ISP Customer Sales FAIL: using 'it's OK they all invade privacy' argument

A salesman tried to sell me on his ISP with the argument that invading privacy and hijacking search results was OK since they all do it. That is how NOT to do customer sales with a privacy and security freak.

Over the weekend, a guy from a different ISP than I use swung by my house. He was, of course, hoping to talk me into switching ISPs. But when I mentioned reading an article about that ISP hijacking users' search queries, in order to further line their pockets with profits, he had no idea to what I was referring. I happily enlightened him.

NewScientist reported that after several months of research and monitoring, a team from Berkley had identified 165 search terms that were passed to marketing companies like Commission Junction and redirected to retail websites. An example was if a user searched for "apple" then the search results jumped users directly to Apple's online retail site. The list of 10 U.S. ISPs that were "hijacking" some search queries included: "Cavalier, Cincinnati Bell, Cogent, Frontier, Hughes, IBBS, Insight Broadband, Megapath, Paetec, RCN, Wide Open West, XO Communication. Charter and Iowa Telecom were observed to be redirecting search terms, but have since ceased doing so. Iowa Telecom stopped its redirection between July and September 2010, and Charter stopped in March 2011."

The trying-to-sell-me-on-his-ISP dude didn't get it. The guy had no clue who Alice or Bob were, nevertheless malicious MITM Mallory, so there was no need to go deeper when I needed him to leave so I could write about the hot DigiNotar Debacle news. Instead, I tried a simpler approach and told him what the EFF's Peter Eckersley had said in the NewScientist article: "This interception and alteration of search traffic is not just your average privacy problem. This is a deep violation of users' trust and expectations about how the internet is supposed to function."

But the poor ISP sales dude had no idea who or what the EFF was and I wouldn't joke about something like that. Instead, he said, "Well if they ALL do it, then it's okay!" At this point, the two people who were already at my house had distinctly different reactions. One cursed and shook his head while the other started laughing his silly head off, saying the poor guy has no idea who he's talking to. Both of my friends were right; it's not that I'm someone important, but don't ever try to tell me that having my privacy invaded is "okay." I will do my dang best to open your eyes and your mind. I fetched a laptop to help educate the ISP salesman with facts.

Paxfire was supposedly one of the companies involved in the alleged "hijacking" of certain search results from specific ISPs. According to its Hardware Look-up Service, "Paxfire provides you with your own Paxfire Look-up Engine (PLE) at our expense, to place in your data center in front of your DNS. Paxfire will support deployment and fine-tuning of the PLE appliances to fit your network traffic. Paxfire creates a custom page for search results for your users and you choose the URL you want displayed for search results for your traffic." Although Paxfire also says end-users can easily opt-out, I have not seen this option - nevertheless an easy opt-out but that doesn't mean it's not in the fine print of the ISP's privacy policy.

To be fair, the EFF did an update on the Paxfire post. It appears as if Paxfire may possibly be ready to sue the pants off anyone [PDF] suggesting the allegations have any basis in fact. The company wrote, "We never, ever collect, monitor, store or sell personal data on users, collectively or as individuals, and we never have." Furthermore, "Paxfire does not hijack searches or 'impersonate search engines'."  Although I read the Paxfire patents, Methods and systems for node ranking based on DNS session data and Systems and methods for providing information and conducting business using the Internet, I'll leave it with Paxfire's post claiming no wrongdoing and mentioning the EFF's "retraction."

The EFF had concluded, "Overall, while we believe these changes to our original blog post are appropriate, we remain deeply concerned by both the privacy and the network neutrality implications of Paxfire's business."

Later, NewScientist said that all ISPs involved in the research about redirecting users' searches for profit have "called a halt to the practice. They continue to intercept some queries - those from Bing and Yahoo - but are passing the searches on to the relevant search engine rather than redirecting them."

In the end I explained to the ISP salesman that by using EFF'S Firefox add-on HTTPS Everywhere, none of my results had been hijacked . . . but he looked like he might want to strangle me when I suggested he use it as well. It didn't get better for him when he knew nothing of the FCC's first-ever ISP broadband performance report and his ISP wasn't on the list. When he left the house, shaking his head, saying he didn't understand people like me . . . I told him that's okay cause he probably reuses the same password for all his sites and I don't understand that. His eyes got huge. Needless to say, he left much wiser about security and privacy, but looking a bit afraid of me.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.

The 10 most powerful cybersecurity companies