Several internet service providers across the United States are using an online service to secretly spy on, and redirect their subscribers’ online searches, according to a group of researchers at the International Computer Science Institute in Berkeley, California.
The ISPs are monitoring, intercepting, and redirecting the searches that their subscribers are performing through the search boxes in their browsers, say the researchers.
“Instead of returning a legitimate address for search.yahoo.com, www.bing.com, and (sometimes) www.google.com, these ISPs returned the address of proxy servers,” Nick Weaver, one of the researchers, told TPM.
“These proxy servers impersonate the legitimate search engine by transparently forwarding requests to the legitimate search engine, but have the ability to both monitor all queries and change the results.”
It’s not clear precisely how many users are affected, but the researchers have gathered a list of 12 ISPs that they say engage in the practice. The complete list is at New Scientist, which first reported the story late Thursday.
The list includes a range of local, regional and national internet service providers that includes Cincinnati Bell, Hughes, RCN and XO Communications, according to New Scientist.
The news is sure to create an uproar in the wider internet community — as have all other previous attempts by other entities to intercept and redirect network traffic. Aside from the glaring violation of subscribers’ privacy, many network engineers see efforts such as these as deceptive, and a way to undermine trust and clarity over the way the internet works.
To redirect users’ search queries, the ISPs are re-routing those queries first to an internet address that’s controlled by a third party instead of directly to an individual’s search engine of choice.
Weaver explains to TPM:
Whether the end-user can see this depends on the nature of the change. For the change that we’re aware of, a user who’s paying attention will note that they didn’t get back search results for a query they entered in the search bar, but instead are taken directly to a particular site.
In principle, though, subtle changes could also be made in search results
(for example, reordering them, or changing which ads are displayed) that
a user would have no practical means of detecting. But we do not have
evidence that this sort of change occurs.
The goal of this shady activity is to siphon off and monetize users’ search, say the researchers, who put up a blog post about the subject at EFF late Thursday evening:
In short, the purpose appears to be monetization of users’ searches. ICSI Networking’s investigation has revealed that Paxfire’s HTTP proxies selectively siphon search requests out of the proxied traffic flows and redirect them through one or more affiliate marketing programs, presumably resulting in commission payments to Paxfire and the ISPs involved. The affiliate programs involved include Commission Junction, the Google Affiliate Network, LinkShare, and Ask.com. When looking up brand names such as “apple”, “dell”, “groupon”, and “wsj”, the affiliate programs direct the queries to the corresponding brands’ websites or to search assistance pages instead of providing the intended search engine results page.
But, says Weaver in an e-mail, the company that’s facilitating the diversion of the traffic is a company called Paxfire, which markets its services to the ISPs. It’s unclear whether the advertisers or the affiliate programs know what’s going on, he says.
An e-mail inquiry sent to Paxfire wasn’t immediately returned.
The Berkeley team says that its identified 170 search terms that trigger the re-direction of users’ search queries.
The Berkeley researchers Christian Kreibich, Vern Paxson and Nicholas Weaver had compiled the data as part of a process of building a network diagnostic tool for the general public in order to enable them to independently monitor and troubleshoot performance issues with their ISPs.
The researchers have put their network diagnostic tool Netalyzer on the web, and are making it available for free to the public to use for themselves to see if their traffic is being intercepted.
Meanwhile, the EFF recommends using encrypted connections whenever possible. One way of doing this is to install its HTTPS everywhere extension on the Firefox browser.
However, it only works with some sites since not all web sites enable encrypted communications.
Have a story idea or tip for Idea Lab? Please send them to: Idealab@talkingpointsmemo.com.