Friday, April 5, 2013

An Update on CMA Communications' Ad Injection Practices

Part of the new "Acceptable Use Policy" of CMA Communications - Added April 4, 2013


Thanks to the intelligent and rational nature of Redditors, the post which detailed CMA Communications' injection of advertisements into their paying customers' HTTP requests received quite a bit of attention. I'd like to provide you with an update on what has occurred since then:


1. I've contacted several of the media outlets suggested; only one has responded and they seem to have backed out of running the story. (Update 4/7/2013: ArsTechnica is now running an article about the injections: http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok).


2. I've contacted a few major companies which have affected websites, but none have responded. 


3. The FCC has responded that this is not something they can help with.


4. A complaint with the FTC has been submitted, but they note that they do not act on individual consumer complaints.


5. On April 4, CMA Communications updated their "Acceptable Use Policy" to include a new section which covers their injection practices. It is here: http://www.cmaaccess.com/Internet/acceptable-use-policy/ (Section 10). In my opinion it is a frightening read and I'd encourage you to take a look.


Overall, no progress has been made towards changing the questionable practices of this ISP. Being just one person with no ties to journalists or the major companies affected, I seem to have exhausted all of my avenues. So I'm asking for your help in this.

If you have ties with anyone who might be able to assist with this situation, the many customers of CMA Communications would be very appreciative of anything they could do. I am happy to provide answers to any questions, as well as evidence of the injection practices. Feel free to contact me using my gmail email address, which is zhenkel.

The one thing I would like to emphasize is that in many of the areas served by CMA Communications, they are likely to be the only broadband provider. This means customers would need to revert to dialup internet to make a point, which is a difficult choice to make for many.

To Redditors:
In the spirit of good Reddiquette, I'd like to assure you that I have been a regular member of the community for a little over a year now. Unfortunately, I did not want my username linked to my real world identity, so I created a new account to submit this story. I would like to assure you that this is my last submission of this nature, and I am not looking to use the community as my soapbox. Thank you all for bringing your expertise and suggestions to this issue.

Friday, March 29, 2013

ISP Advertisement Injection - CMA Communications

Apple Inc. endorsing H&R Block with a beautiful bright green banner ad, compliments of CMA Communications.

Tired from the day’s events and travel, I had planned to quickly look up the specifications of a Mac Mini, respond to a few emails and then get some sleep. But as Apple.com rendered in my browser, I realized I was in for a long night. What I saw was something that would make both designers and computer programmers wince with great displeasure. At the bottom of the carefully designed white and grey webpage, appeared a bright neon green banner advertisement proclaiming: “File For Free Online, H&R Block”. I quickly deduced that either Apple had entered into the worst cross-promotional deal ever, or my computer was infected with some type of malware. Unfortunately, I would soon discover there was a third possibility, something much worse.

Assuming I had somehow managed to install malware on my MacBook Pro, running OS X, I quickly turned off the wifi connection and began to investigate. I was visiting my parents for spring break, so I moved to one of their computers to run internet searches while I examined the evidence on my Mac. Opening Chrome, I was directed to Bing.com. I laughed to myself briefly, thinking: “who uses Bing?”, and then realized I was a computer science grad student who had managed to get malware on a Mac, so I wasn’t in a position to judge. But, just as I was about to navigate to Google, I noticed something familiar. At the bottom of Bing.com, there it sat, a banner advertisement in orange and white for AT&T Wireless. It was identical in positioning and size to the one on my Mac.

Bing sporting a classy AT&T Wireless Ad, courtesy of CMA Communications

I pulled out my phone, which runs an Android operating system, and navigated this time to Yahoo.com. At the bottom of the page: a misplaced banner ad which matched the proportions of the others. I am not great at statistics, but I was fairly certain the probability of identical malware on all of these devices was low. So, I moved to the thing that these devices all shared: the same wireless network.

I turned off wifi on my phone, and refreshed the Yahoo.com page. This time no banner ad. I refreshed a few more times, checked a few other sites, all was well. As soon as the phone was back on wifi, the banner ads appeared again; I had found the source. I pulled up the web inspector in Chrome and examined the source of a page which had the ad. Appended to the very end of the HTML file for the webpage was a single line which called to r66t.com for a JavaScript file.

This small line of code, added by CMA Communications, wreaks havoc on most websites.

I investigated further and realized that the JavaScript file would not only place banner ads at the bottom of pages, but also replace existing advertisements on the page with new advertisements (sometimes even for a competing product). This was an aggressive move by someone, but who?

What's that Huffington Post? You sold ad space on your site? So did we! - CMA Communications

I needed to rule out that my parents’ router hadn’t somehow been compromised to modify websites. I hadn’t ever seen router malware in the wild, but I supposed with some effort it would be possible. First though, I ran a traceroute to see the route my internet requests were taking. There it was: an extra stop at a private IP address. I was soon able to show that HTTP internet traffic was being routed through a Squid proxy server.

A small tag that lets us know what CMA Communications is up to.

The proxy server had been set up by a company, R66T, that specializes in a few things, one being advertisement injection into webpages. I was soon able to confirm with one other person (via Reddit) using the same internet service provider that they were seeing the uninvited advertisements too. It was apparent at this point that my parents’ ISP, CMA Communications, had started injecting advertisements into websites requested by their customers. I felt dissatisfied to say the least. So I spun into damage control mode, blocking all R66T-owned domains on our network and preparing for battle the next day.
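
The three checks described above (a script tag appended to the page, response headers left by the proxy, and a private hop in the traceroute) can be automated. This is an added example, not code from the original post: the header names are ones Squid commonly adds, the script path is a placeholder, and all sample data is constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup")  # headers Squid commonly adds

class ScriptHosts(HTMLParser):
    """Collect the host of every external <script src=...>, in document order."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if tag == "script" and src else None
        if host:  # relative URLs have no host and are same-origin
            self.hosts.append(host.lower())

def script_hosts(html):
    parser = ScriptHosts()
    parser.feed(html)
    parser.close()
    return parser.hosts

def injected_hosts(reference_html, observed_html):
    """Script hosts in the observed copy that the reference copy never loads."""
    known = set(script_hosts(reference_html))
    return [h for h in script_hosts(observed_html) if h not in known]

def proxy_headers(headers):
    """Return the response headers that reveal an intermediate proxy."""
    return {k: v for k, v in headers.items() if k.lower() in PROXY_HEADERS}

def private_hops(hops):
    """RFC 1918 hops after the first one (hop 1 is normally the home router)."""
    return [h for h in hops[1:] if any(ipaddress.ip_address(h) in n for n in RFC1918)]

# Constructed sample data: the same page fetched over a trusted path and over the suspect one.
REFERENCE = '<html><body><script src="/js/site.js"></script></body></html>'
OBSERVED = REFERENCE + '<script src="http://r66t.com/PLACEHOLDER.js"></script>'
HEADERS = {"Content-Type": "text/html", "Via": "1.1 proxy.example (squid)",
           "X-Cache": "MISS from proxy.example"}
HOPS = ["192.168.1.1", "10.20.30.40", "203.0.113.9", "198.51.100.7"]

if __name__ == "__main__":
    print("injected script hosts:", injected_hosts(REFERENCE, OBSERVED))
    print("proxy headers:", proxy_headers(HEADERS))
    print("private hops past the gateway:", private_hops(HOPS))
```

The reference copy should come from a path the ISP cannot rewrite, such as the same page fetched over HTTPS or over a different network, as the wifi-off test on the phone did.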

You might not be surprised to know that CMA Communications won’t confirm or deny that they are injecting advertisements into their customers’ web traffic. You also could probably guess that there aren’t any regulatory agencies that care either and that a complaint to the Better Business Bureau is not an effective remedy to the situation. Nor does the Electronic Frontier Foundation have resources or desire to assist in a case like this. But, I think there are some entities who should care. Who? How about Apple or Microsoft? It is their trademarks and brands which are being tarnished by this scheme. When a naive user experiences a bright green banner ad on an otherwise pristine Apple.com, they do not understand that Apple is not responsible for the content. After all, Apple must be endorsing H&R Block, as it’s right there on their website, with their logo next to it.

Target's color scheme actually fits the Verizon ad placed by CMA Communications

For those of you who are still skeptical of this situation: suppose I started an advertising company based around the idea of me putting one company’s ad next to another company’s logo, without their agreement. To take it further, suppose I started a service which opened people’s mail before it got to them, carefully replaced all the advertisements inside with different ones, and then sealed it back up and delivered it as if the original sender intended for it to be that way. I would probably go to jail for something like this. So why is CMA Communications allowed to perform a similar process in the digital world, without consequence?

Oh, you sold ad space to Allstate? Here, let me cover that with our Progressive Ad. - CMA Communications

I would urge anyone who may be in a similar situation to file complaints, and let your voice be heard. If CMA Communications succeeds at this venture, it is certain that more ISPs will join in.  

UPDATE: For the super curious, here's a zip file of many more affected sites, as well as the BBB complaint info and the FCC complaint and response. Download it at: https://zmhenkel.com/CMAInjection.zip

Below are screenshots of a couple more of the many websites that are being actively modified by CMA Communications:

Amazon.com, ads by CMA Communications
LinkedIn proudly endorses Verizon. Thanks CMA Communications!