Broadband ISP CenturyLink Is Blocking Users' Internet Access Just To Show An Ad

from the ill-communication dept

US telco CenturyLink is under fire for temporarily disabling the broadband connections of broadband customers in Utah unless they click on an ad for CenturyLink security software. Even more oddly, the telco is repeatedly (and falsely) trying to blame a new Utah law for its ham-fisted behavior.

It began when a CenturyLink user in Utah posted to Twitter that his CenturyLink broadband line suddenly and mysteriously stopped working. Using what appears to be JavaScript ad injection (an already contentious practice), Centurylink then sent the user a notice stating his broadband connection would not be restored until he acknowledged receipt of the message, which appears to be a glorified advertisement for CenturyLink's @Ease filtering and security software:

In a blog post first spotted by regional Utah news outlets and subsequently Ars Technica, the user explains how he was initially under the impression that CenturyLink had tried to block him from visiting a phishing website, only to realize later that the ISP was really just temporarily holding his connection hostage until he engaged with a product ad:

"At first glance I was worried that I had somehow been redirected to a malicious website and that this was some kind of phishing attempt... After all, I didn't navigate here. I attempted to do another search but still ended up at this same notice. I considered the idea that maybe my ISP had detected some kind of threat coming from my network and that's why I was seeing this official looking page. Eventually, after reading over the page several times, I clicked "OK" and my internet was back."

When criticized, CenturyLink repeatedly told the user and many reporters (myself included), that it had to block user access in this fashion due to a new Utah law:

Except that's false. Utah is, Techdirt readers will be aware, home of what has been a near-constant stream of ridiculous efforts to filter porn, a technically impossible task (something backers of the idea refuse to learn). And while this new law in question is dumb, it's not quite that dumb. The law requires ISPs to inform users that filtering software is available to them as a sort of half-measure toward combating porn. ISPs can do this in a number of ways; the law specifically recommends either including mailers in user bills or sending an email.

The law does not require that ISPs sever access to the internet in order to show them ads for an ISP's own software, something CenturyLink executives appear to have come up with on their own. That's something the bill's author himself confirmed when asked by the impacted user on Twitter:

Users on Reddit indicate this wasn't isolated to just this user -- all Utah CenturyLink customers appear to be experiencing this unnecessary, heavy-handed nonsense. Now it's possible CenturyLink could argue it was just over-complying to adhere to the law, but since the law is pretty clear an email is ok, this argument doesn't hold up. More likely, CenturyLink executives either thought they'd use the law as a marketing opportunity, or wanted to bring attention to the dumb new law. Unfortunately that's not really accomplished by behaving stupidly yourself.

Of course this is the kind of ISP behavior our since-discarded net neutrality rules were designed specifically to prevent. And while a few days of press shame may drive Centurylink away from the policy if users are lucky, that's really no substitute for an attentive FCC that actually cares about keeping the internet free from idiotic monopoly ideas exactly like this one. The battle over net neutrality has always been about slippery slopes, and letting an ISP interrupt internet traffic to market its own products--and then lie about it--is slippery as hell.

Filed Under: ads, blocking, broadband, filters, injection, packet injection, utah
Companies: centurylink


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 19 Dec 2018 @ 11:07am

    And I bet there are various marketing people reading this and asking how much will it cost to do the same?

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 19 Dec 2018 @ 11:18am

    Saw this after I saw a tweet about someone visiting a freind & they took the webpage he was going to & put it in a frame under a threat to pay up or else...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Dec 2018 @ 11:20am

    "I’m sorry you are having problems. SB134 did not require that — and no other ISP has done that to comply with the law. They were only required to notify customers of options via email or with an invoice. "

    This is the third article which dismisses the true problem: why did Utah's legislature make this a law to begin with.

    *THAT* should be the focus, not an ISP blocking the internet (a daily occurrence).

    reply to this | link to this | view in chronology ]

    • icon
      Karl Bode (profile), 19 Dec 2018 @ 11:34am

      Re:

      I don't know, I think pointing out they're both stupid (which I did) works. Even if you think a law is stupid, being even DUMBER (and lying about it) isn't any kind of solution to your complaint.

      reply to this | link to this | view in chronology ]

      • identicon
        Agammamon, 19 Dec 2018 @ 5:33pm

        Re: Re:

        Make stupid laws up front and in people's faces. That way they might do something about them instead of just sitting there.

        reply to this | link to this | view in chronology ]

    • icon
      James Burkhardt (profile), 19 Dec 2018 @ 11:45am

      Re:

      Why isn't the problem, nor is it a mystery. Utah is a state with a massively Mormon population and being Mormon is as much a benefit to a political career (on either side of the isle) in Utah as being explicitly Christian is to Republican Candidates in most US elections.

      Mormonism, like most Christ-derived religions, dislikes pornography from a moral standpoint. It also disapproves of masterbation. Porn bans have not stood up to legal challenge. But a 'for the children' law designed to remind consumers, like parents, the existence of optional filters to protect them from 'objectionable' material, via email or letter, but requires the consumer start the process, is pretty benign and so is something no one wants to spend resources fighting.

      I suppose that legislating morality is an issue, but it is also one Techdirt covers regularly. This law, while strange, is not one that impacts the speech of consumers, or their viewing habits.

      Given that the ISP choose instead to block the internet and blame the law for hijacking a customer's internet session, that is news. The why and how of the blocking is important.

      You must be burnt out on net neutrality. That's understandable. But it is how corporations rule us. By violating our norms until we accept that the norms will always be violated, and the violation becomes the norm. Techdirt remains vigilant. I remain vigilant. You, clearly, refuse.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Dec 2018 @ 11:49am

      Re:

      an ISP blocking the internet (a daily occurrence).

      They were also using some kind of traffic hijacking to redirect people to the page, which to me is the bigger problem. (They deny DNS hijacking but don't say how they got the popup to appear; the only other option I know is to redirect and rewrite port 80 traffic.)

      It also indicates a serious problem on the customer's end. "Eventually I turned to a Google search on my phone only to be immediately greeted with an official looking notice"—what? Google has been encrypted for years now. How did the customer accidentally end up on a site vulnerable to the ISP's hijacking? Google.com claims to use HSTS to force encryption; it shouldn't have been possible.

      And I didn't see a comment about this yet: CenturyLink is giving out the customer's account number. If they had open wifi, anyone driving by could have that number now.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 19 Dec 2018 @ 12:01pm

        Re: Re:

        Google.com claims to use HSTS to force encryption; it shouldn't have been possible.

        That does not protect the initial DNS request, and the ability to put up a page if the name does not resolve.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 19 Dec 2018 @ 2:04pm

          Re: Re: Re:

          That does not protect the initial DNS request, and the ability to put up a page if the name does not resolve.

          HSTS is meant to protect exactly that. If your browser has a record of you having gone to google.com, and it had HSTS, the browser will automatically convert all http requests to https. And DNS-redirection will cause any https connection to throw an error, because CenturyLink shouldn't have a valid google.com cert. (Try it: put a google.com record in your hosts file that points to the IP of an unrelated https server, then go to https://google.com.)

          Otherwise, any random wifi AP could redirect your bank's DNS elsewhere and grab your password.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 19 Dec 2018 @ 2:32pm

            Re: Re: Re: Re:

            I suspect that the errored the DNS request, and used the error page for their advert, as an error page can say anything. That would fit with their claim that they did not use DNS redirect. The way to test that would be to use any DNS server other than the ISPs. Googles is easy to remembers being 8.8.8.8 or 8.8.4.4.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 19 Dec 2018 @ 5:32pm

              Re: Re: Re: Re: Re:

              I suspect that the errored the DNS request, and used the error page for their advert, as an error page can say anything.

              That doesn't make sense. You cannot send an arbitrary error page back in response to a failed https connection. If you could, the phishers would do exactly that. And you can't send a "page" back from a DNS request.

              reply to this | link to this | view in chronology ]

      • identicon
        Anonymouse Cupboard, 19 Dec 2018 @ 1:28pm

        Re: Re:

        It was probably done in the same way that when you forget to pay your internet bill, they reboot your modem and give it a new IP address with a designated range that redirects all traffic to a "pay your bill" webpage.

        They most likely had an account check. Anyone that had not yet checked the agree box would have the "pay your bill" webpage, but if you hit the check box, they'd reboot you back to the regular internet.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 19 Dec 2018 @ 2:06pm

          Re: Re: Re:

          give it a new IP address with a designated range that redirects all traffic to a "pay your bill" webpage.

          Sure, easily done, but any https connection is supposed to throw an error if redirected to an unauthorized server. Unless you mean they're working with a browser's built-in captive portal detection feature somehow. (Is that standard? There were talks.)

          reply to this | link to this | view in chronology ]

        • icon
          Toom1275 (profile), 19 Dec 2018 @ 8:00pm

          Re: Re: Re:

          Which sounds like the reason why their instructions were to reset the router if the internet didn't come back after clicking the notice.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Dec 2018 @ 11:22am

    How shortsited to think a few sales of their @ease would compensate for the users that probably ditched them for this crap.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Dec 2018 @ 11:40am

      Re:

      Ditch them and get internet from...?
      Most communities don't have the luxury to choose.

      reply to this | link to this | view in chronology ]

      • identicon
        Agammamon, 19 Dec 2018 @ 5:37pm

        Re: Re:

        Really?

        I live in a county of 200,000 people in Arizona (a state with fewer than 8 million people in it, 6 of which are in one city) - 5 miles outside a town of 15,000.

        I still have 3 internet providers available. They all suck - but I've got competition.

        reply to this | link to this | view in chronology ]

        • icon
          Thad (profile), 20 Dec 2018 @ 8:20am

          Re: Re: Re:

          And I live within 5 miles of ASU and the only broadband ISP available at my address is Cox.

          Are you counting dialup and satellite? Or are you just lucky?

          reply to this | link to this | view in chronology ]

        • icon
          R.H. (profile), 20 Dec 2018 @ 11:54am

          Re: Re: Re:

          I live in a county of ~400,000 and in a township of ~20,000 and I have one broadband internet provider available. There is one other DSL provider available but they can only provide about 3-6 Mbps at my location. Your situation is quite unusual in the United States.

          reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 19 Dec 2018 @ 11:52am

      Re:

      Depends upon how their 'security/filter' software works. Does it also collect information and pass it back to Century Link? Does it make note of all your contacts and add them to a list to track (a la Facebook)? And as noted above, what are your other choices?

      reply to this | link to this | view in chronology ]

  • identicon
    Nick-B, 19 Dec 2018 @ 12:28pm

    Got it too

    Had this happen to me as well once I came back from out of town. Loaded up my usual daily blogs, and half of them or so loaded this page, while the other half seemed to run a bit slow.

    What's odd is that it doesn't block all traffic, as some big name sites (google, yahoo, etc) still work, but most minor sites load the "ad".

    I'd gotten this before when I downloaded some... less than legal audiobooks once. Same method done as here, where most sites are down and showing a notice from the ISP.

    reply to this | link to this | view in chronology ]

  • icon
    Gary (profile), 19 Dec 2018 @ 12:57pm

    Working as intended

    This is how de-regulation works. Expect more hijinks like this since there isn't any sort of consumer protection on the table.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Dec 2018 @ 1:18pm

    This is the same "feature" that Century Link uses if they get copyright claims against you. You are required to click through a bunch of guilt-shaming to get your connection back. Pretty obnoxious, but what are you going to do? Get Comcast? HA!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Dec 2018 @ 1:23pm

    Apple lawsuit in the making?

    I wonder if Apple will sue CenturyLink over the product? They own the trademark on AtEase as a software security product, as well as on @me. There's definitely room for product confusion here. Of course, since neither mark is being used anymore, it's possible they don't care, but that doesn't sound like the Apple I know.

    reply to this | link to this | view in chronology ]

  • identicon
    Glenn, 19 Dec 2018 @ 1:50pm

    There's are laws that prohibit this type of behavior--charging for a service that you then don't provide. Usually, it's just called fraud.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Dec 2018 @ 1:57pm

    Testing the waters...

    CenturyLink probably decided they would use this opportunity to test this kind of ad injection while having an "excuse". It will probably happen again, and soon if there is not enough backlash this time.
    My guess is that they will wait a period of time, then do another trial-run... wait a shorter period of time and then do another... so on and so forth until people are used to it.
    If that doesn't work out they will probably make regular ad-free internet connections more expensive while offering "cheap" connections with ad injections like this (cheap meaning almost, or exactly, same price as connections now).
    Long have they looked envious at TV stuffing more and more ads into every hour and I am betting it is in their long-term strategy to stuff the internet just as full of them.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Dec 2018 @ 2:02pm

    Interesting ... perhaps Utah has made a mistake here.

    What are the laws about 911 access, I don't think states have much say in this.

    Some people, by choice, do not have plain old telephone service and they rely upon their internet connection for telephony related functions, including 911 service that Centurylink blocked.

    reply to this | link to this | view in chronology ]

  • icon
    Thad (profile), 19 Dec 2018 @ 2:22pm

    Are we sure CenturyLink counts as broadband?

    reply to this | link to this | view in chronology ]

  • identicon
    Agammamon, 19 Dec 2018 @ 5:31pm

    Jesus Christ.

    Its not to 'show an ad' Its to comply with a state government mandate.

    You can say the legislature 'never intended' for them to comply with the legislature's mandate in this manner - but the ISP is still required to contact users to inform them about porn filter software the ISP is mandated to offer them.

    This way at least no one - especially the legislature - can come back later and say 'we didn't know, you didn't put enough effort in to contacting people'.

    reply to this | link to this | view in chronology ]

    • identicon
      Talmyr, 20 Dec 2018 @ 7:29am

      Re:

      They could also send the mob around to tell you, but it doesn't make that a good or honest idea either.

      This is a terrible response to a terrible law.

      reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 20 Dec 2018 @ 7:37pm

    An ISP? Getting criticized? out of the blue is going to be pissed...

    reply to this | link to this | view in chronology ]

  • icon
    Lostinlodos (profile), 23 Dec 2018 @ 2:30pm

    Nothing new here

    I’m not seeing anything worth a story; beyond possible user stupidity.
    First this is a big fat nothing of a story. Years ago when I had AT$T I would get occasional notices of service changes that disconnected the internet until I agreed. Charter did the same to me even earlier. A mandatory click through for each TOS change. That goes back to old telephone DSL days.
    Second, the filter option was just that, an option.
    Third, the law requires that filters be made available and that the customer be made aware. A one button click through seems as good a route as any.
    Fourth: they pushed their own tool. So what. Anyone unskilled enough to set up their internet connection with an included software cd already knows that communications companies are going to push their software, be it by partnership or rebranded. The fear mongering in clicking to disable installing inferior software such as Symantec or Eset makes people install it anyway.
    So why not look at the far more underhanded tactics like those install discs?!? Not a click through notification.
    And really, are you so caught up in looking for something, anything, to prove the regulatory changes caused harm somewhere that you resort to this.
    This has nothing to do with net neutrality! No traffic was redirected. You weren’t charged to do something previously free. You weren’t blocked from using the services of your choosing! You were prompted with a notification from the provider. One that required a simple click through to access. A process I’m sure was easier than registering to post here. Where you get a page. Another page. Go to your email for code. Enter code. Finds article again. All you had to do was click through and acknowledge you were made aware that draconian filtering was available to you. Where’s the story?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.