Dear ZDNet: Comcast Has Been Sketchily Injecting Messages Into Users' Browsers For Years

from the old-news-bad-news dept

Comcast has been dutifully modeling its behavior in such a way so as to fill up Techdirt's story pages for years now. So, when we come across a story somewhere discussing how Comcast is doing some bad new thing, it's tempting to simply assume it's true and move on. Such might be the case for some readers of ZDNet's recent post about how Comcast was injecting notices into browsers warning of potential copyright infringement.

"The cable and media giant has been accused of tapping into unencrypted browser sessions and displaying warnings that accuse the user of infringing copyrighted material -- such as sharing movies or downloading from a file-sharing site. Jarred Sumner, a San Francisco, Calif.-based developer who published the alert banner's code on his GitHub page, told ZDNet in an email that this could cause major privacy problems."

Well, sure, this is horrible, and it is a privacy issue -- but it isn't new. In fact, Comcast has been doing some flavor of this sort of browser injection for the better part of a decade. The company started this practice way back in 2009, using the tactic to warn users of potential malware infections, and there was even discussion about expanding the use for other security purposes in 2011. More specifically on browser injections being used as a copyright warning system, our own Karl Bode noted in 2013 that this was all specifically laid out in Comcast's six-strike plan. Per Karl's post, Comcast isn't even alone in using this tactic.

"Comcast has now put information on their implementation of six strikes online. According to the nation's largest broadband company, their version of the program will involve a persistent nagging pop up that continues to alert the user after the fourth warning. Time Warner Cable, who outlined their version of the plan to me last November, stated they're using a similar pop up warning system that blocks browsing until users acknowledge receipt of 'educational' copyright materials."

None of that is to say that the privacy and security concerns aren't very real, of course, and ZDNet does a nice job of discussing those concerns. But it's not new. Perhaps the better conversation to be had is why anyone in their right minds would think that Comcast deserves anyone's trust to the level where users' browsers should be injected with copyright violation notices in a system rife with abuse from pretty much every player involved.


Reader Comments


  • Anonymous Coward, 25 Nov 2015 @ 4:28pm

    disable javascript !

    This is one more reason why it's very important to turn off Javascript in your browser -- assuming that it can still be done (it's been getting harder and harder on newer browser versions). But be warned: many sites don't work properly without Javascript (Techdirt does, but just barely).

    Though it's possible that Comcast -like many websites- will just switch to another display method on Javascript-disabled browsers. Perhaps like inserting a banner image in the middle of any web page.

    But compared to Comcast's numerous other below-the-belt shenanigans, like injecting forged reset packets into a user's data stream to cripple Bittorrent, this privacy & neutrality violation seems mild.

    As the usual mission-creep sets in, Comcast could even use this method for selling advertising space and delivering ad banners right into everyone's browser.

    • madasahatter, 25 Nov 2015 @ 6:02pm

      Re: disable javascript !

      Disabling JS has not changed over the last several versions of Chrome.

      Using a different method of displaying ads as suggested may actually be illegal. It is definitely in the extremely stupid realm thus ComCast will probably do it.

    • Anonymous Coward, 26 Nov 2015 @ 10:51am

      Re: disable javascript !

      It's also a good idea to disable unencrypted traffic on any browser you want to be secure. The easy way is to set your browser's http proxy to 127.0.0.1:1 and leave the SSL proxy blank (for chromium: --proxy-server=http=socks4://127.0.0.1:1).

  • Sam smith, 25 Nov 2015 @ 5:46pm

    Random Comcast injections

    Comcast injects pop-ups into other websites too. If you connect to their xfinity hotspots (they pirate your connection and broadcast their own public hotspot from your rented cable modem), they ~once per day pop-up an xfinity logo in the middle of the other sites' webpages.

    It's a very annoying popup that does nothing besides remind you to surf TLS pages exclusively.

    This is nothing more than an ad for letsencrypt. The lack of security on the internet is astounding.

  • Anonymous, 25 Nov 2015 @ 6:28pm

    Mediacom Too

    They've injected in terms of service updates, bandwidth warnings, and optional equipment upgrade requests for years now.

  • Anonymous Coward, 25 Nov 2015 @ 6:39pm

    If you are a Comcast subscriber do not install the free antivirus they provide Norton with constant guard.

    • Telzey, 27 Nov 2015 @ 9:30am

      Re:

      Regarding what you've posted and this quote from the article:

      "The company (Comcast) started this practice way back in 2009, using the tactic to warn users of potential malware infections, "

      ...I had this problem a few years ago, a popup warning that my computer might be at risk and I was to call Xfinity (Comcast) for important information that would save my computer. There was literally no way to make it go away, no X box in the corner to close it.

      The only way to stop it was to call the number. Comcast used my call as a way to capture me on the phone to pitch their crappy Constant Guard software. The Comcast guy was very earnest and said I was getting the pop up because my computer was, and I quote, "probably already compromised", and that only buying Constant Guard for a monthly fee of $12.99 was the way to fix it and stop the pop ups.

      I told the Comcast weasel that I knew Comcast was injecting the pop up as an ad and that it was NOT any indication of a malware infection because I'd done my research online, and ordered him to fix it so that Comcast would stop injecting their stupid ad into my browser. I'm an older woman, which means I'm part of a demographic that usually automatically believes what the nice, young tech gentleman who seems to have my best interest at heart says... he kept telling me the pop up meant I ("probably") had a malware infection and that he was trying to help me save my computer.

      I pay for ESET Smart Security, I would recommend it to anyone, and I'm not buying Norton, especially not for a nice, chunky monthly fee from Comcast.

      He finally glumly agreed to stop the ad injection, and it never happened again after that... this is a guy who stated categorically that Comcast was not injecting an ad, that it was a malware warning only meant to help me.

      It makes me sick to think of all the older people who fall for this crap because they do not know any better.

  • Anonymous Coward, 25 Nov 2015 @ 7:57pm

    With JavaScript off the connection to this site is secure. I guess with advertising being what it is, and most sites depending on it, I need to leave it off all of the time, and quit commenting on sites that require it to be on.

    • Anonymous Coward, 26 Nov 2015 @ 5:05am

      Re:

      This is one of the reasons I hang around Techdirt, as it's one of the few remaining sites that does not require cookies or javascript or logging in ... or supporting/enriching Mark Zuckerberg. And the page's source code is not too complex to follow (whose reading is required in order to view the 'deleted' comments)

      It's a sad state of affairs that in the internet today, spoofing a browser's user-agent is a requirement on so many sites in order to avoid getting redirected to a scold page telling you to "update" your browser in order to be let in. Though it would indeed be nice if browsers let users spoof the screen resolution as well, so as not to be automatically redirected to the "mobile" page (which Twitter does to punish people with large screens in non-standard resolutions)

      OK, morning rant over.

  • Anonymous Coward, 26 Nov 2015 @ 12:01pm

    Same old story. This injection technology started out by claiming to be about keeping users safe and secure from malware and viruses. Then mission creep set in and suddenly it's being used for copyright and advertisements.

    It reminds me of the direction mass surveillance is heading in. It started out being about safety and security from terrorists (which it's failed miserably at stopping any terror plot). Then it morphed into economic espionage followed by quelling political dissidents, spying on journalists and prosecuting whistle blowers.

    It always starts out being about safety and security before morphing into a monster.

  • Mark Wing, 26 Nov 2015 @ 8:17pm

    They can bend the CFAA to threaten people like Aaron Swartz with life in prison for downloading public domain files, but they can't use it to go after actual browser injection attacks? Thankfully we have a law to protect corporations-I-mean-the-public. Thank you society for standing up for Comcast.

    Also, it sucks being a poor blogger because SSL certificates cost hundreds of dollars a year per domain. Techdirt had run a story about some organization (EFF?) that was going to give those certs away for free soon? There's lots of sites like mine that would go to HTTPS in a hot second if they could afford the certs.

  • Anonymous Coward, 29 Nov 2015 @ 7:03am

    In order to inject, they must first read the header

    Which is certainly enough to violate their customers' 1st and 4th amendment rights.

    This isn't like dropping a pebble in a pond. Line rate content transliteration requires heavy engineering and complex software.

    If they are doing this, they have the capacity to do many other nefarious things that would be less obvious. Like transliterating popular political content at line-rate in order to manipulate elections.

    How indistinguishable does a telecom have to become, before a judge is willing to call them what they are: "Agencies of the State"?

    Overturn Citizens United. Reinstate Glass Steagall. Bust the Trusts.

  • Anonymous Coward, 29 Nov 2015 @ 11:16am

    Suggestion for a better headline

    Comcast free to engage in shady business practices

    from the water-is-wet-and-Pope-is-Catholic dept
    I am shocked, SHOCKED to find crony capitalism going on in this corporate-bought oligarchy!

  • Anonymous Coward, 30 Nov 2015 @ 10:04am

    Use a VPN

    All the previous suggestions are good, but I always use a VPN in addition. This ensures my ISP cannot spy on me. Hopefully P.I.A. remains trustworthy...
