Chris @ Olstrom (.com)

As noted by Lauren Weinstein, Rogers is modifying HTTP data sent to their users as illustrated here:

Note: This is not speculation. Rogers’ Vice President of Communications, Taanta Gupta has confirmed that they are experimenting with this technique ( via Wired ).

What this means is that they are embedding additional content in web pages served to their clients, without explicit permission. This is not something clients can opt into. As a privacy-aware netizen, I find this to be a blatant abuse of any Internet Service Provider’s power, for a number of reasons.

Security

When I connect to a site, my browser requests a page from the server hosting that site. I expect that the page I receive is the one that the server sent to me. What Rogers is doing breaks this implicit trust. As a user, I can no longer have faith in the authenticity of a page I view, because it may have been modified somewhere between the server that generated the page, and me.

Such action (when initiated by an individual) is considered malicious activity, and controversial at best. When a telecommunications carrier is responsible, it is also illegal.

Part II, Section 36 of the Telecommunications Act states:

[Content of messages]

36. Except where the Commission approves otherwise, a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public.

Privacy

The example above illustrates this capability being used to send targetted messages to clients regarding their accounts. Two important details can be determined from this: That Rogers is in fact actively monitoring data that passes through their network (so as to not inject arbitrary code into incompatible content types) and that they are linking these data sessions to individual client accounts. It is hardly a distant thought for them to be tracking the sites a client visits, and constructing a profile about that user from that data. Again, this is done without explicit consent from their users.

Potential Impact

Right now, this technology is being used to send ‘useful’ (but intrusive) messages to clients. In the future, it would not be unexpected for Rogers to add ‘relevant data’ to pages, or deliver contextual advertising (and they would likely make a killing from it). It is possible that this capability could be used to push software onto the PCs of their users. Though local security policies would likely prevent this, it would be simple enough to install a browser addon from the Internet Setup software that bypassed the usual security measures by considering such content to be ‘trusted’. In the case of users who opt not to use the setup software, such an addon could be installed by exploiting any one of the vulnerabilities in their given browser (most commonly Internet Explorer). A user would not even have to go to a specific site, as the needed data could be embedded in any page.

In a more sinister scenario, it is also possible that Rogers could modify the owner attribute on existing on-page advertisements, effectively stealing that ad revenue from the page owners. Since this would occur after the page was generated, but prior to it being served to the client’s browser, there would be no way for the site owner to notice this (since it is common for users to have ad-blocking software installed locally, many site owners expect a certain portion of viewers to not receive the advertisements), and no way for the client to determine it either.

Extending this a bit further, it is not difficult to envision an entity with these capabilities modifying other content on-page. Altering unfavourable commentary regarding themselves, censoring content, adding content to pages and generally discrediting the validity of the web.

Some of these examples seem unlikely, others not so much. Only time will tell, but if we do not voice our concerns, if we do not defend our rights to privacy, anonymity, and security, a bleak future is all the more probable.

Note: This page should be should be served to you via HTTPS, ensuring that such content-modification schemes are ineffective.