn claims: “Paxfire does not hijack searches or ‘impersonate search engines.”

Reporters, Attorneys General: don’t be fooled by this technobabble.

The facts are perfectly simple.

If you type into your browser url bar, your browser should arrive at a server operated by Google. That is what DNS is designed to ensure happens. To check that it is working as designed, savvy consumers can check that that the IP address corresponds to the true owner of the domain named in the url.

But what Paxfire has been doing for years— and many people, including individual consumers who have been victimized have documented this— is ensuring that consumers whose ISPs (or their business partners) have installed Paxfire equipment wind up instead at a server whose IP address shows that it is not operated or affiliated in any way with Google, but which presents a perfect mimic of a Google search result page. Not just for some searches, but, at least for customers of some ISPs, apparently for ALL searches. As a consumer and a victim I documented that ALL my Google searches were being hijacked and winding up at a server which as I verified with Google has nothing to do with Google. How can that possibly be legal?

Mark Lewyn has repeatedly claimed that if such things happen, it must be an error. But there is a great deal of evidence that this hijacking is intentional.

I have been warning since 2008 that my estimate millions of American consumers are being victimized by such DNS hijacking by Paxfire equipment. The recent research papers appear to have that confirmed my 2008 estimate probably remains accurate in 2011.

So why is Paxfire still operating?

A. Non says:

If Paxfire is doing nothing wrong, why all the secrecy?

Mark Lewyn writes: “We are all about helping customers navigate the web, and not about searches.”

Simple question: why, then, in the case of consumers whose ISPs (or their business partners) have installed Paxfire equipement, when the consumer enters a search request in his browser search bar, or enters in his browser url bar, does the supposed Google search result page have an IP address which has nothing to do with Google? In my investigation into hijacking of my own Google searches in 2008, I found that one of the companies whose servers I was misdirected to was

RENO, NV 89509-7020

Almar Networks LLC
297 Kingsbury Grade, Suite D
Post Office Box 4470
Lake Tahoe, NV 89449-4470

Almar Networks LLC
Stateline, NV

And according to the government of the US State of Nevada, this company is “managed” by


I ask again: if Paxfire is doing nothing wrong, why does it hide the existence and purpose of its equipment from admins employed by (at least some of) the affected ISPs? Why does it hide its operation of the servers presenting fake “Google search result pages” behind what appear to be front companies?

I speak as a consumer, not as a lawyer, but I say again that I think it should be perfectly clear to US Congressional staffers and to lawyers working for the various US Attorneys General why investigation is warranted.

A. Non says:

Business as usual?

hegemon13 writes “it pretty clearly says that they redirect typo addresses, NOT searches”.

Not true. In many cases, as the research papers described in the EFF Deeplinks blog document, ALL searches by (almost) all consumers of certain ISPs are being hijacked and redirected to non-Google servers.

I know this from personal experience. And employees of my ISP (and at Google) verified that ALL my attempts to access the Google search engine were being hijacked and redirected to a server not owned, operated or in any way affiliated with Google. And multiple independent investigations since 2008 keep coming up with the same culprit: Paxfire.

Some others wrote that they believe that many American ISPs hijack Google search requests. Yes: they are the ones which have hired Paxfire (or possibly its business partner GlobalPops, a subsidiary of Ad-Base Systems, which is named as the worst offending ISP in one of the papers cited in the EFF Deeplinks blog.)

@ US Congress, US FTC, US Department of Commerce, US Attorneys General: you know what to do: hire tech experts to study the patents, unravel the corporate structure, follow the money.

Hans says:


If Paxfire is associated with Frontier’s “search assist”, or the DNS servers, then Mr. CEO is either misinformed, or an outright liar.

I’m a Frontier customer in WA state. If I use their DNS servers, and the bing search tool in Firefox to search for “apple” or “amazon”, it doesn’t take me to, it takes me to an “interstitial” (with a Frontier brand) saying it will send me to (or in a few seconds, with an affiliate ID likely attached.

It does this because they have hijacked the DNS entry, to wit (some dig noise omitted for brevity):

$ dig


Whereas if I use Google Public DNS I get:

$ dig @
... 3391 IN CNAME 17657 IN CNAME 19 IN A 19 IN A 19 IN A 19 IN A 19 IN A 19 IN A

That there, is called hijacking.

The interstitial page does not have a “just give me bing” link, it has a “give me more information” link which takes me to an opt-out page, which will only then take me to bing. The design is obviously trying to avoid informing the user what is going on.

Oh, and the “opt-out” feature doesn’t work. It probably requires I accept a cookie or some such nonsense, which I shouldn’t have to do to “fix” their hijacking of the internet.

Yahoo! search is similarly hijacked by redirecting the DNS entry to the same servers, but it directs to what seems to be a Frontier branded Yahoo! search page instead trying to take you straight to “apple” or “amazon”. I’m guessing their deal with Yahoo! already gets them a cut for the referral.

So, assuming the association between Frontier,, and Paxfire, I think the Rule 11 threats are just a bunch of hooey to cover his ass.

A. Non says:

Spot on, Hans!

Referring again to the EFF Deeplinks blog post and the two research papers it discusses:

and the 2008 Knol by Joseph Harris (an admin an ISP who was apparently lied to repeatedly by employees of a business partner of Paxfire, GlobalPops, which is a subsidiary of Paxfire)

The EFF pointed out in the Deeplinks blog post on this issue that after the most recent outcry the named and shamed ISPs turned off the Paxfire hijacking of Google, but may be still redirecting Bing. In the paper by Weaver et al., “Implications of Netalyzer’s DNS Measurements”, the authors name two subnets as presenting fake Google search pages to unsuspecting consumers who thought they were connecting to but instead are connected by Paxfire’s equipment to servers which are not owned, operated, or affiliated with Google:

IP:8.15.228/24 Inc. LVLT-COLOC-1-8-15-228 (NET-8-15-228-0-1) –
Development Gateway, Inc. DEVEL (NET-8-15-228-0-2) –
Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1) –

Almar Networks LLC INAP-DEN-ALLMAR-29799 (NET-69-25-212-0-1) –
Internap Network Services Corporation PNAP-12-2002 (NET-69-25-0-0-1) –

Co-Location Inc, L-3 Communications, Almar Networks LLC, and Internap Network Services Corporation all came up in my 2008 investigation (seeking answers to the question of who was hijacking ALL my Google searches). I pointed out above that according the Nevada state government, Almar Networks LLC is “managed” by Paxfire, Inc. In 2008 the servers registered by Co-Location Inc were also actually “managed” by Paxfire, Inc. (see the Knol by Joseph Harris). According to the EFF, it appears that Paxfire is also geolocating users as it hijacks their Google/Bing searches, and connecting them to specific fake Google servers (apparently actually “managed” by Paxfire, whatever that means) within these subnets. In 2008 the subnets were a bit different, but Paxfire seemed to be doing exactly the same thing back then.

My ISP in 2008 was not Frontier, but my investigations then indicated that millions of Americans who were customers of ISPs including WOW!, or who were dial-up customers of almost any ISP in the US, were being victimized each time they attempted to access the Google search engine.

Reporters, Congressional staffers, FTC staffers, States Attorneys General: please notice that Hans reports that when his browser requests (which should result a connection to a server registered to, he is connected to a server with IP, which is not owned or operated by or affiliated with, but is registered to Almar Networks, which as noted above, turns out to be “managed” by Paxfire, Inc., although this information is pretty well hidden.

Let me suggest some questions to ask Mark Lewyn: why, precisely, Mr. Lewyn, is this not hijacking? Why is this not fraud? Why the discrepancies between the description of PLE in your patent and your claim that Paxfire “does not hijack”? If PLE doesn’t hijack attempts by consumers to access the Google search engine (i.e. to connect to genuine Google servers, operated by Google, you know, the owners of the domain that the consumers typed into their browser, or expected to reach when they used their browser search bar with a setting like “Search Google”), what precisely does it do? And if that is what PLE does today to the customers of one ISP, what does PLE do today to the customers of that other ISP? And what was PLE doing last month for each of the customers for all of those ISPs? Be specific, Mr. Lewyn. Be exhaustive. Be detailed. Tell the whole truth and nothing but the truth.

More free advice for Congressional investigators: when you question this guy, think how you would question, oh, say, Bill Clinton.

Example: Lewyn carefully uses the present tense when he denies that Paxfire hijacks connections. So be sure to grill him, not just on what Paxfire (and Almar, and all the other apparent front companies) are doing on the day of his testimony, grill him on what they were all doing to unsuspecting consumers on each day from 2002 to the present. Because a little time with Google (the real one!) will uncover plenty of evidence of a recurrent pattern: every time there is an outcry over Paxfire’s trampling on consumer rights, Paxfire temporarily reconfigures its equipment until the fuss blows over, and then they go right back to hijacking ALL searches by (almost) ALL customers of the worst offending ISPs.

And be sure to grill him, under oath, on precisely what his PLE was doing on each day, so that there is no misunderstanding about the meaning of the word “hijack”. Remember, one of the “selling points” of PLE is that it is “highly configurable” and can easily be reconfigured at any time.

Another reason why consumers need inquiries which can compel truthful testimony: employees of ISPs who know about the shady (and probably illegal) business practices of Paxfire are apparently routinely warned to keep quiet, to lie by omission (or worse) to customers of the ISP who want to know:
“Why is Google down?”
“Why do I keep seeing those CAPTCHAS?” (a typical clue that Paxfire is hijacking your Google search requests)
“Why can’t I connect to genuine Google?”
We have seen that Lewyn likes to claim that “consumers can opt out” of Paxfire’s hijacking. Well, I know from personal experience that this is a flat out lie. One reason why is easy to appreciate: if Paxfire’s business partners are lying to small ISPs (or at least, to their admins), so that the ISP admins tell their own customers (consumers like me) some story about an alleged innocuous cause, or claim that I have “misconfigured” my browser, or whatever other misdirecting and incorrect explanation might be on offer, then how can the consumer possibly opt out? When employees of his ISP are repeatedly failing to explain the role of Paxfire in the hijackings— possibly because they also have been repeatedly lied too by the employees of Paxfire or its business partners. A congressional investigation which can compel truthful testimony from employees of the affected ISPs and of Paxfire and its business partners, will surely verify this.

Another reason why the claim that “consumers can opt out” is, to put it kindly, a misdirection, is that for security reasons many consumers choose to
disable cookies for most sites
disable Javascript for most sites (vulnerabilities in Javascript are frequently named as a leading cause of cross-site attacks).
But even when consumers are informed about Paxfire’s hijacking and given a webform where they can opt-out, this typically will not work without enabling Javascript or enabling Paxfire to set a permanent and uniquely identify cookie. And please don’t forget that a consumer who has already caught Paxfire hijacking his attempts to use the Google search engine, by hijacking his connection and illegtimately redirecting it to a fake Google website which mimics perfectly a Google search result page, but is actually served by a server registered to an apparent front company like Almar Networks and which is actually “managed” by Paxfire, is hardly likely to trust Paxfire enough to let Paxfire place a permanent uniquely identifying cookie in his computer!

In my opinion, it ought to be very easy to see through all these misdirections which Lewyn has used so often and which are wearing very thin indeed.

Congressional staffers, Attorneys General, FTC, DOC: Mark Lewyn seems to think you are all easily gulled. I challenge you to prove just how wrong he is. I am confident that a little serious investigation will show that the EFF is fully correct in estimating that at least 2% of the US population has been victimized by Paxfire’s years of shady (and probably illegal) business practices.

A. Non says:

Make a fuss, How to

If you, like me, are on of the 2% or more who have been victimized by Paxfire (or believe you may have been— if your ISP is one of the ones listed by EFF and if your browser ever acted like Google was “down”, or wanted you to fill out a CAPTCHA to see Google search results, you probably were), let the U.S. Senate know:

Sen Richard Blumenthal (D-Connecticut)
Judiciary Committee
702 Hart Senate Office Building,
District of Columbia 20510-0702
Phone: (202)-224-2823
Fax: (202)-224-1083

Sen. Al Franken (D-Minnesota)
Judiciary Committee
309 Hart Senate Office Building,
District of Columbia 20510-2303
Phone: (202)-224-5641
Fax: (202)-224-0044

According to the New Scientist, Sen. B said last week he intends to talk to Sen. F this week about putting on a full blown Congressional investigation. I say, go to! And ask the States Attorneys General to get in touch with Nevada to ask about the relationship between Paxfire Inc and Almar Networks LLC, and Pennsylvannia, to ask about the relationship between Paxfire Inc and Ad-Base Systems and its subsidiary GlobalPops. Follow the money! Study the patents owned by Paxfire! Read the past boasts by Paxfire CEO Mark Lewyn.

According to a story by Nate Anderson, “Small ISPs use “malicious” DNS servers to watch Web searches, earn cash”, Ars Technica, 5 August 2011, the Paxfire website (in a blurg apparently aimed at seducing greedy ISP owners):

The profit motive for Paxfire’s business partners:
“Some of our customers literally generate millions of dollars a year using the Paxfire Look-up Service… It all depends. That said, no matter how you slice and dice it, the Paxfire Look-up Service will generate good money for you.”

No worries, says Paxfire:
“What feedback you do receive typically will come from a small group of highly technical users… Even that feedback tends to fall away after just a few weeks?as they get used to the new behavior.”

This is perhaps the most outrageous claim of all: the sniveling suggestion that consumers who are insufficently “technical” deserve to be victimized. How precisely does this attitude differ from that of the con-man?

US Congress, are you listening?

Harlan Sanders says:

If anything Paxfire’s lawyers should be sanctioned for this counter suit and for wasting the court’s time by requesting sanctions against the other guy…

My ISP at work use(d) Paxfire (I’ve had paxfire’s IPs nullrouted on our router for a long time and their various DNS names as in our local DNS server) and I’ve always hated them. Contrary to what they claim there is no obvious opt out.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...