Yesterday night while I was working on my website, an unpleasant surprise popped up in my browser – a popup, shown via a script injected by my ISP, Cox Communications:
I had heard about the unpleasant technique of internet providers injecting scripts into their customers’ plain HTTP traffic before, but I did not know that Cox Communications was employing this horrible practice, too. A brief look revealed that the script is coming from the IP address 220.127.116.11, which belongs to a bigger block assigned to Cox, the 18.104.22.168/12 subnet. Since I doubt that they’re using only a single IP address for these scripts, I blocked the entire range on the firewall for now (using a script blocker like NoScript for Firefox would work, too).
While that may be an immediate solution to get rid of the popups, it is the practice itself that I find absolutely disgusting (and that’s besides the fact that it violates the so-called “end-to-end principle”). They’re my ISP, and that requires a certain trust, because my communications run through their network. This trust included – foolishly – thinking that they would not tamper with traffic on the way from one end point to another. And that trust has been destroyed entirely. Well done, Cox.
I have no doubt though that the not-so-tech-savvy internet users (which are probably the majority these days) won’t question this practice (and that’s why Cox can get away with it, while I also have no doubt that they formulated their contracts in a way that makes this perfectly legal for them to do). So let’s apply this type of thinking to a different protocol: POP3. Using it on port 110, it’s unencrypted too – if I retrieved my messages via POP3 (which I’m not), Cox might just as well intercept that traffic, and inject some notifications into the message body of any email that I retrieve. If the practice of script injection to show a popup didn’t sound wrong yet, does it now, maybe? The principle is exactly the same.
I also found it particularly annoying that this script was added into the administrative interface of my website – it’s no surprise, because it is not HTTPS secured, but still: I am appalled by the “brute-force” thinking and complete lack of decency and respect behind using such script injecting techniques: just push it into any kind of HTTP traffic, doesn’t matter what it is.
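One way a site owner could check a page received over plain HTTP for script tags added in transit, as an added example that is not part of the original post. The names `SUSPECT_NET` and `EXPECTED_HOSTS`, the documentation range 203.0.113.0/24 standing in for the ISP's block, and the sample page are all constructed for illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed values: a documentation range stands in for the ISP's block.
SUSPECT_NET = ip_network("203.0.113.0/24")
EXPECTED_HOSTS = {"example.org", "cdn.example.org"}  # hosts the owner uses


class ScriptCollector(HTMLParser):
    """Collect every <script> tag: its src, or None for an inline script."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs).get("src"))


def audit(html, page_host):
    """Return (src, reason) for each script the page owner did not expect."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.scripts:
        if src is None:
            continue  # inline scripts need a content hash comparison instead
        host = urlsplit(src).hostname or page_host  # relative URL: same host
        try:
            in_net = ip_address(host) in SUSPECT_NET
        except ValueError:
            in_net = False  # host is a name, not an IP literal
        if in_net:
            findings.append((src, "script served from suspect IP range"))
        elif host not in EXPECTED_HOSTS:
            findings.append((src, "script host not on the expected list"))
    return findings


# Constructed sample of a page as received over plain HTTP.
RECEIVED = """<html><head>
<script src="/js/admin.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="http://203.0.113.45/notice.js"></script>
</head><body>admin</body></html>"""

if __name__ == "__main__":
    for src, reason in audit(RECEIVED, "example.org"):
        print(f"{reason}: {src}")
```

Running the same audit on the page as served from the origin and as received by the browser shows whether the difference was introduced on the path in between.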
The question remains: why is this even necessary? After all, I am their customer: they have my email address (that’s where they manage to send me a message when my bill is due, always, and reliably), my phone number, and my home address. If there’s anything they need to tell me, they can contact me without injecting their scripts into the traffic going from other websites to my browser, violating the end-to-end principle, and annoying (or confusing) their customers with this rude behavior.
Oh and, about the popup: “we recently shared the great news with you that your Cox High Speed Internet speed has increased” – that’s not true. The only thing I saw was a price hike, from $54.99 to $61.99 per month, without any announcement whatsoever. Or is that what Cox refers to with “great news” perhaps? It’s great news for them for sure, to charge even more for comparably low internet speeds. I’ve written about that before.