Broadband ISP CenturyLink Is Blocking Users' Internet Access Just To Show An Ad
from the ill-communication dept
US telco CenturyLink is under fire for temporarily disabling the broadband connections of broadband customers in Utah unless they click on an ad for CenturyLink security software. Even more oddly, the telco is repeatedly (and falsely) trying to blame a new Utah law for its ham-fisted behavior.
It began when a CenturyLink user in Utah posted to Twitter that his CenturyLink broadband line suddenly and mysteriously stopped working. Using what appears to be JavaScript ad injection (an already contentious practice), Centurylink then sent the user a notice stating his broadband connection would not be restored until he acknowledged receipt of the message, which appears to be a glorified advertisement for CenturyLink’s @Ease filtering and security software:
Just had @CenturyLink block my internet and then inject this page into my browser (dns spoofing I think) to advertise their paid filtering software to me. Clicking OK on the notice then restored my internet… this is NOT okay! pic.twitter.com/NtCZUeJF8I
— Rich Snapp (@Snapwich) December 9, 2018
In a blog post first spotted by regional Utah news outlets and subsequently Ars Technica, the user explains how he was initially under the impression that CenturyLink had tried to block him from visiting a phishing website, only to realize later that the ISP was really just temporarily holding his connection hostage until he engaged with a product ad:
“At first glance I was worried that I had somehow been redirected to a malicious website and that this was some kind of phishing attempt… After all, I didn’t navigate here. I attempted to do another search but still ended up at this same notice. I considered the idea that maybe my ISP had detected some kind of threat coming from my network and that’s why I was seeing this official looking page. Eventually, after reading over the page several times, I clicked “OK” and my internet was back.”
When criticized, CenturyLink repeatedly told the user and many reporters (myself included), that it had to block user access in this fashion due to a new Utah law:
Legislation requires us to notify Utah consumers of content filtering options to protect minors in a conspicuous method. To protect those most vulnerable, the most conspicuous method is a pop-up. We did not engage in DNS hijacking. – Zac
— CenturyLinkHelp Team (@CenturyLinkHelp) December 18, 2018
Except that’s false. Utah is, Techdirt readers will be aware, home of what has been a near-constant stream of ridiculous efforts to filter porn, a technically impossible task (something backers of the idea refuse to learn). And while this new law in question is dumb, it’s not quite that dumb. The law requires ISPs to inform users that filtering software is available to them as a sort of half-measure toward combating porn. ISPs can do this in a number of ways; the law specifically recommends either including mailers in user bills or sending an email.
The law does not require that ISPs sever access to the internet in order to show them ads for an ISP’s own software, something CenturyLink executives appear to have come up with on their own. That’s something the bill’s author himself confirmed when asked by the impacted user on Twitter:
I?m sorry you are having problems. SB134 did not require that ? and no other ISP has done that to comply with the law. They were only required to notify customers of options via email or with an invoice.
— Todd Weiler (@gopTODD) December 10, 2018
Users on Reddit indicate this wasn’t isolated to just this user — all Utah CenturyLink customers appear to be experiencing this unnecessary, heavy-handed nonsense. Now it’s possible CenturyLink could argue it was just over-complying to adhere to the law, but since the law is pretty clear an email is ok, this argument doesn’t hold up. More likely, CenturyLink executives either thought they’d use the law as a marketing opportunity, or wanted to bring attention to the dumb new law. Unfortunately that’s not really accomplished by behaving stupidly yourself.
Of course this is the kind of ISP behavior our since-discarded net neutrality rules were designed specifically to prevent. And while a few days of press shame may drive Centurylink away from the policy if users are lucky, that’s really no substitute for an attentive FCC that actually cares about keeping the internet free from idiotic monopoly ideas exactly like this one. The battle over net neutrality has always been about slippery slopes, and letting an ISP interrupt internet traffic to market its own products–and then lie about it–is slippery as hell.
Filed Under: ads, blocking, broadband, filters, injection, packet injection, utah
Companies: centurylink
Comments on “Broadband ISP CenturyLink Is Blocking Users' Internet Access Just To Show An Ad”
And I bet there are various marketing people reading this and asking how much will it cost to do the same?
Saw this after I saw a tweet about someone visiting a freind & they took the webpage he was going to & put it in a frame under a threat to pay up or else…
Re: Re:
So, this story’s over a week old now. Has anyone based a phishing site on it yet?
Re: Re: Re:
Not yet, but I did raise the possibilities in the tweets I made on the topic (It was me)
https://twitter.com/ktetch/status/1075442986455052294
“I’m sorry you are having problems. SB134 did not require that — and no other ISP has done that to comply with the law. They were only required to notify customers of options via email or with an invoice. “
This is the third article which dismisses the true problem: why did Utah’s legislature make this a law to begin with.
*THAT* should be the focus, not an ISP blocking the internet (a daily occurrence).
Re: Re:
I don’t know, I think pointing out they’re both stupid (which I did) works. Even if you think a law is stupid, being even DUMBER (and lying about it) isn’t any kind of solution to your complaint.
Re: Re: Re:
Make stupid laws up front and in people’s faces. That way they might do something about them instead of just sitting there.
Re: Re:
Why isn’t the problem, nor is it a mystery. Utah is a state with a massively Mormon population and being Mormon is as much a benefit to a political career (on either side of the isle) in Utah as being explicitly Christian is to Republican Candidates in most US elections.
Mormonism, like most Christ-derived religions, dislikes pornography from a moral standpoint. It also disapproves of masterbation. Porn bans have not stood up to legal challenge. But a ‘for the children’ law designed to remind consumers, like parents, the existence of optional filters to protect them from ‘objectionable’ material, via email or letter, but requires the consumer start the process, is pretty benign and so is something no one wants to spend resources fighting.
I suppose that legislating morality is an issue, but it is also one Techdirt covers regularly. This law, while strange, is not one that impacts the speech of consumers, or their viewing habits.
Given that the ISP choose instead to block the internet and blame the law for hijacking a customer’s internet session, that is news. The why and how of the blocking is important.
You must be burnt out on net neutrality. That’s understandable. But it is how corporations rule us. By violating our norms until we accept that the norms will always be violated, and the violation becomes the norm. Techdirt remains vigilant. I remain vigilant. You, clearly, refuse.
Re: Re: Re:
Must be an adventure, scoring a cup of coffee…
Re: Re:
They were also using some kind of traffic hijacking to redirect people to the page, which to me is the bigger problem. (They deny DNS hijacking but don’t say how they got the popup to appear; the only other option I know is to redirect and rewrite port 80 traffic.)
It also indicates a serious problem on the customer’s end. "Eventually I turned to a Google search on my phone only to be immediately greeted with an official looking notice"—what? Google has been encrypted for years now. How did the customer accidentally end up on a site vulnerable to the ISP’s hijacking? Google.com claims to use HSTS to force encryption; it shouldn’t have been possible.
And I didn’t see a comment about this yet: CenturyLink is giving out the customer’s account number. If they had open wifi, anyone driving by could have that number now.
Re: Re: Re:
That does not protect the initial DNS request, and the ability to put up a page if the name does not resolve.
Re: Re: Re: Re:
HSTS is meant to protect exactly that. If your browser has a record of you having gone to google.com, and it had HSTS, the browser will automatically convert all http requests to https. And DNS-redirection will cause any https connection to throw an error, because CenturyLink shouldn’t have a valid google.com cert. (Try it: put a google.com record in your hosts file that points to the IP of an unrelated https server, then go to https://google.com.)
Otherwise, any random wifi AP could redirect your bank’s DNS elsewhere and grab your password.
Re: Re: Re:2 Re:
I suspect that the errored the DNS request, and used the error page for their advert, as an error page can say anything. That would fit with their claim that they did not use DNS redirect. The way to test that would be to use any DNS server other than the ISPs. Googles is easy to remembers being 8.8.8.8 or 8.8.4.4.
Re: Re: Re:3 Re:
That doesn’t make sense. You cannot send an arbitrary error page back in response to a failed https connection. If you could, the phishers would do exactly that. And you can’t send a "page" back from a DNS request.
Re: Re: Re:
It was probably done in the same way that when you forget to pay your internet bill, they reboot your modem and give it a new IP address with a designated range that redirects all traffic to a “pay your bill” webpage.
They most likely had an account check. Anyone that had not yet checked the agree box would have the “pay your bill” webpage, but if you hit the check box, they’d reboot you back to the regular internet.
Re: Re: Re: Re:
Sure, easily done, but any https connection is supposed to throw an error if redirected to an unauthorized server. Unless you mean they’re working with a browser’s built-in captive portal detection feature somehow. (Is that standard? There were talks.)
Re: Re: Re: Re:
Which sounds like the reason why their instructions were to reset the router if the internet didn’t come back after clicking the notice.
How shortsited to think a few sales of their @ease would compensate for the users that probably ditched them for this crap.
Re: Re:
Ditch them and get internet from…?
Most communities don’t have the luxury to choose.
Re: Re: Re:
Really?
I live in a county of 200,000 people in Arizona (a state with fewer than 8 million people in it, 6 of which are in one city) – 5 miles outside a town of 15,000.
I still have 3 internet providers available. They all suck – but I’ve got competition.
Re: Re: Re: Re:
And I live within 5 miles of ASU and the only broadband ISP available at my address is Cox.
Are you counting dialup and satellite? Or are you just lucky?
Re: Re: Re: Re:
I live in a county of ~400,000 and in a township of ~20,000 and I have one broadband internet provider available. There is one other DSL provider available but they can only provide about 3-6 Mbps at my location. Your situation is quite unusual in the United States.
Re: Re:
Depends upon how their ‘security/filter’ software works. Does it also collect information and pass it back to Century Link? Does it make note of all your contacts and add them to a list to track (a la Facebook)? And as noted above, what are your other choices?
Got it too
Had this happen to me as well once I came back from out of town. Loaded up my usual daily blogs, and half of them or so loaded this page, while the other half seemed to run a bit slow.
What’s odd is that it doesn’t block all traffic, as some big name sites (google, yahoo, etc) still work, but most minor sites load the “ad”.
I’d gotten this before when I downloaded some… less than legal audiobooks once. Same method done as here, where most sites are down and showing a notice from the ISP.
Working as intended
This is how de-regulation works. Expect more hijinks like this since there isn’t any sort of consumer protection on the table.
This is the same “feature” that Century Link uses if they get copyright claims against you. You are required to click through a bunch of guilt-shaming to get your connection back. Pretty obnoxious, but what are you going to do? Get Comcast? HA!
Apple lawsuit in the making?
I wonder if Apple will sue CenturyLink over the product? They own the trademark on AtEase as a software security product, as well as on @me. There’s definitely room for product confusion here. Of course, since neither mark is being used anymore, it’s possible they don’t care, but that doesn’t sound like the Apple I know.
There’s are laws that prohibit this type of behavior–charging for a service that you then don’t provide. Usually, it’s just called fraud.
Testing the waters...
CenturyLink probably decided they would use this opportunity to test this kind of ad injection while having an “excuse”. It will probably happen again, and soon if there is not enough backlash this time.
My guess is that they will wait a period of time, then do another trial-run… wait a shorter period of time and then do another… so on and so forth until people are used to it.
If that doesn’t work out they will probably make regular ad-free internet connections more expensive while offering “cheap” connections with ad injections like this (cheap meaning almost, or exactly, same price as connections now).
Long have they looked envious at TV stuffing more and more ads into every hour and I am betting it is in their long-term strategy to stuff the internet just as full of them.
Interesting … perhaps Utah has made a mistake here.
What are the laws about 911 access, I don’t think states have much say in this.
Some people, by choice, do not have plain old telephone service and they rely upon their internet connection for telephony related functions, including 911 service that Centurylink blocked.
Re: Re:
It’s a dumb law, but it didn’t actually require CenturyLink to implement it in the way that it did.
Are we sure CenturyLink counts as broadband?
Jesus Christ.
Its not to ‘show an ad’ Its to comply with a state government mandate.
You can say the legislature ‘never intended’ for them to comply with the legislature’s mandate in this manner – but the ISP is still required to contact users to inform them about porn filter software the ISP is mandated to offer them.
This way at least no one – especially the legislature – can come back later and say ‘we didn’t know, you didn’t put enough effort in to contacting people’.
Re: Re:
They could also send the mob around to tell you, but it doesn’t make that a good or honest idea either.
This is a terrible response to a terrible law.
An ISP? Getting criticized? out of the blue is going to be pissed…
Re: Re:
Shut up, Blue. We know it’s you.
Re: Re: Re:
I’m not sure which would be more pathetic, Blue pretending to be their own fanboy/girl, or someone who actually is.
Nothing new here
I’m not seeing anything worth a story; beyond possible user stupidity.
First this is a big fat nothing of a story. Years ago when I had AT$T I would get occasional notices of service changes that disconnected the internet until I agreed. Charter did the same to me even earlier. A mandatory click through for each TOS change. That goes back to old telephone DSL days.
Second, the filter option was just that, an option.
Third, the law requires that filters be made available and that the customer be made aware. A one button click through seems as good a route as any.
Fourth: they pushed their own tool. So what. Anyone unskilled enough to set up their internet connection with an included software cd already knows that communications companies are going to push their software, be it by partnership or rebranded. The fear mongering in clicking to disable installing inferior software such as Symantec or Eset makes people install it anyway.
So why not look at the far more underhanded tactics like those install discs?!? Not a click through notification.
And really, are you so caught up in looking for something, anything, to prove the regulatory changes caused harm somewhere that you resort to this.
This has nothing to do with net neutrality! No traffic was redirected. You weren’t charged to do something previously free. You weren’t blocked from using the services of your choosing! You were prompted with a notification from the provider. One that required a simple click through to access. A process I’m sure was easier than registering to post here. Where you get a page. Another page. Go to your email for code. Enter code. Finds article again. All you had to do was click through and acknowledge you were made aware that draconian filtering was available to you. Where’s the story?