Dear ZDNet: Comcast Has Been Sketchily Injecting Messages Into User's Browsers For Years
from the old-news-bad-news dept
Comcast has been dutifully modeling its behavior in such a way so as to fill up Techdirt's story pages for years now. So, when we come across a story somewhere discussing how Comcast is doing some bad new thing, it's tempting to simply assume it's true and move on. Such might be the case for some readers of ZDNet's recent post about how Comcast was injecting notices into browsers warning of potential copyright infringement.
The cable and media giant has been accused of tapping into unencrypted browser sessions and displaying warnings that accuse the user of infringing copyrighted material -- such as sharing movies or downloading from a file-sharing site. Jarred Sumner, a San Francisco, Calif.-based developer who published the alert banner's code on his GitHub page, told ZDNet in an email that this could cause major privacy problems.

Well, sure, this is horrible, and it is a privacy issue -- but it isn't new. In fact, Comcast has been doing some flavor of this sort of browser injection for the better part of a decade. The company started this practice way back in 2009, using the tactic to warn users of potential malware infections, and there was even discussion about expanding the use for other security purposes in 2011. More specifically on browser injections being used as a copyright warning system, our own Karl Bode noted in 2013 that this was all specifically laid out in Comcast's six-strike plan. Per Karl's post, Comcast isn't even alone in using this tactic.
Comcast has now put information on their implementation of six strikes online. According to the nation's largest broadband company, their version of the program will involve a persistent nagging pop up that continues to alert the user after the fourth warning. Time Warner Cable, who outlined their version of the plan to me last November, stated they're using a similar pop up warning system that blocks browsing until users acknowledge receipt of "educational" copyright materials.

None of that is to say that the privacy and security concerns aren't very real, of course, and ZDNet does a nice job of discussing those concerns. But it's not new. Perhaps the better conversation to be had is why anyone in their right mind would think that Comcast deserves anyone's trust to the level where users' browsers should be injected with copyright violation notices in a system rife with abuse from pretty much every player involved.
Filed Under: alerts, copyright, deep packet inspection, injection
Companies: comcast
Reader Comments
disable javascript !
Though it's possible that Comcast -like many websites- will just switch to another display method on Javascript-disabled browsers. Perhaps like inserting a banner image in the middle of any web page.
But compared to Comcast's numerous other below-the-belt shenanigans, like injecting forged reset packets into a user's data stream to cripple BitTorrent, this privacy & neutrality violation seems mild.
As the usual mission-creep sets in, Comcast could even use this method for selling advertising space and delivering ad banners right into everyone's browser.
[ link to this | view in chronology ]
Re: disable javascript !
Using a different method of displaying ads as suggested may actually be illegal. It is definitely in the extremely stupid realm, thus Comcast will probably do it.
[ link to this | view in chronology ]
Re: disable javascript !
[ link to this | view in chronology ]
Random Comcast injections
It's a very annoying popup that does nothing besides remind you to surf TLS pages exclusively.
This is nothing more than an ad for letsencrypt. The lack of security on the internet is astounding.
[ link to this | view in chronology ]
Mediacom Too
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
"The company (Comcast) started this practice way back in 2009, using the tactic to warn users of potential malware infections, "
...I had this problem a few years ago, a popup warning that my computer might be at risk and I was to call Xfinity (Comcast) for important information that would save my computer. There was literally no way to make it go away, no X box in the corner to close it.
The only way to stop it was to call the number. Comcast used my call as a way to capture me on the phone to pitch their crappy Constant Guard software. The Comcast guy was very earnest and said I was getting the pop up because my computer was, and I quote, "probably already compromised", and that only buying Constant Guard for a monthly fee of $12.99 was the way to fix it and stop the pop ups.
I told the Comcast weasel that I knew Comcast was injecting the pop up as an ad and that it was NOT any indication of a malware infection because I'd done my research online, and ordered him to fix it so that Comcast would stop injecting their stupid ad into my browser. I'm an older woman, which means I'm part of a demographic that usually automatically believes what the nice, young tech gentleman who seems to have my best interest at heart says... he kept telling me the pop up meant I ("probably") had a malware infection and that he was trying to help me save my computer.
I pay for ESET Smart Security, I would recommend it to anyone, and I'm not buying Norton, especially not for a nice, chunky monthly fee from Comcast.
He finally glumly agreed to stop the ad injection, and it never happened again after that... this is a guy who stated categorically that Comcast was not injecting an ad, that it was a malware warning only meant to help me.
It makes me sick to think of all the older people who fall for this crap because they do not know any better.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
It's a sad state of affairs that in the internet today, spoofing a browser's user-agent is a requirement on so many sites in order to avoid getting redirected to a scold page telling you to "update" your browser in order to be let in. Though it would indeed be nice if browsers let users spoof the screen resolution as well, so as not to be automatically redirected to the "mobile" page (which Twitter does to punish people with large screens in non-standard resolutions)
OK, morning rant over.
[ link to this | view in chronology ]
It reminds me of the direction mass surveillance is heading in. It started out being about safety and security from terrorists (which it's failed miserably at stopping any terror plot). Then it morphed into economic espionage followed by quelling political dissidents, spying on journalists and prosecuting whistle blowers.
It always starts out being about safety and security before morphing into a monster.
[ link to this | view in chronology ]
Also, it sucks being a poor blogger because SSL certificates cost hundreds of dollars a year per domain. Techdirt had run a story about some organization (EFF?) that was going to give those certs away for free soon? There's lots of sites like mine that would go to HTTPS in a hot second if they could afford the certs.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
In order to inject, they must first read the header
This isn't like dropping a pebble in a pond. Line rate content transliteration requires heavy engineering and complex software.
If they are doing this, they have the capacity to do many other nefarious things that would be less obvious. Like transliterating popular political content at line-rate in order to manipulate elections.
How indistinguishable does a telecom have to become, before a judge is willing to call them what they are: "Agencies of the State"?
Overturn Citizens United. Reinstate Glass Steagall. Bust the Trusts.
[ link to this | view in chronology ]
Suggestion for a better headline
[ link to this | view in chronology ]
Use a VPN
[ link to this | view in chronology ]