Broadband ISP CenturyLink Is Blocking Users' Internet Access Just To Show An Ad
from the ill-communication dept
US telco CenturyLink is under fire for temporarily disabling the broadband connections of customers in Utah unless they click on an ad for CenturyLink security software. Even more oddly, the telco is repeatedly (and falsely) trying to blame a new Utah law for its ham-fisted behavior.
It began when a CenturyLink user in Utah posted to Twitter that his CenturyLink broadband line suddenly and mysteriously stopped working. Using what appears to be JavaScript ad injection (an already contentious practice), CenturyLink then sent the user a notice stating his broadband connection would not be restored until he acknowledged receipt of the message, which appears to be a glorified advertisement for CenturyLink's @Ease filtering and security software:
Just had @CenturyLink block my internet and then inject this page into my browser (dns spoofing I think) to advertise their paid filtering software to me. Clicking OK on the notice then restored my internet... this is NOT okay! pic.twitter.com/NtCZUeJF8I
— Rich Snapp (@Snapwich) December 9, 2018
In a blog post first spotted by regional Utah news outlets and subsequently Ars Technica, the user explains how he was initially under the impression that CenturyLink had tried to block him from visiting a phishing website, only to realize later that the ISP was really just temporarily holding his connection hostage until he engaged with a product ad:
"At first glance I was worried that I had somehow been redirected to a malicious website and that this was some kind of phishing attempt... After all, I didn't navigate here. I attempted to do another search but still ended up at this same notice. I considered the idea that maybe my ISP had detected some kind of threat coming from my network and that's why I was seeing this official looking page. Eventually, after reading over the page several times, I clicked "OK" and my internet was back."
When criticized, CenturyLink repeatedly told the user and many reporters (myself included), that it had to block user access in this fashion due to a new Utah law:
Legislation requires us to notify Utah consumers of content filtering options to protect minors in a conspicuous method. To protect those most vulnerable, the most conspicuous method is a pop-up. We did not engage in DNS hijacking. - Zac
— CenturyLinkHelp Team (@CenturyLinkHelp) December 18, 2018
Except that's false. Utah is, Techdirt readers will be aware, home of what has been a near-constant stream of ridiculous efforts to filter porn, a technically impossible task (something backers of the idea refuse to learn). And while this new law in question is dumb, it's not quite that dumb. The law requires ISPs to inform users that filtering software is available to them as a sort of half-measure toward combating porn. ISPs can do this in a number of ways; the law specifically recommends either including mailers in user bills or sending an email.
The law does not require that ISPs sever access to the internet in order to show them ads for an ISP's own software, something CenturyLink executives appear to have come up with on their own. That's something the bill's author himself confirmed when asked by the impacted user on Twitter:
I’m sorry you are having problems. SB134 did not require that — and no other ISP has done that to comply with the law. They were only required to notify customers of options via email or with an invoice.
— Todd Weiler (@gopTODD) December 10, 2018
Users on Reddit indicate this wasn't isolated to just this user -- all Utah CenturyLink customers appear to be experiencing this unnecessary, heavy-handed nonsense. Now it's possible CenturyLink could argue it was just over-complying to adhere to the law, but since the law is pretty clear an email is ok, this argument doesn't hold up. More likely, CenturyLink executives either thought they'd use the law as a marketing opportunity, or wanted to bring attention to the dumb new law. Unfortunately that's not really accomplished by behaving stupidly yourself.
Of course this is the kind of ISP behavior our since-discarded net neutrality rules were designed specifically to prevent. And while a few days of press shame may drive CenturyLink away from the policy if users are lucky, that's really no substitute for an attentive FCC that actually cares about keeping the internet free from idiotic monopoly ideas exactly like this one. The battle over net neutrality has always been about slippery slopes, and letting an ISP interrupt internet traffic to market its own products--and then lie about it--is slippery as hell.
Filed Under: ads, blocking, broadband, filters, injection, packet injection, utah
Companies: centurylink
Reader Comments
This is the third article which dismisses the true problem: why did Utah's legislature make this a law to begin with.
*THAT* should be the focus, not an ISP blocking the internet (a daily occurrence).
[ link to this | view in thread ]
Re:
So, this story's over a week old now. Has anyone based a phishing site on it yet?
[ link to this | view in thread ]
Re:
Most communities don't have the luxury to choose.
[ link to this | view in thread ]
Re:
Mormonism, like most Christ-derived religions, dislikes pornography from a moral standpoint. It also disapproves of masturbation. Porn bans have not stood up to legal challenge. But a 'for the children' law designed to remind consumers, like parents, of the existence of optional filters to protect them from 'objectionable' material, via email or letter, but requires the consumer start the process, is pretty benign and so is something no one wants to spend resources fighting.
I suppose that legislating morality is an issue, but it is also one Techdirt covers regularly. This law, while strange, is not one that impacts the speech of consumers, or their viewing habits.
Given that the ISP chose instead to block the internet and blame the law for hijacking a customer's internet session, that is news. The why and how of the blocking is important.
You must be burnt out on net neutrality. That's understandable. But it is how corporations rule us. By violating our norms until we accept that the norms will always be violated, and the violation becomes the norm. Techdirt remains vigilant. I remain vigilant. You, clearly, refuse.
[ link to this | view in thread ]
Re:
They were also using some kind of traffic hijacking to redirect people to the page, which to me is the bigger problem. (They deny DNS hijacking but don't say how they got the popup to appear; the only other option I know is to redirect and rewrite port 80 traffic.)
It also indicates a serious problem on the customer's end. "Eventually I turned to a Google search on my phone only to be immediately greeted with an official looking notice"—what? Google has been encrypted for years now. How did the customer accidentally end up on a site vulnerable to the ISP's hijacking? Google.com claims to use HSTS to force encryption; it shouldn't have been possible.
And I didn't see a comment about this yet: CenturyLink is giving out the customer's account number. If they had open wifi, anyone driving by could have that number now.
[ link to this | view in thread ]
Re: Re:
That does not protect the initial DNS request, and the ability to put up a page if the name does not resolve.
[ link to this | view in thread ]
Re: Re:
https://twitter.com/ktetch/status/1075442986455052294
[ link to this | view in thread ]
Got it too
What's odd is that it doesn't block all traffic, as some big name sites (google, yahoo, etc) still work, but most minor sites load the "ad".
I'd gotten this before when I downloaded some... less than legal audiobooks once. Same method done as here, where most sites are down and showing a notice from the ISP.
[ link to this | view in thread ]
Working as intended
[ link to this | view in thread ]
Apple lawsuit in the making?
[ link to this | view in thread ]
Re: Re:
They most likely had an account check. Anyone that had not yet checked the agree box would have the "pay your bill" webpage, but if you hit the check box, they'd reboot you back to the regular internet.
[ link to this | view in thread ]
Testing the waters...
My guess is that they will wait a period of time, then do another trial-run... wait a shorter period of time and then do another... so on and so forth until people are used to it.
If that doesn't work out they will probably make regular ad-free internet connections more expensive while offering "cheap" connections with ad injections like this (cheap meaning almost, or exactly, same price as connections now).
Long have they looked enviously at TV stuffing more and more ads into every hour and I am betting it is in their long-term strategy to stuff the internet just as full of them.
[ link to this | view in thread ]
What are the laws about 911 access? I don't think states have much say in this.
Some people, by choice, do not have plain old telephone service and they rely upon their internet connection for telephony related functions, including 911 service that Centurylink blocked.
[ link to this | view in thread ]
Re: Re: Re:
HSTS is meant to protect exactly that. If your browser has a record of you having gone to google.com, and it had HSTS, the browser will automatically convert all http requests to https. And DNS-redirection will cause any https connection to throw an error, because CenturyLink shouldn't have a valid google.com cert. (Try it: put a google.com record in your hosts file that points to the IP of an unrelated https server, then go to https://google.com.)
Otherwise, any random wifi AP could redirect your bank's DNS elsewhere and grab your password.
[ link to this | view in thread ]
Re: Re: Re:
Sure, easily done, but any https connection is supposed to throw an error if redirected to an unauthorized server. Unless you mean they're working with a browser's built-in captive portal detection feature somehow. (Is that standard? There were talks.)
[ link to this | view in thread ]
It's not to 'show an ad'. It's to comply with a state government mandate.
You can say the legislature 'never intended' for them to comply with the legislature's mandate in this manner - but the ISP is still required to contact users to inform them about porn filter software the ISP is mandated to offer them.
This way at least no one - especially the legislature - can come back later and say 'we didn't know, you didn't put enough effort into contacting people'.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
That doesn't make sense. You cannot send an arbitrary error page back in response to a failed https connection. If you could, the phishers would do exactly that. And you can't send a "page" back from a DNS request.
[ link to this | view in thread ]
Re: Re:
I live in a county of 200,000 people in Arizona (a state with fewer than 8 million people in it, 6 of which are in one city) - 5 miles outside a town of 15,000.
I still have 3 internet providers available. They all suck - but I've got competition.
[ link to this | view in thread ]
Re:
This is a terrible response to a terrible law.
[ link to this | view in thread ]
Re: Re: Re:
And I live within 5 miles of ASU and the only broadband ISP available at my address is Cox.
Are you counting dialup and satellite? Or are you just lucky?
[ link to this | view in thread ]
Re: Re: Re:
I live in a county of ~400,000 and in a township of ~20,000 and I have one broadband internet provider available. There is one other DSL provider available but they can only provide about 3-6 Mbps at my location. Your situation is quite unusual in the United States.
[ link to this | view in thread ]
Re: Re:
I'm not sure which would be more pathetic, Blue pretending to be their own fanboy/girl, or someone who actually is.
[ link to this | view in thread ]
Nothing new here
First this is a big fat nothing of a story. Years ago when I had AT$T I would get occasional notices of service changes that disconnected the internet until I agreed. Charter did the same to me even earlier. A mandatory click through for each TOS change. That goes back to old telephone DSL days.
Second, the filter option was just that, an option.
Third, the law requires that filters be made available and that the customer be made aware. A one button click through seems as good a route as any.
Fourth: they pushed their own tool. So what. Anyone unskilled enough to set up their internet connection with an included software cd already knows that communications companies are going to push their software, be it by partnership or rebranded. The fear mongering in clicking to disable installing inferior software such as Symantec or Eset makes people install it anyway.
So why not look at the far more underhanded tactics like those install discs?!? Not a click through notification.
And really, are you so caught up in looking for something, anything, to prove the regulatory changes caused harm somewhere that you resort to this?
This has nothing to do with net neutrality! No traffic was redirected. You weren’t charged to do something previously free. You weren’t blocked from using the services of your choosing! You were prompted with a notification from the provider. One that required a simple click through to access. A process I’m sure was easier than registering to post here. Where you get a page. Another page. Go to your email for code. Enter code. Find article again. All you had to do was click through and acknowledge you were made aware that draconian filtering was available to you. Where’s the story?
[ link to this | view in thread ]