Dear ZDNet: Comcast Has Been Sketchily Injecting Messages Into User's Browsers For Years
from the old-news-bad-news dept
Comcast has been dutifully modeling its behavior in such a way so as to fill up Techdirt’s story pages for years now. So, when we come across a story somewhere discussing how Comcast is doing some bad new thing, it’s tempting to simply assume it’s true and move on. Such might be the case for some readers of ZDNet’s recent post about how Comcast was injecting notices into browsers warning of potential copyright infringement.
The cable and media giant has been accused of tapping into unencrypted browser sessions and displaying warnings that accuse the user of infringing copyrighted material — such as sharing movies or downloading from a file-sharing site. Jarred Sumner, a San Francisco, Calif.-based developer who published the alert banner’s code on his GitHub page, told ZDNet in an email that this could cause major privacy problems.
Well, sure, this is horrible, and it is a privacy issue — but it isn’t new. In fact, Comcast as been doing some flavor of this sort of browser injection for the better part of a decade. The company started this practice way back in 2009, using the tactic to warn users of potential malware infections, and there was even discussion about expanding the use for other security purposes in 2011. More specifically on browser injections being used as a copyright warning system, our own Karl Bode noted in 2013 that this was all specifically laid out in Comcast’s six-strike plan. Per Karl’s post, Comcast isn’t even alone in using this tactic.
Comcast has now put information on their implementation of six strikes online. According to the nation’s largest broadband company, their version of the program will involve a persistent nagging pop up that continues to alert the user after the fourth warning. Time Warner Cable, who outlined their version of the plan to me last November , stated they’re using a similar pop up warning system that blocks browsing until users acknowledge receipt of “educational” copyright materials.
None of that is to say that the privacy and security concerns aren’t very real, of course, and ZDNet does a nice job of discussing those concerns. But it’s not new. Perhaps the better conversation to be had is why anyone in their right minds would think that Comcast deserves anyone’s trust to the level where users’ browsers should be injected with copyright violation notices in a system rife with abuse from pretty much every player involved.
Filed Under: alerts, copyright, deep packet inspection, injection
Companies: comcast
Comments on “Dear ZDNet: Comcast Has Been Sketchily Injecting Messages Into User's Browsers For Years”
disable javascript !
This is one more reason why it’s very important to turn off Javascript in your browser — assuming that it can still be done(it’s been getting harder and harder on newer browser versions). But be warned: many sites don’t work properly without Javascript (Techdirt does, but just barely).
Though it’s possible that Comcast -like many websites- will just switch to another display method on Javascript-disabled browsers. Perhaps like inserting a banner image in the middle of any web page.
But compared to Comcast’s numerous other below-the-belt shenanigans, like injecting forged reset packets into a user’s data stream to cripple Bittorrent, this privacy & neutrality violation seems mild.
As the usual mission-creep sets in, Comcast could even use this method for selling advertising space and delivering ad banners right into everyone’s browser.
Re: disable javascript !
Disabling JS has not changed over the last several versions of Chrome.
Using a different method of displaying ads as suggested may actually be illegal. It is definitely in the extremely stupid realm thus ComCast will probably do it.
Re: disable javascript !
It’s also a good idea to disable unencrypted traffic on any browser you want to be secure. The easy way is to set your browser’s http proxy to 127.0.0.1:1 and leave the SSL proxy blank (for chromium: --proxy-server=http=socks4://127.0.0.1:1).
Random Comcast injections
Comcast injects pop-ups in to other websites too. If you connect to their xfinity hotspots (they pirate your connection and broadcast their own public hotspot from your rented cable modem), they ~once per day pop-up an xfinity logo in the middle of the other sites’ webpages.
It’s a very annoying popup that does nothing besides remind you to surf TLS pages exclusively.
This is nothing more than an ad for letsencrypt. The lack of security on the internet is astounding.
Mediacom Too
They’ve injected in terms of service updates, bandwidth warnings, and optional equipment upgrade requests for years now.
If you are a Comcast subscriber do not install the free antivirus they provide Norton with constant guard.
Re: Re:
Regarding what you’ve posted and this quote from the article:
“The company (Comcast) started this practice way back in 2009, using the tactic to warn users of potential malware infections, “
…I had this problem a few years ago, a popup warning that my computer might be at risk and I was to call Xfinity (Comcast) for important information that would save my computer. There was literally no way to make it go away, no X box in the corner to close it.
The only way to stop it was to call the number. Comcast used my call as a way to capture me on the phone to pitch their crappy Constant Guard software. The Comcast guy was very earnest and said I was getting the pop up because my computer was, and I quote, “probably already compromised”, and that only buying Constant Guard for a monthly fee of $12.99 was the way to fix it and stop the pop ups.
I told the Comcast weasel that I knew Comcast was injecting the pop up as an ad and that it was NOT any indication of a malware infection because I’d done my research online, and ordered him to fix is so that Comcast would stop injecting their stupid ad into my browser. I’m and older woman, which means I’m part of a demographic that usually automatically believes what the nice, young tech gentleman who seems to have my best interest at heart says… he kept telling me the pop up meant I (“probably”) had a malware infection and that he was trying to help me save my computer.
I pay for ESET Smart Security, I would recommend it to anyone, and I’m not buying Norton, especially not for a nice, chunky monthly fee from Comcast.
He finally glumly agreed to stop the ad injection, and it never happened again after that… this is a guy who stated categorically that Comcast was not injecting an ad, that it was a malware warning only meant to help me.
It makes me sick to think of all the older people who fall for this crap because they do not know any better.
With JavaScript off the connection to this site is secure. I guess with advertising being what it is, and most sites depending on it, I need to leave it off all of the time, and quit commenting on sites that require it to be on.
Re: Re:
This is one of the reasons I hang around Techdirt, as it’s one of the few remaining sites that does not require cookies or javascript or logging in … or supporting/enriching Mark Zuckerberg. And the page’s source code is not too complex to follow (whose reading is required in order to view the ‘deleted’ comments)
It’s a sad state of affairs that in the internet today, spoofing a browser’s user-agent is a requirement on so many sites in order to avoid getting redirected to a scold page telling you to “update” your browser in order to be let in. Though it would indeed be nice if browsers let users spoof the screen resolution as well, so as not to be automatically redirected to the “mobile” page (which Twitter does to punish people with large screens in non-standard resolutions)
OK, morning rant over.
Same old story. This injection technology started out by claiming to be about keeping users safe and secure from malware and viruses. Then mission creep set in and suddenly it’s being used for copyright and advertisements.
It’s reminds me of the direction mass surveillance is heading in. It started out being about safety and security from terrorists (which it’s failed miserably at stopping any terror plot). Then it morphed into economic espionage followed by quelling political dissidents, spying on journalists and prosecuting whistle blowers.
It always starts out being about safety and security before morphing into a monster.
They can use bend the CFAA to threaten people like Arron Swartz with life in prison for downloading public domain files, but they can’t use it to go after actual browser injection attacks? Thankfully we have a law to protect corporations-I-mean-the-public. Thank you society for standing up for Comcast.
Also, it sucks being a poor blogger because SSL certificates cost hundreds of dollars a year per domain. Techdirt had run a story about some organization (EFF?) that was going to give those certs away for free soon? There’s lots of sites like mine that would go to HTTPS in a hot second if they could afford the certs.
Re: Re:
Soon the Linux Foundation will offer free certs at letsencrypt.org
In order to inject, they must first read the header
Which is certainly enough to violate their customers 1st, and 4th amendment rights.
This isn’t like dropping a pebble in a pond. Line rate content transliteration requires heavy engineering and complex software.
If they are doing this, they have the capacity to do many other nefarious things that would be less obvious. Like transliterating popular political content at line-rate in order to manipulate elections.
How indistinguishable does a telecom have to become, before a judge is willing to call them what they are: “Agencies of the State”?
Overturn Citizens United. Reinstate Glass Steagall. Bust the Trusts.
Suggestion for a better headline
I am shocked, SHOCKED to find crony capitalism going on in this corporate-bought oligarchy!
Use a VPN
all the previous suggestions are good, but I always use a VPN in addition. This ensures my ISP cannot spy on me. Hopefully P.I.A. remains trustworthy…