As noted by Lauren Weinstein, Rogers is modifying HTTP data sent to their users as illustrated here:
Note: This is not speculation. Rogers’ Vice President of Communications, Taanta Gupta, has confirmed that they are employing this technology (via Wired).
What this means is that they are embedding extra content in web pages served to their clients, without explicit permission. This is not something clients can opt into. As a privacy-aware citizen, I find this a blatant abuse of any Internet Service Provider’s power, for a number of reasons.
When I connect to a site, my browser requests a page from the server hosting that site. I expect that the page I receive is the one that the server sent to me. What Rogers is doing breaks this implicit trust. As a user, I can no longer have faith that the pages I view are authentic, as the risk of corruption somewhere between the server that generated the page and me is now part of the security equation.
Such action (when initiated by an individual) is malicious activity, and controversial at best. When a telecommunications carrier is responsible, it is also illegal (in Canada).
Part II, Section 36 of the Telecommunications Act states:
[Content of messages]
36. Except where the Commission approves otherwise, a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public.
The example above illustrates this ability being used to send targeted messages to clients about their accounts. We learn two important details from this: that Rogers is in fact actively monitoring data that passes through their network (so as not to inject arbitrary code into incompatible content types), and that they are linking these data sessions to individual client accounts. It is hardly a distant thought for them to track the sites a client visits and construct a profile of that user from that data. Again, this occurs without explicit consent from their users.
Right now, Rogers is using this technology to send ‘useful’ (but intrusive) messages to clients. In the future, it would not be unexpected for Rogers to add ‘relevant data’ to pages, or deliver contextual advertising (and they would likely make a killing from it). It is possible that this ability could be used to push software to the PCs of their users. Though local security policies would likely prevent this, it would be simple enough to install a browser add-on from the Internet Setup software that bypassed the usual security measures by considering such content ‘trusted’. In the case of users who opt not to use the setup software, such an add-on could be installed by exploiting any one of the vulnerabilities in their given browser (most commonly Internet Explorer). A user would not even have to go to a specific site, as the needed data could be embedded in any page.
In a more sinister scenario, it is also possible that Rogers could alter the owner attribute on existing on-page advertisements, effectively stealing that ad revenue from the page owners. Since this would occur after the page is generated, but before it is served to the client’s browser, there would be no way for the site owner to notice it: it is common for users to have ad-blocking software installed locally, so many site owners already expect a certain segment of viewers not to receive the advertisements. There would be no way for the client to notice it either, unless they had a list of advertiser IDs for all sites they visit regularly and audited those values on each visit.
Extending this a bit further, it is not difficult to envision these capabilities used to change other content on-page: altering unfavourable commentary about themselves, censoring content, adding content to pages, and generally discrediting the web’s validity.
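The audit described above (checking advertiser IDs and looking for content added to a page), as an added example that is not part of the original post: it compares a reference copy of a page with the copy a client received and reports added scripts or frames and changed ad IDs. The attribute name `data-ad-client`, the sample pages and the `isp.example` host are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser
# Assumption: the ad network puts the site owner's ID in this attribute.
AD_ID_ATTR = "data-ad-client"

class PageFingerprint(HTMLParser):
    """Collect the parts of a page an in-path rewriter would add or change."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self.ad_ids = set(), set(), set()
        self._buf = None  # collects the body of the current inline <script>
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.external.add(attrs["src"])
        elif tag == "script":
            self._buf = []
        if attrs.get(AD_ID_ATTR):
            self.ad_ids.add(attrs[AD_ID_ATTR])
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:  # hash inline code so any edit shows up as a new entry
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None

def fingerprint(html):
    parser = PageFingerprint()
    parser.feed(html)
    parser.close()
    return parser

def audit(reference_html, received_html):
    """Report what the received copy has that the reference copy lacks."""
    ref, got = fingerprint(reference_html), fingerprint(received_html)
    return {"injected_external": sorted(got.external - ref.external),
            "injected_inline": len(got.inline - ref.inline),
            "ad_ids_added": sorted(got.ad_ids - ref.ad_ids),
            "ad_ids_missing": sorted(ref.ad_ids - got.ad_ids)}

# Constructed sample pages (not captured traffic).
REFERENCE = '<body><script src="/site.js"></script><ins data-ad-client="pub-1111"></ins></body>'
RECEIVED = REFERENCE.replace("pub-1111", "pub-9999").replace(
    "</body>", '<script src="http://isp.example/n.js"></script><script>notice()</script></body>')
if __name__ == "__main__":
    print(audit(REFERENCE, RECEIVED))
```

The reference copy has to come from a path the carrier cannot rewrite, such as the site owner's own copy of the page. Pages that legitimately vary between requests will need an allow-list on top of this diff.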
Some of these examples seem unlikely, others not so much. Only time will tell, but if we do not voice our concerns, if we do not defend our rights to privacy, anonymity, and security, a bleak future is all the more probable.