[NANOG] Charter Communications going to sniff traffic for advertising?

Apparently Charter is going to packetsniff its users and use that for commercial purposes.

Looks like the only way to somewhat opt out is by getting a cookie set at the below link - which is not only a dumb idea, but still - not even https.
http://connect.charter.com/cas/portal/settings/privacyoptout.aspx

Anyone's thoughts on this?

-j

In the same spirit, something worse, I think ...
If you are in some airport with a GSM/Wifi phone, you are going to receive an email from the local Wifi provider explaining how to reach its (local wifi) network.
Tested in Roissy / France, with an iPhone. The iPhone will switch from an EDGE to a wifi connection. I think that some applications try to reach their servers (like mail) and the local provider sniffs different things (user name / mail for sure, but what about passwd??) to send you back an email.
Interesting ...

I think you'd find they'd run pretty far afoul of 18 USC 2511
for that, without prior consent (18 USC 2511 (2)(c)).

  I looked at that page, and as far as I can tell, they are just
referring to web ads, likely placed on their consumer portal site.

  Where do you get the notion that they are intercepting traffic?
Everything I see refers to a third party ad network, with no subscriber
data provided by Charter, i.e. a typical advertiser's tracking
cookie.

  Using another cookie to opt out of the first cookie isn't
unusual, since it's the same mechanism that would be involved in the
first place.

  In any case, trying to correlate captured traffic to a
cookie that would only be exposed in web traffic and to the site that
set it, would not be reliably possible.

  --msa

Majdi S. Abbas wrote:

Something Jon Devree and I were thinking about: How would they handle
cookies the size of 1 MB or larger? Scary as it sounds, looks like a simple
DoS attack waiting to happen :\

John Menerick

[HSI] Charter to monitor surfing, insert its own targeted ads - Charter Spectrum | DSLReports Forums

This is definitely taking the position that it's "their" pipe and not the *Internet*. I can only imagine the issues that will get wrangled around in the courts over this. (ahem, Google, ahem).

This is not fundamentally different than a TV station digitally inserting their own ads on the stadium instead of whatever is there you might see in person. This *seems* like a problem because most people only have 1 connectivity provider at a time and often few options around it.

Regulation could address this, a differentiated service could address this, but this smacks of paying for a service to then get additional ads sent to you. (like every time you dialed a number into your Skype for Pizza Delivery, they sent you to their paid-Pizza Delivery provider instead).

Depending on how invasive (or effective) this gets, it has wild common-carrier implications.

Deepak Jain
AiNET

I think that a TV station cannot just digitally insert an ad into copyrighted material, as it would be considered a derivative work... they have approval and pay to do that.

I wonder what the legal implications for a web page would be, I would almost assume they would be the same.

-Patrick

There's a company called Phorm (www.phorm.com) trying to do this in the UK,
running some trials with some of the large broadband providers.

It hasn't gone down well at all...

  http://www.theregister.co.uk/2008/02/29/phorm_roundup/

Simon

I noticed this as well with a Windows Mobile device and ActiveSync over the air. Enforcing SSL communication seems to have fixed it, as I no longer get these after doing that. Of course this assumes that your mail server does not need plain text authentication. I noticed this a lot when I was flying back and forth from Houston and DFW out of Denver. Never identified the culprit of who was harvesting but....

Phorm has been linked to the Russian Business Network (RBN), which
is unsurprising given that Phorm is in the spyware/adware business.
For a particularly insightful writeup, please see:

  Some notes from the Phorm sales pitch
  http://yro.slashdot.org/comments.pl?sid=489948&cid=22777122

---Rsk

I've found that using SSL for all my SMTP and IMAP transactions
and not entering personally identifying information into non-SSL
web pages greatly reduces the amount of harvesting results I see.

As to Charter, I opt out by simply not purchasing anything from them.
It seems to work far better than bothering with their silly cookie
process.

Owen

I think that's fine and all, but there are people where choice doesn't exist.

I would choose FIOS (or a fios-like service) for my home internet. That choice does not exist.

Verizon has not built that infrastructure in my state, nor does it appear they have any plans to.

Where choice does not exist, and there is no high-speed duopoly to choose between, what would you do? Build your own infrastructure a few miles at a cost of $2-50+/foot?

  - Jared

The other day, the Wall Street Journal ran a brief piece on VPN
providers... The threat they had in mind was wireless hotspots, but
any sort of on-link evil can be dealt with that way.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

Sure would be nice if some vendor would partner with a CDN-type group
(or a vendor that had enough 'local presence') to offer this sort of
thing... It doesn't necessarily have to be IPSEC or SSL I bet... though
longer term SSL or IPSEC seem like better options (since phorm/blah
will quickly start poking into PPTP/gre tunnels as well).

Oh, how do you know you can trust the VPN folks any more than the
cable-modem folks though? eventually the same cost issues are going to
arise for the VPN folks as did for cable-modem/dsl folks (downward
pressure on pricing and infra/opex/capex costs going
up/not-decreasing).

-Chris

"Christopher Morrow" <morrowc.lists@gmail.com> writes:

> Oh, how do you know you can trust the VPN folks any more than the
> cable-modem folks though? eventually the same cost issues are going to
> arise for the VPN folks as did for cable-modem/dsl folks (downward
> pressure on pricing and infra/opex/capex costs going
> up/not-decreasing).

Unlike running fiber to your door, renting a VPS and setting up a
vpn server is quite inexpensive to do yourself.

They're not more trustworthy, but since they don't require widespread
local physical infrastructure it's potentially a more competitive
market.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

Note the 'close to the user' part of the plan ... limit additional
latency and user experience hit. But other than that, sure.

Right, so not 'today' not 'tomorrow' if this becomes a service that is
perceived as valuable and useful more providers will pop in this
market (like cable vs dsl vs dialup), pricing pressure will start,
profit margins will shrink... then ... Oh look! If I give my user meta
data to CompanyX I'll get profit without any real capex expenditure!
Yea, free money!!!

So, how long until that happens? Hopefully when that happens there
will be enough other vpn provider options so it won't matter as much
as it does in the current US Duopoly... I mean 'competitive local
landscape'.

-Chris