Paxfire Responds: Says It Doesn't Hijack Searches, Will Seek Sanctions Against Lawyers

from the then-what-does-it-do? dept

Last week, we wrote about a lawsuit filed against Paxfire for supposedly teaming up with ISPs to hijack browser searches for profit. The idea was that search terms never made it to the search engine in question; instead, users were automatically directed to pages paid for by marketers. That is, if you searched for "Apple" via your browser search, rather than having that search Bing (if Bing is your search engine) for "Apple," it would automatically take you to an Apple page -- and the search would never even touch Bing. Our post was based on a New Scientist story about some researchers highlighting these practices and a class action lawsuit filed over them. New Scientist has updated the story to note that:
"all the ISPs involved have now called a halt to the practice. They continue to intercept some queries – those from Bing and Yahoo – but are passing the searches on to the relevant search engine rather than redirecting them."
However, Paxfire's CEO sent us an email in which he not only refutes the entire story, but claims that he's planning to seek Rule 11 sanctions against the lawyers who filed the class action lawsuit:
"This lawsuit is without merit, and harmful to our business and that of our partners. Let me respond to the two major accusations in the lawsuit.

"First, the lawsuit alleges that Paxfire collects, analyzes and sells user information. This is completely false and has absolutely no basis in fact.

"Paxfire does not and has never distributed or sold any information on users, either individually or collectively. Paxfire does not analyze end user searches, does not hold any history or database of user browsing or search, and does not profile users in any way. Moreover, Paxfire has no plans to change this policy. To repeat: We never, ever collect, monitor, store or sell personal data on users, collectively or as individuals, and we never have.

"Second, Paxfire does not hijack searches or 'impersonate search engines.'

"This would be fundamentally contrary to our service mission, which is to improve the user experience by helping users arrive at their intended website after having mistyped a web address. We are all about helping customers navigate the web, and not about searches. We partner closely with our ISP customers to ensure the service is operated not only in full accordance with the law and end user agreements, but also in a way that provides a good user experience. For example, when we have to guess the intended destination from a bad address, our results page includes an explanation of how they landed there and provides an option to opt-out of the service.

"Finally, we want to make clear that while it is without merit, this lawsuit and its allegations are extremely harmful to our reputation and those of our partners. Under Rule 11 of the Federal Rules of Civil Procedure, a party has an obligation to ensure a foundation for his or her allegations. Clearly, this was not done adequately by the plaintiff in this case. Accordingly, Paxfire intends to seek the full sanctions available to it under the law, to vindicate the organization and to make it whole from the damages caused by this lawsuit."
It appears that they're saying they didn't hijack searches so much as hijack typo searches, and they claim they do it nicely. I guess we'll find out the details as any lawsuit goes on, but I find it highly unlikely that, even if Paxfire prevails, it will be able to get Rule 11 sanctions. It's pretty rare for such sanctions to be used, and the conduct has to be pretty egregious.
Filed Under: browsers, hijacking, search
Companies: paxfire


Reader Comments


  • icon
    ofb2632 (profile), 10 Aug 2011 @ 6:34am

    Too fine of a line

    "It appears that they're saying they didn't hijack searches so much as hijack typo searches"

    Hijacking ANY search, even if it is a typo search, is hijacking. Any explanation to the contrary is merely 'lawyer talk'... I wish judges would use the VERY simple analogy to see the truth... if it looks like a duck, swims like a duck, and quacks like a duck, it IS a duck.

    link to this | view in chronology ]

    • icon
      Hulser (profile), 10 Aug 2011 @ 7:20am

      Re: Too fine of a line

      Hijacking ANY search, even if it is a typo search, is hijacking.

      Your statement would make sense if entering a URL into the address field of a browser qualified as a "search". But it doesn't. When you enter someone's phone number into your mobile phone, is that a "search"? No. You already know exactly who you want to talk to and how to reach them; you're just telling the phone to actually make the call. Similarly, when you enter a URL into a browser, you're just telling the browser to actually navigate to the page. There is no search.

      link to this | view in chronology ]

      • identicon
        anotstupid, 10 Aug 2011 @ 7:28am

        Re: Re: Too fine of a line

        I don't think you understand how search works. Or software. Or the internet. Or phones.

        When you type a number into your phone, it connects to that number directly.

        When you type a string into your URL bar, your browser does the following:

        1. It checks to see if it is a properly formatted address. If so, it queries a DNS, then connects to the proper server.

        2. If it is _NOT_ a properly formatted address, it sends the string to whatever search engine your browser has as a default search engine.

        If the behavior that is discussed in this article is implemented, then there is a break between 1 and 2, whereby the DNS of the ISP that you are using _LIES_ and says that your shittily formatted address is, in fact, a proper address, and then redirects you to a different page.

        I doubt that you will read any of this, but let me just put this in black and white for the purposes of internet memorialization:

        You are either stupid, paid to have this opinion, or both.

        link to this | view in chronology ]

        • identicon
          out_of_the_blue, 10 Aug 2011 @ 7:36am

          Re: Re: Re: Too fine of a line: "If it is _NOT_ a properly formatted address"

          3rd option: I've disabled all internal search engines in my browser, and I LIKE it that way.

          link to this | view in chronology ]

          • icon
            lucidrenegade (profile), 10 Aug 2011 @ 8:22am

            Re: Re: Re: Re: Too fine of a line: "If it is _NOT_ a properly formatted address"

            How about disabling your Internet connection as well?

            link to this | view in chronology ]

          • icon
            DannyB (profile), 10 Aug 2011 @ 9:09am

            Re: Re: Re: Re: Too fine of a line: "If it is _NOT_ a properly formatted address"

            If you disabled the internal search engines in your browser, then you definitely would not want the hijacking that occurred between 1 and 2.

            The ISP would not LIE, your browser would proceed to step 2 and realize -- hey, you don't have an internal search engine, and display an error page -- as you want.

            If you didn't want the error page, then why did you disable search engines in your browser?

            If you wanted the ISP's lying DNS and hijacking, then it should be OPT IN rather than OPT OUT.

            link to this | view in chronology ]

        • icon
          Hulser (profile), 10 Aug 2011 @ 8:29am

          Re: Re: Re: Too fine of a line

          2. If it is _NOT_ a properly formatted address, it sends the string to whatever search engine your browser has as a default search engine.

          This is not necessarily the case with every browser out there. It may be that these days, it's quite common for an ISP or a browser to include functionality that will redirect an invalid URL to a proprietary page, but this hasn't always been so and it's not part of the standards. My quibble with your statement is not the morality or legality of redirecting an invalid URL; it's with the use of "search" in reference to this behavior.

          When your average person enters in a URL into a browser, they don't think of this as a "search". In spite of the fact that this may result in a search depending on their ISP or browser, they think of this as what it is, a command to navigate to a certain page. Looking at this another way, if I did a survey and asked people to describe a web search, I'd bet that the vast majority would describe going to www.google.com or some other specific site and typing in a search term, not entering a URL into the address field of a browser.

          You are either stupid, paid to have this opinion, or both.

          Well, this is a first. I've never been called a shill here before. I think you do a disservice to the Techdirt community with your assumption that I'm being paid for my posts. I don't doubt that there are shills who post comments here, but reacting to an opinion that happens to differ from yours with this kind of accusation brings down the entire conversation. I am not being paid for my posts. Besides, if you read my comments carefully, I am not defending what Paxfire is doing. I'm merely making the distinction between a search and redirecting an invalid URL.

          link to this | view in chronology ]

          • icon
            ComputerAddict (profile), 10 Aug 2011 @ 8:59am

            Re: Re: Re: Re: Too fine of a line

            While it may not have always been so that browsers included searches as part of the URL bar, it has been 3-4 years since the Majors have included this feature (IE, Firefox, Safari, Chrome, Opera). Power users expect the functionality, and new users use it without knowing. Users expect when reading the features on these browser's homepages to work when they install them. As far as what the "average" person thinks they are doing when entering URLs and searches. In my experience in the IT field, I've seen just as many people type searches into the address bar as I have seen people type URL's into google.com (including someone typing in www.google.com into the URL bar, only to turn around and type the URL of where they really wanted to go in the first place into google's search bar).

            Whether it is standards or not, Browsers should behave as they were intended by their coders. To modify their behavior without informing the end user like "Do you want us to help you get to pages you may mis-spell? Yes or No, Remember my choice" is irresponsible. It sets a bad precedent that could open up far more spammy / spyware ridden hijackings in the future.

            link to this | view in chronology ]

            • icon
              Hulser (profile), 10 Aug 2011 @ 10:43am

              Re: Re: Re: Re: Re: Too fine of a line

              In my experience in the IT field, I've seen just as many people type searches into the address bar as I have seen people type URL's into google.com

              Yep. I've seen the same thing. It completely mystifies me that people don't grasp such a simple concept, but I too have seen people entering in a URL into the Google search field. None the less, my point stands: there is a clear distinction between doing a search and entering in a URL, even if the concept has been intermingled over the years.

              To modify their behavior without informing the end user like "Do you want us to help you get to pages you may mis-spell? Yes or No, Remember my choice" is irresponsible.

              Too bad the "Yes or No, Remember my choice" functionality wasn't built into the web from the start. Hindsight is 20/20 and all that.

              link to this | view in chronology ]

        • identicon
          TheStupidOne, 10 Aug 2011 @ 12:58pm

          Re: Re: Re: Too fine of a line

          I just typed gogle.com into the address bar of my browser. I was connected to www.google.com.

          While this situation may not be exactly as described (ie Google probably owns gogle.com and has a redirect), but if a website I typed in does not exist, but it is obvious that I want to get a website and not a search, what is wrong about the ISP redirecting me to a site that it believes I wanted along with an explanation of what happened and giving me a chance to opt out?

          link to this | view in chronology ]

      • icon
        Sean T Henry (profile), 10 Aug 2011 @ 7:39am

        Re: Re: Too fine of a line

        "When you enter someone's phone number into your mobile phone, is that a "search"? No."

        My phone searches the numbers it has as I type one so yes that can be a search.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 10 Aug 2011 @ 7:52am

          Re: Re: Re: Too fine of a line

          If you have a secondary DNS, say, for a work VPN you are connected to, the first DNS is supposed to return a very specific code that the requested entry was not found, then your computer sends the DNS lookup to your secondary DNS, then the next, and so on.

          Anyone who uses a VPN for work and has to connect to Intranet sites internal to their organization is completely hosed by any provider who monetizes their DNS in this way. I didn't mis-type crap, I'm trying to get to a private server. Of course there is no entry in your DNS, it's PRIVATE!

          There is no fine line: I was trying to access a perfectly legitimate URL over VPN. My ISP takes my request and, in violation of networking standards, takes me to another destination completely. That is hijacking.

          The only workaround I have seen worth a darn is in Google's Chrome browser, where there is only one bar for both search and URLs. If you type an Intranet address into Chrome it returns a Google search AND it performs a DNS check to see if you mean to go to a specific site. If the DNS check finds a site, you are offered a choice of a search or going directly to http://whatever.

          link to this | view in chronology ]

          • icon
            Hulser (profile), 10 Aug 2011 @ 8:52am

            Re: Re: Re: Re: Too fine of a line

            There is no fine line: I was trying to access a perfectly legitimate URL over VPN. My ISP takes my request and, in violation of networking standards, takes me to another destination completely. That is hijacking.

            I would agree that this is hijacking. (And really fucking annoying.) My original point was that this isn't search hijacking. I can see where many people might actually find some value in this service. To a novice computer user, a 404 page is confusing or at least not very user friendly. But to computer savvy people, it's just annoying. Don't assume that because you don't recognize the URL I typed in, I automatically want you to do a search. As you point out, it could be a site on your Internal network and you're just not connected via the VPN. I don't want an internal address to go into someone's log files. My point is that while I can see the value of invalid URL redirection, I think it should be either opt-in or at the very least very easy opt-out.

            link to this | view in chronology ]

        • icon
          Hulser (profile), 10 Aug 2011 @ 8:35am

          Re: Re: Re: Too fine of a line

          My phone searches the numbers it has as I type one so yes that can be a search.

          Right, your phone searches for the number, not you. This may be splitting hairs, but I think in the minds of most people who are entering a known phone number into their phone, they're not doing a search, they're simply entering in a phone number. Besides, I'd describe this behavior as more of an auto-complete feature rather than a search.

          link to this | view in chronology ]

        • icon
          DannyB (profile), 10 Aug 2011 @ 9:12am

          Re: Re: Re: Too fine of a line

          > My phone searches the numbers it has as I type

          You mean your phone auto-completes the number for you. You had a specific number in mind before you started typing.

          link to this | view in chronology ]

          • identicon
            Prisoner 201, 10 Aug 2011 @ 10:47am

            Re: Re: Re: Re: Too fine of a line

            Yeah but you would be pretty annoyed if your provider required you to have an app that auto-completed what you typed to pay numbers on its partner list as often as it could.

            link to this | view in chronology ]

      • icon
        John Fenderson (profile), 10 Aug 2011 @ 10:56am

        Re: Re: Too fine of a line

        Your statement would make sense if entering a URL into the address field of a browser qualified as a "search".


        I disagree. Whether the user intent was to search or not is irrelevant. It's still hijacking, because they are intentionally breaking important mechanisms of the internet. If I put in a nonexistent domain, internet standards specify a very specific response that lots of software absolutely relies on.

        If a third party, especially without my knowledge and consent, alters this behavior to make the malformed domain name resolve to something they have hijacked. And they've broken my internet. ISPs who do this or allow it to be done are, imo, breaking their contract with their users: to provide internet service. They are, instead, providing a broken service that doesn't adhere to standards and therefore, technically, is not true "internet service."

        It's a very mild form of fraud, as you aren't getting what you're paying for.

        link to this | view in chronology ]

  • icon
    A Dan (profile), 10 Aug 2011 @ 6:40am

    Doesn't sound like searches

    Many people have their browsers set to search Google or some other engine if they type an invalid address into the address bar. Those often only work if they get a 404. It sounds like these guys are just doing what almost every annoying internet provider does and redirecting 404 errors. I don't think that deserves a class-action lawsuit, however annoying it may be.

    To be clear: That wouldn't be hijacking searches. It would be redirecting 404 errors, which are not directed at any provider in particular at that point in the process.

    link to this | view in chronology ]

    • icon
      Scooters (profile), 10 Aug 2011 @ 7:13am

      Re: Doesn't sound like searches

      I concur with this. Brighthouse, here in Indiana, redirects 404 pages with their own "Buy! Buy! Buy!" page, while putting up links to search engines.

      To me, this is no different than advertising some cable companies put on their guides.

      It's annoying, but certainly not illegal.

      Unfortunately, we now live in an "IP" world where we, consumers, must now pay for our own (bleeping) advertisement.

      link to this | view in chronology ]

      • identicon
        Nicedoggy, 10 Aug 2011 @ 7:19am

        Re: Re: Doesn't sound like searches

        https://www.eff.org/https-everywhere

        Nope you don't need to put up with it, just use encryption.

        Or use your own encrypted proxies like TOR.

        Or better yet use both.

        link to this | view in chronology ]

        • icon
          Hulser (profile), 10 Aug 2011 @ 7:35am

          Re: Re: Re: Doesn't sound like searches

          https://www.eff.org/https-everywhere
          Nope you don't need to put up with it, just use encryption.


          So, is this why your icon appears differently with every post? I just assumed some jackass was using the same alias as existing posts to grief the conversation.

          link to this | view in chronology ]

          • identicon
            Nicedoggy, 10 Aug 2011 @ 8:38am

            Re: Re: Re: Re: Doesn't sound like searches

            Nope is because of TOR.
            https://www.torproject.org/

            link to this | view in chronology ]

            • icon
              Hulser (profile), 10 Aug 2011 @ 9:03am

              Re: Re: Re: Re: Re: Doesn't sound like searches

              Nope is because of TOR.

              Cool. And on a completely unrelated note, every time I read your name, I do so in the Inspector Clouseau voice from the Does Your Dog Bite? scene in The Pink Panther Strikes Again.

              link to this | view in chronology ]

              • identicon
                Nicedoggy, 10 Aug 2011 @ 1:49pm

                Re: Re: Re: Re: Re: Re: Doesn't sound like searches

                Quote:
                Clouseau: I thought you said your dog didn't bite?
                Old man: That is not my dog.

                link to this | view in chronology ]

      • identicon
        Bengie, 10 Aug 2011 @ 8:30am

        Re: Re: Doesn't sound like searches

        "It's annoying, but certainly not illegal."

        Intercepting and modifying data is a criminal act.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Aug 2011 @ 6:46am

    If you use OpenDNS, you will find that they redirect on domains not found or incomplete entries. Many ISPs also use this sort of thing.

    Google Chrome browser takes incomplete addresses typed into the address bar as searches.

    It really doesn't sound like paxfire is doing anything particularly nasty.

    link to this | view in chronology ]

    • icon
      Josh in CharlotteNC (profile), 10 Aug 2011 @ 7:09am

      Re:

      If you use OpenDNS, you will find that they redirect on domains not found or incomplete entries. Many ISPs also use this sort of thing.

      That doesn't make it right. It breaks the accepted DNS standards, and thus can cause some applications to fail or produce unexpected results - and that's exactly why it was caught, since it was hijacking Google searches.

      Google Chrome browser takes incomplete addresses typed into the address bar as searches.

      That is a known and expected feature of the product, and is clearly stated and promoted, and is completely agnostic to the particular word or phrase. Are these ISPs clearly telling users that they'll redirect certain search terms to a marketing company?

      It really doesn't sound like paxfire is doing anything particularly nasty.

      That's what was said about Phorm.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Aug 2011 @ 8:16am

        Re: Re:

        Josh, can you find me the US federal law that explains "accepted DNS standards"?

        link to this | view in chronology ]

        • icon
          Josh in CharlotteNC (profile), 10 Aug 2011 @ 8:28am

          Re: Re: Re:

          You're the one bringing law into this. Notice I never commented on legality, only what was right - ethics. I think I've stated pretty clearly in the past that laws and ethics are separate concepts.

          However, DNS standards are in the IETF's RFCs 1034 and 1035.

          link to this | view in chronology ]

    • icon
      A Dan (profile), 11 Aug 2011 @ 8:21am

      Re:

      OpenDNS redirect on 404 is optional. It is part of their domain filtering scheme. I turned it off.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Aug 2011 @ 6:47am

    If you use OpenDNS, you will find that they redirect on domains not found or incomplete entries. Many ISPs also use this sort of thing.

    Google Chrome browser takes incomplete addresses typed into the address bar as searches.

    It really doesn't sound like paxfire is doing anything particularly nasty.

    link to this | view in chronology ]

  • identicon
    hegemon13, 10 Aug 2011 @ 6:56am

    RTFA, Mike

    "It appears that they're saying they didn't hijack searches so much as hijack typo searches, and they claim they do it nicely."

    No, it pretty clearly says that they redirect typo addresses, NOT searches. That is, when you mis-type the URL in your browser bar and the domain cannot be found, they direct you to a page that lists similar URLs to what you typed. In other words, instead of a 404-Not Found error, you get helpful suggestions to get you to the right place.

    Nearly EVERY DNS provider does this now, from OpenDNS to the major ISPs. I know that Time Warner does this for my home internet. It's not hijacking anything. It's simply displaying a more useful landing page when the DNS server encounters an unresolvable address.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 10 Aug 2011 @ 1:06pm

      Re: RTFA, Mike

      It's not hijacking anything. It's simply displaying a more useful landing page when the DNS server encounters an unresolvable address.


      In what sense is this not hijacking anything? Instead of getting the response which you are supposed to get, you get their obnoxious "landing" page.

      Which means that if you are relying on the error that internet standards promise you, you are hosed. Your software will think that the DNS lookup succeeded when, in fact, it failed. Your ISP just broke the internet for you. That this is now common practice doesn't make it any less wrong.

      The awful thing is that they could have provided the same functionality (as, indeed, modern browsers do) without breaking anything.

      ISPs (and Google) who do this are pretty much just giving you the finger and chuckling at how you accept degraded service for their unmitigated greed.

      Yes, this subject gets my blood boiling, just as much as DPI does. This kind of hijacking is worthless to anyone except the provider.

      link to this | view in chronology ]

  • identicon
    Nicedoggy, 10 Aug 2011 @ 6:56am

    Yah right.

    Also about hijacking, some exit TOR nodes are inserting their own ads on webpages, especially if you connect to Russian exit nodes, maybe others are doing it too, I just noticed the Russian ones, when Privoxy blocked an entire page and when it changed the exit node to one in Germany it loaded the page.

    Paxfire may be betting that there is no way one can identify something being redirected, they would be wrong.

    From what I read they were in fact inserting their own content into others pages requests and that is a big no, no.
    Now the surprising part, they have been doing this for ages now, in 2008 people even found security vulnerabilities on that, that could put people at risk. Paxfire apparently even tried to get BIND to put their code in it.

    - https://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
    - http://blog.washingtonpost.com/securityfix/2008/04/more_trouble_with_ads_on_isps.html?nav=rss_blog
    - http://www.washingtonpost.com/wp-dyn/articles/A50115-2005Jan30.html
    - http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html

    Tools to identify DNS hijacking:
    http://netalyzr.icsi.berkeley.edu/
    TOR and Privoxy (since Privoxy automagically blocks almost all ad links but puts a big white place holder in case you want to see that ad, and you can access the same page from multiple exit points, you can compare to see if the page served in one is different from the other)

    link to this | view in chronology ]

  • identicon
    Nicedoggy, 10 Aug 2011 @ 7:18am

    Quote:
    Paxfire's privacy policy says that it may retain copies of users' "queries", a vague term that could be construed to mean either the domain names that they look up or the searches they conduct, or both. The redirections mostly occur transparently to the user and few if any of the affected ISP customers are likely to have ever heard of Paxfire, let alone consented to this collection of their communications with search engines.

    Source: https://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us

    That privacy policy sure don't look right to me.

    link to this | view in chronology ]

  • identicon
    A Lawyer, 10 Aug 2011 @ 7:24am

    True story: filing baseless rule 11 motions can be a basis for rule 11 sanctions.

    link to this | view in chronology ]

  • identicon
    out_of_the_blue, 10 Aug 2011 @ 7:33am

    Weasel: "when we have to guess the intended destination from a bad address..."

    They NEVER "have to", they've gone to some effort to do so for purposes of inserting advertising. As above, even if many ISPs do it, it's not ethical -- or legal, they just CAN.

    2nd, I think Paxfire can be totally stymied by adding their name into your "hosts" file, if you have one. That completely prevents (or, to be accurate, /should/ if the system is honest) a browser from even seeing a site, just puts up its internal "can't connect" message.

    link to this | view in chronology ]

  • identicon
    Tom The Toe, 10 Aug 2011 @ 7:45am

    What is telling in their response

    "when we have to guess the intended destination from a bad address, our results page includes an explanation of how they landed there and provides an option to opt-out of the service." The fact that I never had the chance to opt in in the first place tells me they are doing something wrong in sending me someplace I had no intention of being.

    link to this | view in chronology ]

    • identicon
      Rich Kulawiec, 10 Aug 2011 @ 7:59am

      Re: What is telling in their response

      That last sentence is precisely right: anything, anywhere, anytime on the Internet that requires "opt-out" is abusive.

      And those responsible know this is true, which is why they're sneakily forcing it down users' throats: if what they had was truly good and truly desired, they wouldn't have to do that. They KNOW that what they're doing (which is monetizing NXDOMAIN, an inherently dishonest and fraudulent act) is wrong, they KNOW that people don't want it, they KNOW that it breaks things...but because they're greedy assholes, they're going to try to do it anyway.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Aug 2011 @ 9:44am

    All of you who are saying that they are hijacking 404 pages are incorrect and misinformed about what a 404 is. A 404 is a page-not-found HTTP response code, and has nothing to do with DNS, which these systems are based on. Those mentioning NXDOMAIN are, of course, correct...

    link to this | view in chronology ]
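
Added example (not part of any comment above, and not code from Paxfire, an ISP, or Netalyzr): the comments separate an HTTP 404 from a DNS NXDOMAIN and point to tools for spotting rewritten DNS answers. This Python check parses a resolver's reply to a query for a name that cannot exist and reports whether the RFC 1035 NXDOMAIN code came back or an address was substituted. The function names, the sample name under `.invalid`, and the 192.0.2.10 answer are constructed for illustration.

```python
import os
import socket
import struct

RCODE_NXDOMAIN = 3  # RFC 1035 section 4.1.1, "Name Error"


def build_query(name, qid):
    """Encode a recursive A/IN query for `name` (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(msg, off):
    """Return the offset just past an encoded name (labels or a pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (id, rcode, [IPv4 addresses from A records in the answer section])."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qid, flags & 0x000F, addrs


def classify(msg, qid):
    """Judge a reply to a query for a name that is known not to exist."""
    rid, rcode, addrs = parse_response(msg)
    if rid != qid:
        return "mismatched-id"
    if rcode == RCODE_NXDOMAIN:
        return "honest"
    if rcode == 0 and addrs:
        return "rewritten:" + ",".join(addrs)
    return "inconclusive"  # e.g. SERVFAIL, or NOERROR with no A records


def probe(resolver_ip, timeout=3.0):
    """Live check against one resolver. The .invalid TLD is reserved and never
    resolves, so any address in the answer was supplied by the resolver path.
    A rewriter may act only on some name patterns, so "honest" for one name
    is not proof of an unmodified resolver."""
    qid = int.from_bytes(os.urandom(2), "big")
    name = os.urandom(8).hex() + ".invalid"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(data, qid)


def constructed_reply(query, rcode, addr=None):
    """Build a sample reply for the offline demo (constructed, not captured)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if addr else 0, 0, 0)
    body = query[12:]  # echo the question section
    if addr:
        # Answer: pointer to the question name, type A, class IN, TTL 60
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + body


def demo():
    """Classify one standards-compliant and one rewritten reply, both constructed."""
    q = build_query("no-such-host-7f3a.invalid", 0x1234)
    honest = constructed_reply(q, RCODE_NXDOMAIN)
    rewritten = constructed_reply(q, 0, "192.0.2.10")  # documentation address
    return classify(honest, 0x1234), classify(rewritten, 0x1234)


if __name__ == "__main__":
    print(demo())
```

`probe()` is the only function that touches the network; pass it the address of the resolver you want to check.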

  • identicon
    A. Non, 10 Aug 2011 @ 2:07pm

    Again with the legal threats, Mark Lewyn?

    I have no affiliation with Google, Microsoft, Comcast, and I have no financial interest whatever in this issue. But I care about it passionately because I am a consumer and a former (current?) victim of Google search hijacking by Paxfire.

    This is why I have been calling since 2008 for investigation into the sleazy and probably illegal business practices of this company and its "partners", some of which appear to be front companies--- and if Mark Lewyn disagrees, let him lay out for the world the corporate ownership of Almar Networks LLC, for example (one of the companies which came up in my investigation in 2008 into the question of who was hijacking my Google searches, and also in independent research in 2011).

    In his email to Mike Masnick, Lewyn wrote "First, the lawsuit alleges that Paxfire collects, analyzes and sells user information. This is completely false and has absolutely no basis in fact." This appears to be contradicted by the description in Paxfire's patents related to its Paxfire Lookup Engines (PLE).

    United States Patent 7631101

    ...

    Sullivan, Alan T. (Leesburg, VA, US)
    Lewyn, Mark (Washington, DC, US)
    Gross, Phillip (Purcellville, VA, US)

    ...

    A computer system ... comprising a server in the DNS... provides... DNS forwarding, URL filtering,...
    Based on the type of inquiry that is being made, FIG. 4 shows how the PSP will return customer specific content based upon the profile stored for that customer or ISP... DNS Proxy intercepts DNS requests at port 53 and passes on those requests to the DNS of the ISP...
    The PLP can send information such as ... information about the owner of IP addresses... The Profiler ...can contain profile information about the ISP or the customer...The Page Builder module builds the PSP landing page in real-time in response to the profile of either the user, the ISP, or both that are stored in the Profiler...the identity of the user can then be determined by the IP address of the requester to bind a particular DNS request with a particular requester...the present invention... determines the general location of the computer of the user, for example through zip code...

    From a story by Andrea Caumont which appeared in the Washington Post, 31 January 2005
    [quote]
    So Lewyn and his co-founders, Alan Sullivan and Sezen Uysal, hit upon the idea of creating a technology that would work through Internet service providers. "Everyone will say the right place to do this is at the ISP level," Lewyn said, because ISPs are private companies that run private networks in an unregulated environment.
    [/quote]

    What we are discussing here is in fact an excellent example of the kind of outrageous abuse of consumer rights which will continue until the US Congress recognizes that the basic problem is precisely that companies which operate network equipment are unregulated.

    Mark Lewyn has often claimed that consumers can "opt out" of Paxfire hijacking. To say the least, that has not been my experience at all.

    @ the US Congress, the US FTC, the US Dept of Commerce, the US Attorneys General: how can the consumer even attempt to "opt out" if when they call their ISP's call center to ask why "Google is down", the employees they are talking to have been misled by Paxfire (or its business partners, maybe even their own company) about who and what is responsible for false DNS information being provided, which causes a url like google.com to resolve to the IP address of a server which is not operated by or in any way affiliated with Google, which presents a perfect mimic of Google, but which is a perfect mimic of a genuine Google search result page. How precisely does that differ from malicious hijacking by cybercriminals?

  • A. Non, 10 Aug 2011 @ 2:16pm

    "Improved user experience"?

    From a Knol by an ISP admin who says he was misled by Paxfire into passing on misinformation to consumers:

    http://knol.google.com/k/dns-squatting
    How Paxfire stole Google.com - and nobody noticed.
    Joseph Harris
    8 August 2008

    [quote]
    When called to the carpet every single one of these invasive marketing firms and the ISPs that utilize them attempts to spin their activities as "improving the internet experience".
    [/quote]

    How does it improve the consumer's experience when they find they cannot search Google? Not because Google is down--- that never happens--- but because Paxfire's secret DNS hijacking box is down. Which is the only way many consumers find out about Paxfire and its curious business model.

    See the EFF Deeplinks blog
    http://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
    and the two research papers it discusses:
    http://www.icir.org/christian/publications/2011-satin-netalyzr.pdf
    http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf

    The researchers found evidence of multiple redirections of search requests by consumers who clearly did not know about or desire interference and profiling by Paxfire, whose purpose appears to be to create the false impression that multiple consumers are "clicking through" on some page, which causes companies to pay advertising revenue to Paxfire and its business partners. How precisely is that different from what we call clickjacking when the cybercrooks do it?

    US Congress, are you listening?

  • A. Non, 10 Aug 2011 @ 2:32pm

    Paxfire does not hijack?

    Mark Lewyn claims: "Paxfire does not hijack searches or 'impersonate search engines."

    Reporters, Attorneys General: don't be fooled by this technobabble.

    The facts are perfectly simple.

    If you type google.com into your browser url bar, your browser should arrive at a server operated by Google. That is what DNS is designed to ensure happens. To check that it is working as designed, savvy consumers can check that the IP address corresponds to the true owner of the domain named in the url.

    But what Paxfire has been doing for years--- and many people, including individual consumers who have been victimized have documented this--- is ensuring that consumers whose ISPs (or their business partners) have installed Paxfire equipment wind up instead at a server whose IP address shows that it is not operated or affiliated in any way with Google, but which presents a perfect mimic of a Google search result page. Not just for some searches, but, at least for customers of some ISPs, apparently for ALL searches. As a consumer and a victim I documented that ALL my Google searches were being hijacked and winding up at a server which as I verified with Google has nothing to do with Google. How can that possibly be legal?

    Mark Lewyn has repeatedly claimed that if such things happen, it must be an error. But there is a great deal of evidence that this hijacking is intentional.

    I have been warning since 2008 that by my estimate millions of American consumers are being victimized by such DNS hijacking by Paxfire equipment. The recent research papers appear to have confirmed that my 2008 estimate probably remains accurate in 2011.

    So why is Paxfire still operating?

  • A. Non, 10 Aug 2011 @ 2:45pm

    If Paxfire is doing nothing wrong, why all the secrecy?

    Mark Lewyn writes: "We are all about helping customers navigate the web, and not about searches."

    Simple question: why, then, in the case of consumers whose ISPs (or their business partners) have installed Paxfire equipment, when the consumer enters a search request in his browser search bar, or enters google.com in his browser url bar, does the supposed Google search result page have an IP address which has nothing to do with Google? In my investigation into hijacking of my own Google searches in 2008, I found that one of the companies whose servers I was misdirected to was

    ALMAR NETWORKS, LLC
    4231 DANT BLVD
    RENO, NV 89509-7020

    Almar Networks LLC
    297 Kingsbury Grade, Suite D
    Post Office Box 4470
    Lake Tahoe, NV 89449-4470

    Almar Networks LLC
    Stateline, NV

    And according to the government of the US State of Nevada, this company is "managed" by

    PAXFIRE INC.
    45665 WILLOW POND PLAZA
    STERLING, VA 20164

    I ask again: if Paxfire is doing nothing wrong, why does it hide the existence and purpose of its equipment from admins employed by (at least some of) the affected ISPs? Why does it hide its operation of the servers presenting fake "Google search result pages" behind what appear to be front companies?

    I speak as a consumer, not as a lawyer, but I say again that I think it should be perfectly clear to US Congressional staffers and to lawyers working for the various US Attorneys General why investigation is warranted.

  • A. Non, 10 Aug 2011 @ 2:59pm

    Business as usual?

    hegemon13 writes "it pretty clearly says that they redirect typo addresses, NOT searches".

    Not true. In many cases, as the research papers described in the EFF Deeplinks blog document, ALL searches by (almost) all consumers of certain ISPs are being hijacked and redirected to non-Google servers.

    I know this from personal experience. And employees of my ISP (and at Google) verified that ALL my attempts to access the Google search engine were being hijacked and redirected to a server not owned, operated or in any way affiliated with Google. And multiple independent investigations since 2008 keep coming up with the same culprit: Paxfire.

    Some others wrote that they believe that many American ISPs hijack Google search requests. Yes: they are the ones which have hired Paxfire (or possibly its business partner GlobalPops, a subsidiary of Ad-Base Systems, which is named as the worst offending ISP in one of the papers cited in the EFF Deeplinks blog.)

    @ US Congress, US FTC, US Department of Commerce, US Attorneys General: you know what to do: hire tech experts to study the patents, unravel the corporate structure, follow the money.

  • Hans, 10 Aug 2011 @ 7:57pm

    Bollocks!

    If Paxfire is associated with Frontier's "search assist", or the jomax.net DNS servers, then Mr. CEO is either misinformed, or an outright liar.

    I'm a Frontier customer in WA state. If I use their DNS servers, and the bing search tool in Firefox to search for "apple" or "amazon", it doesn't take me to www.bing.com, it takes me to an "interstitial" (with a Frontier brand) saying it will send me to www.apple.com (or www.amazon.com) in a few seconds, with an affiliate ID likely attached.

    It does this because they have hijacked the www.bing.com DNS entry, to wit (some dig noise omitted for brevity):

    $ dig www.bing.com
    ...
    ;; ANSWER SECTION:
    www.bing.com. 60 IN A 64.27.117.167
    www.bing.com. 60 IN A 69.25.212.60

    ;; AUTHORITY SECTION:
    www.bing.com. 65535 IN NS WSC2.JOMAX.NET.
    www.bing.com. 65535 IN NS WSC1.JOMAX.NET.
    ...


    Whereas if I use Google Public DNS I get:

    $ dig @8.8.8.8 www.bing.com
    ...
    www.bing.com. 3391 IN CNAME search.ms.com.edgesuite.net.
    search.ms.com.edgesuite.net. 17657 IN CNAME a134.b.akamai.net.
    a134.b.akamai.net. 19 IN A 63.85.36.123
    a134.b.akamai.net. 19 IN A 63.85.36.88
    a134.b.akamai.net. 19 IN A 63.85.36.97
    a134.b.akamai.net. 19 IN A 63.85.36.90
    a134.b.akamai.net. 19 IN A 63.85.36.128
    a134.b.akamai.net. 19 IN A 63.85.36.104
    ...


    That there, is called hijacking.

    The interstitial page does not have a "just give me bing" link, it has a "give me more information" link which takes me to an opt-out page, which will only then take me to bing. The design is obviously trying to avoid informing the user what is going on.

    Oh, and the "opt-out" feature doesn't work. It probably requires I accept a cookie or some such nonsense, which I shouldn't have to do to "fix" their hijacking of the internet.

    Yahoo! search is similarly hijacked by redirecting the search.yahoo.com DNS entry to the same servers, but it directs to what seems to be a Frontier branded Yahoo! search page instead of trying to take you straight to "apple" or "amazon". I'm guessing their deal with Yahoo! already gets them a cut for the referral.

    So, assuming the association between Frontier, jomax.net, and Paxfire, I think the Rule 11 threats are just a bunch of hooey to cover his ass.

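An added example, not part of Hans's comment or of any tool named in this thread: a Python comparison of the two dig outputs quoted above, run over the records as constructed sample input. The function names, the finding labels and the watchlist (built from the two subnets quoted later in this thread) are assumptions of this example, and each finding is a heuristic rather than proof.

```python
import ipaddress
import re

# Constructed sample input: record lines taken from the two dig runs quoted above.
LOCAL_DIG = """\
;; ANSWER SECTION:
www.bing.com. 60 IN A 64.27.117.167
www.bing.com. 60 IN A 69.25.212.60

;; AUTHORITY SECTION:
www.bing.com. 65535 IN NS WSC2.JOMAX.NET.
www.bing.com. 65535 IN NS WSC1.JOMAX.NET.
"""
REFERENCE_DIG = """\
www.bing.com. 3391 IN CNAME search.ms.com.edgesuite.net.
search.ms.com.edgesuite.net. 17657 IN CNAME a134.b.akamai.net.
a134.b.akamai.net. 19 IN A 63.85.36.123
a134.b.akamai.net. 19 IN A 63.85.36.88
"""
# Assumption: watchlist built from the subnets quoted later in this thread.
WATCHLIST = [ipaddress.ip_network(n) for n in ("8.15.228.0/24", "69.25.212.0/24")]

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME|NS)\s+(\S+)\s*$", re.I)


def parse_dig(text):
    """Return (owner, ttl, type, rdata) tuples from dig record lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig's ';;' section headers
        m = RR.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower().rstrip("."), int(ttl),
                            rtype.upper(), rdata.lower().rstrip(".")))
    return records


def resolve_chain(records, qname):
    """Follow CNAMEs from qname; return (chain, set of final A addresses)."""
    cnames = {o: d for o, _, t, d in records if t == "CNAME"}
    chain, name, seen = [], qname, set()
    while name in cnames and name not in seen:  # 'seen' guards against loops
        seen.add(name)
        name = cnames[name]
        chain.append(name)
    addrs = {ipaddress.ip_address(d) for o, _, t, d in records
             if t == "A" and o == name}
    return chain, addrs


def compare(qname, local_text, ref_text, watchlist=WATCHLIST):
    """List the ways the local resolver's answer departs from the reference."""
    qname = qname.lower().rstrip(".")
    local, ref = parse_dig(local_text), parse_dig(ref_text)
    l_chain, l_addrs = resolve_chain(local, qname)
    r_chain, r_addrs = resolve_chain(ref, qname)
    findings = []
    # Weak on its own: CDNs legitimately hand different resolvers different IPs.
    if l_addrs and r_addrs and not (l_addrs & r_addrs):
        findings.append("answer_disjoint")
    # The reference reaches the host through a CNAME chain; the local
    # resolver answers the queried name directly with A records.
    if r_chain and not l_chain:
        findings.append("cname_chain_missing")
    # NS records owned by the queried host itself, as in the local output above.
    if any(t == "NS" and o == qname for o, _, t, _ in local):
        findings.append("leaf_delegation")
    hits = sorted(str(a) for a in l_addrs if any(a in n for n in watchlist))
    if hits:
        findings.append("watchlist:" + ",".join(hits))
    return findings


if __name__ == "__main__":
    for finding in compare("www.bing.com", LOCAL_DIG, REFERENCE_DIG):
        print(finding)
```
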

  • A. Non, 10 Aug 2011 @ 11:05pm

    Spot on, Hans!

    Referring again to the EFF Deeplinks blog post and the two research papers it discusses:

    http://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
    http://www.icir.org/christian/publications/2011-satin-netalyzr.pdf
    http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf

    and the 2008 Knol by Joseph Harris (an admin at an ISP who was apparently lied to repeatedly by employees of a business partner of Paxfire, GlobalPops, which is a subsidiary of Paxfire)

    http://knol.google.com/k/dns-squatting

    The EFF pointed out in the Deeplinks blog post on this issue that after the most recent outcry the named and shamed ISPs turned off the Paxfire hijacking of Google, but may be still redirecting Bing. In the paper by Weaver et al., "Implications of Netalyzr's DNS Measurements", the authors name two subnets as presenting fake Google search pages to unsuspecting consumers who thought they were connecting to google.com but instead are connected by Paxfire's equipment to servers which are not owned, operated, or affiliated with Google:

    IP:8.15.228/24
    Co-Location.com Inc. LVLT-COLOC-1-8-15-228 (NET-8-15-228-0-1)
    8.15.228.0 - 8.15.228.31
    Development Gateway, Inc. DEVEL (NET-8-15-228-0-2)
    8.15.228.0 - 8.15.228.31
    Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1)
    8.0.0.0 - 8.255.255.255

    IP:69.25.212/24
    Almar Networks LLC INAP-DEN-ALLMAR-29799 (NET-69-25-212-0-1)
    69.25.212.0 - 69.25.212.127
    Internap Network Services Corporation PNAP-12-2002 (NET-69-25-0-0-1)
    69.25.0.0 - 69.25.255.255

    Co-Location Inc, L-3 Communications, Almar Networks LLC, and Internap Network Services Corporation all came up in my 2008 investigation (seeking answers to the question of who was hijacking ALL my Google searches). I pointed out above that according to the Nevada state government, Almar Networks LLC is "managed" by Paxfire, Inc. In 2008 the servers registered by Co-Location Inc were also actually "managed" by Paxfire, Inc. (see the Knol by Joseph Harris). According to the EFF, it appears that Paxfire is also geolocating users as it hijacks their Google/Bing searches, and connecting them to specific fake Google servers (apparently actually "managed" by Paxfire, whatever that means) within these subnets. In 2008 the subnets were a bit different, but Paxfire seemed to be doing exactly the same thing back then.

    My ISP in 2008 was not Frontier, but my investigations then indicated that millions of Americans who were customers of ISPs including WOW!, or who were dial-up customers of almost any ISP in the US, were being victimized each time they attempted to access the Google search engine.

    Reporters, Congressional staffers, FTC staffers, States Attorneys General: please notice that Hans reports that when his browser requests www.bing.com (which should result in a connection to a server registered to bing.com), he is connected to a server with IP 69.25.212.60, which is not owned or operated by or affiliated with bing.com, but is registered to Almar Networks, which as noted above, turns out to be "managed" by Paxfire, Inc., although this information is pretty well hidden.

    Let me suggest some questions to ask Mark Lewyn: why, precisely, Mr. Lewyn, is this not hijacking? Why is this not fraud? Why the discrepancies between the description of PLE in your patent and your claim that Paxfire "does not hijack"? If PLE doesn't hijack attempts by consumers to access the Google search engine (i.e. to connect to genuine Google servers, operated by Google, you know, the owners of the domain google.com that the consumers typed into their browser, or expected to reach when they used their browser search bar with a setting like "Search Google"), what precisely does it do? And if that is what PLE does today to the customers of one ISP, what does PLE do today to the customers of that other ISP? And what was PLE doing last month for each of the customers for all of those ISPs? Be specific, Mr. Lewyn. Be exhaustive. Be detailed. Tell the whole truth and nothing but the truth.

    More free advice for Congressional investigators: when you question this guy, think how you would question, oh, say, Bill Clinton.

    Example: Lewyn carefully uses the present tense when he denies that Paxfire hijacks connections. So be sure to grill him, not just on what Paxfire (and Almar, and all the other apparent front companies) are doing on the day of his testimony, grill him on what they were all doing to unsuspecting consumers on each day from 2002 to the present. Because a little time with Google (the real one!) will uncover plenty of evidence of a recurrent pattern: every time there is an outcry over Paxfire's trampling on consumer rights, Paxfire temporarily reconfigures its equipment until the fuss blows over, and then they go right back to hijacking ALL searches by (almost) ALL customers of the worst offending ISPs.

    And be sure to grill him, under oath, on precisely what his PLE was doing on each day, so that there is no misunderstanding about the meaning of the word "hijack". Remember, one of the "selling points" of PLE is that it is "highly configurable" and can easily be reconfigured at any time.

    Another reason why consumers need inquiries which can compel truthful testimony: employees of ISPs who know about the shady (and probably illegal) business practices of Paxfire are apparently routinely warned to keep quiet, to lie by omission (or worse) to customers of the ISP who want to know:
    "Why is Google down?"
    "Why do I keep seeing those CAPTCHAS?" (a typical clue that Paxfire is hijacking your Google search requests)
    "Why can't I connect to genuine Google?"
    We have seen that Lewyn likes to claim that "consumers can opt out" of Paxfire's hijacking. Well, I know from personal experience that this is a flat out lie. One reason why is easy to appreciate: if Paxfire's business partners are lying to small ISPs (or at least, to their admins), so that the ISP admins tell their own customers (consumers like me) some story about an alleged innocuous cause, or claim that I have "misconfigured" my browser, or whatever other misdirecting and incorrect explanation might be on offer, then how can the consumer possibly opt out? When employees of his ISP are repeatedly failing to explain the role of Paxfire in the hijackings--- possibly because they also have been repeatedly lied to by the employees of Paxfire or its business partners. A congressional investigation which can compel truthful testimony from employees of the affected ISPs and of Paxfire and its business partners, will surely verify this.

    Another reason why the claim that "consumers can opt out" is, to put it kindly, a misdirection, is that for security reasons many consumers choose to
    disable cookies for most sites
    disable Javascript for most sites (vulnerabilities in Javascript are frequently named as a leading cause of cross-site attacks).
    But even when consumers are informed about Paxfire's hijacking and given a webform where they can opt-out, this typically will not work without enabling Javascript or enabling Paxfire to set a permanent and uniquely identifying cookie. And please don't forget that a consumer who has already caught Paxfire hijacking his attempts to use the Google search engine, by hijacking his connection and illegitimately redirecting it to a fake Google website which mimics perfectly a Google search result page, but is actually served by a server registered to an apparent front company like Almar Networks and which is actually "managed" by Paxfire, is hardly likely to trust Paxfire enough to let Paxfire place a permanent uniquely identifying cookie in his computer!

    In my opinion, it ought to be very easy to see through all these misdirections which Lewyn has used so often and which are wearing very thin indeed.

    Congressional staffers, Attorneys General, FTC, DOC: Mark Lewyn seems to think you are all easily gulled. I challenge you to prove just how wrong he is. I am confident that a little serious investigation will show that the EFF is fully correct in estimating that at least 2% of the US population has been victimized by Paxfire's years of shady (and probably illegal) business practices.

  • A. Non, 10 Aug 2011 @ 11:43pm

    Make a fuss, How to

    If you, like me, are one of the 2% or more who have been victimized by Paxfire (or believe you may have been--- if your ISP is one of the ones listed by EFF and if your browser ever acted like Google was "down", or wanted you to fill out a CAPTCHA to see Google search results, you probably were), let the U.S. Senate know:

    Sen Richard Blumenthal (D-Connecticut)
    Judiciary Committee
    702 Hart Senate Office Building,
    District of Columbia 20510-0702
    Phone: (202)-224-2823
    Fax: (202)-224-1083

    Sen. Al Franken (D-Minnesota)
    Judiciary Committee
    309 Hart Senate Office Building,
    District of Columbia 20510-2303
    Phone: (202)-224-5641
    Fax: (202)-224-0044

    According to the New Scientist, Sen. B said last week he intends to talk to Sen. F this week about putting on a full blown Congressional investigation. I say, go to! And ask the States Attorneys General to get in touch with Nevada to ask about the relationship between Paxfire Inc and Almar Networks LLC, and Pennsylvania, to ask about the relationship between Paxfire Inc and Ad-Base Systems and its subsidiary GlobalPops. Follow the money! Study the patents owned by Paxfire! Read the past boasts by Paxfire CEO Mark Lewyn.

    According to a story by Nate Anderson, "Small ISPs use "malicious" DNS servers to watch Web searches, earn cash", Ars Technica, 5 August 2011, the Paxfire website (in a blurb apparently aimed at seducing greedy ISP owners):

    The profit motive for Paxfire's business partners:
    "Some of our customers literally generate millions of dollars a year using the Paxfire Look-up Service... It all depends. That said, no matter how you slice and dice it, the Paxfire Look-up Service will generate good money for you."

    No worries, says Paxfire:
    "What feedback you do receive typically will come from a small group of highly technical users... Even that feedback tends to fall away after just a few weeks—as they get used to the new behavior."

    This is perhaps the most outrageous claim of all: the sniveling suggestion that consumers who are insufficiently "technical" deserve to be victimized. How precisely does this attitude differ from that of the con-man?

    US Congress, are you listening?

  • Harlan Sanders, 7 Sep 2011 @ 2:26pm

    If anything Paxfire's lawyers should be sanctioned for this counter suit and for wasting the court's time by requesting sanctions against the other guy...

    My ISP at work use(d) Paxfire (I've had paxfire's IPs nullrouted on our router for a long time and their various DNS names as 0.0.0.0 in our local DNS server) and I've always hated them. Contrary to what they claim there is no obvious opt out.
