Tunnel-only ISPs?

Lauren Weinstein is rightly concerned about Charter Communications' plans to "enhance" your browsing experience by injecting banner ads into your Web pages based on analysis of your browsing habits.

If you're not that thrilled about this (which I can easily understand), then you might start thinking about what your options are. Charter offers an opt-out, but as far as I know there's nothing forcing them to do so, and their opt-out appears to be pretty inconvenient:

Yes. As our valued customer, we want you to be in complete control of your online experience. If you wish to opt out of the enhanced service we are offering, you may do so at any time by visiting www.charter.com/onlineprivacy and following our easy to use opt-out feature. To opt out, it is necessary to install a standard opt-out cookie on your computer. If you delete the opt-out cookie, or if you change computers or web browsers, you will need to opt out again.

You could just change ISPs, of course, if you're lucky enough to live in a non-monopoly area and your other choices don't offer this enhanced feature set.

As Weinstein observes, one possible defense is to do HTTPS connections to every server, but that requires cooperation from all the server operators, which has the usual network effect/collective action problems. But there's at least one obvious way to protect yourself unilaterally: set up a VPN to some provider who promises not to mess with your packets. You'd still be getting packet carriage from Charter, but they wouldn't be able to mess with your packets much, other than to drop or delay them. Certainly, they would not be able to inject their own traffic. This technique would probably introduce some latency, but the provider could locate their VPN concentrator near a major exchange point, which would reduce the latency quite a bit. The major obstacle would be finding someone to provide this service; I know there are providers which do IPv6 tunnels, but I don't know if they do v4 tunnels.

The effect of all this is to reduce your local ISP to raw packet carriage. Effectively, you're treating them like a long wire between you and your real ISP, the tunnel provider. Obviously, local ISPs could stop you from doing this, but it's hard to see on what grounds they would do so if they don't block enterprise VPNs.
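
One way to check whether the direct path is adding content that the tunneled path does not carry is to fetch the same page both ways and compare which hosts each copy loads resources from. The following is an added example, not code from the original post; the two HTML samples and all host names in them are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src attribute makes the browser load a resource.
LOADING_TAGS = {"script", "iframe", "img", "embed"}


class _SrcCollector(HTMLParser):
    """Collects the host of every resource a page pulls in via src=."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        src = dict(attrs).get("src")
        if src:
            # Resolve relative URLs against the page URL before taking the host.
            host = urlparse(urljoin(self.base_url, src)).hostname
            if host:
                self.hosts.add(host.lower())


def resource_hosts(html, base_url):
    """Set of hosts this copy of the page loads resources from."""
    collector = _SrcCollector(base_url)
    collector.feed(html)
    collector.close()
    return collector.hosts


def hosts_only_on_direct_path(direct_html, tunneled_html, base_url):
    """Hosts loaded by the copy fetched over the ISP but not by the tunneled copy."""
    return sorted(resource_hosts(direct_html, base_url) - resource_hosts(tunneled_html, base_url))


# Constructed sample: the same page as seen through the tunnel and directly.
BASE = "http://news.example/story.html"
TUNNELED = """<html><body><script src="/js/site.js"></script>
<img src="http://static.news.example/logo.png"><p>Story text</p></body></html>"""
DIRECT = """<html><body><script src="/js/site.js"></script>
<img src="http://static.news.example/logo.png"><p>Story text</p>
<script src="http://ads.isp-partner.example/banner.js"></script></body></html>"""

if __name__ == "__main__":
    print(hosts_only_on_direct_path(DIRECT, TUNNELED, BASE))
```

Pages with rotating third-party content can differ between two fetches for unrelated reasons, so a host that shows up only on the direct path is a lead to confirm over several fetches rather than proof of injection.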


Hurricane Electric will allow you to do this if you have a shell account on their servers (most web packages come with this). ssh or https both are permitted.

In theory, you could ad-block away all of the injected garbage. If they start replacing other content with their own (e.g., editing themselves into Google AdWords), then you could well see some interesting lawsuits.

Well, they aren't actually going to do ad injection. NebuAd got smacked down hard for doing that (who Charter is dealing with) and has reportedly backed off.

Instead, they are wiretapping and selling the wiretap information to DoubleClick etc. (existing vendors of the ads themselves).

I really want to know how this doesn't violate wiretap statutes, given it's illegal to run TCPdump.

To be honest, the web NEEDS to be SSL-only anyway, there is WAY WAY WAY too much mayhem that can be done to non-HTTPS traffic. Like rip out EVERY cookie and autocomplete form and a bunch of other hideously nasty stuff.

I've been doing this for a while using OpenSSH's dynamic proxy mode - it's far more reliable than any VPN I've ever used and just about everything supports SOCKS proxies. It's particularly nice to avoid things like the hotspot login/splash pages which try to redirect all of your RSS feeds.

@Nicholas: It's not illegal to use tcpdump on your own network and I'm sure Charter has this written into their customer agreements.

@Chris Adams
Actually, in sane parts of the world it is illegal. It's called wiretapping and is something we only allow the police to do.

Just like the Postal office is not allowed to register all mail you get, your ISP can't examine what web pages you connect to.
