ISPs meddled with their customers' Web traffic, study finds

April 16, 2008 —

About one percent of the Web pages being delivered on the Internet are being
changed in transit, sometimes in a harmful way, according to researchers at
the University of Washington.

In a paper, set to be delivered Wednesday, the researchers
document some troubling practices. In July and August they tested data sent
to about 50,000 computers and discovered that a small number of Internet service
providers (ISPs) were injecting ads into Web pages on their networks. They also
found that some Web browsing and ad-blocking software was actually making Web
surfing more dangerous by introducing security vulnerabilities into pages.

"The Web is a lot more wild than we originally expected," said Charles
Reis , a PhD student at the University of Washington who co-authored the paper.

The paper, which was co-written by a researcher at the International
Computer Science Institute, will be delivered at the Usenix
Symposium on Networked Systems Design and Implementation in San Francisco.

To get their data, the team wrote software that would test whether or not someone
visiting a test page on the University of Washington's Web site was viewing
HTML that had been altered in transit.

In 16 instances ads were injected into the Web page by the visitor's Internet
Service provider. "We're confirming some rumors that had been in the news
last summer, that ISPs had been injecting these ads."

The service providers named by the researchers are generally small ISPs such
as RedMoon, Mesa
Networks and MetroFi,
but the paper also named one of the largest ISPs in the U.S., XO
Communications, as an ad injector. An XO spokesman said that the company
does not engage in this practice and that any ad-injection linked to its network
is probably being done by a "downstream" service provider that is
purchasing network capacity from XO.

In June 2007 the TechCrunch
blog reported RedMoon, a small Texas wireless provider, was using a system
built by a Redwood City, California, company called NebuAd
to insert advertising into the HTML code of Web pages.

Critics blasted the ISP for meddling with its customers' traffic and worried
that this kind of ad injection undermined the integrity of Web sites, which
had no control over the ads being displayed.

NebuAd has now discontinued its ad-injection product line and now delivers
only the standard type of advertising that it buys from Web publishers, a company
spokesman said Tuesday.

The data also shows that pages were sometimes changed by popup blockers within
products such as CheckPoint's
ZoneAlarm or CA's
Personal Firewall, but also that some products actually inserted security
vulnerabilities into the pages they processed.

Even Microsoft's
Internet Explorer browser is part of the problem, the researchers claim.
IE injects HTML into pages that it saves to the computer's hard drive, making
those pages vulnerable to attacks when the page is then reloaded from the local
disk.

The paper's authors characterized their work as a first step and said that
more study would be required to get a clearer picture of what exactly is going
on within the many networks that make up the Internet. "One of the next
steps for the community is to create better and stronger mechanisms for understanding
what is happening," said Tadayoshi Kohno, an assistant professor with the
University of Washington. "The Web is still very young and we just don't
know what's going to happen next."

IDG News Service