NNSquad - Network Neutrality Squad


[ NNSquad ] Re: Liability issues in ISP-injected ad systems?


Brett Glass wrote:
> It is unclear why this would create any more or different vulnerabilities
> than one might expect from any other site which contained third party
> advertising.

There are several possibilities, apart from the most obvious one of
alteration of the displayed pages' user experience quite possibly
being a copyright violation -- but that's a matter for courts to
decide.  From an identification standpoint, ISP-injected ads that
were not clearly identified as such would tend to give the
impression to users that those ads were being provided by the Web
site with which users were communicating.  If users had problems or
negative issues related to those ads, they'd likely blame the Web
site, not the ISP, in such situations. 

Similarly, vast numbers of sites choose not to display advertising,
for any number of reasons, including legal, nonprofit issues, decorum
(*many* sensitive topics are totally unsuitable to be displayed
along with ads of any kind), and so on.  ISPs injecting ads around
such pages would likely face considerable backlash, legal and
otherwise.  The entire look and feel of sites can be changed by such
injections not under the control of the Web site authors.

Systems like Phorm go a step farther of course, by actually "listening
in" on user data.  As far as I'm concerned, that sort of content
monitoring is most akin to wiretapping.  In the telephone environment,
it would be like AT&T monitoring what their subscribers say on the 
phone ("Don't worry, we'll handle the data anonymously!") then prepending
and appending commercials at the start and end of calls based on the
topic being discussed.  Presumably this would be unacceptable to most
persons on the phone -- and would trigger immediate legal entanglements.

> That being said, our ISP has considered catching DNS errors for a different 
> reason. An increasing number of our users seem to have "DNS error redirectors" 
> installed on their machines -- either when they buy them (it seems to be a 
> "feature" of many vendors' installations of Windows Vista) or when they install 
> third party toolbars, etc. Some of these redirectors seem to be designed to 
> hijack and/or mislead the user.

I am in general not a big fan of preinstalled toolbars that feed
user activity data back to sponsoring entities on a default,
non-opt-in basis.

> If we redirect the errors to our own error page, we can actually protect our 
> users from security vulnerabilities and hijacking that might occur if we let 
> them get an NXDOMAIN result back.

For many non-Web applications, NXDOMAIN is the only appropriate
response in such situations, and of course the DNS is usually
oblivious to which application triggered a DNS lookup.  ISPs that
falsify DNS returns by substituting their own data for NXDOMAIN (on
other than a user opt-in basis) are risking interfering with other
applications, particularly if such interception is done via port 53
diversion, which cannot easily be bypassed by users changing their
local DNS settings.

--Lauren--
NNSquad Moderator
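
Added example, not part of the original message: a Python check for the NXDOMAIN substitution discussed in the last paragraph. It classifies raw DNS replies to a probe under the reserved `.invalid` TLD, which can never legitimately resolve. The probe name, resolver labels, documentation addresses and the `build_response`, `classify` and `audit` helpers are all constructed for illustration.

```python
import struct

RCODE_NXDOMAIN = 3
TYPE_A = 1
PROBE = "nnsq-probe-4821.invalid"  # constructed name; .invalid is reserved (RFC 6761)

def build_response(qname, rcode, answer_ip=None):
    """Build a DNS response message. Constructed test data, not captured traffic."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, low four bits carry RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if answer_ip else 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", TYPE_A, 1)
    answer = b""
    if answer_ip:
        # compression pointer to the question name, type A, class IN, TTL 60, 4-byte RDATA
        answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 60, 4)
        answer += bytes(int(octet) for octet in answer_ip.split("."))
    return header + question + answer

def classify(response):
    """Classify a reply to a query for a name that is known not to exist."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("message is a query, not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"   # honest answer
    if rcode == 0 and ancount > 0:
        return "rewritten"  # an answer was synthesized for a nonexistent name
    return "other"          # SERVFAIL, empty NOERROR, etc.: inconclusive

def audit(replies):
    """replies maps a resolver label to the raw reply it gave for PROBE."""
    verdicts = {label: classify(msg) for label, msg in replies.items()}
    rewriting = sorted(l for l, v in verdicts.items() if v == "rewritten")
    # If switching resolvers never restores NXDOMAIN, that is consistent with
    # port 53 diversion on the path (or with every tested resolver rewriting).
    diverted = len(verdicts) > 1 and len(rewriting) == len(verdicts)
    return verdicts, rewriting, diverted

# Constructed sample: ISP default resolver and a manually configured one.
SAMPLE = {
    "isp-default (192.0.2.53)": build_response(PROBE, 0, "192.0.2.80"),
    "manual (198.51.100.53)": build_response(PROBE, RCODE_NXDOMAIN),
}
```

With `SAMPLE`, only the ISP resolver is flagged, so changing the local DNS setting restores NXDOMAIN; if both entries came back "rewritten", `audit` would report the pattern described above for port 53 diversion.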