Social media websites violating user privacy seem to be an issue of an age long post (Web 2.0?), the current trend — aside from the NSA’s recent antics — is tracking user behavior online by the users’ internet service providers. That’s right, if it isn’t enough that everything you do is documented in a secret government database, it seems now that your own ISP may be hacking your web browsing to sell your behavior profile to marketing companies.
According to Hayden James Lee, who noticed some odd script running in the background during his online browsing, his ISP Access Media 3 seems to be injecting code for tracking user behavior into his unsecured HTML browsing:
Upon further inspection it turns out this ‘random script’ had been injected by a <script> tag in the header. I looked at some other sites and noticed the same script being inserted almost everywhere. Here is what it looks like:
I realized that the only sites that weren’t affected were those using https rather than http. This makes sense, you can’t inject code into https because it is encrypted.
Mr. Lee skimmed his ISP contract to find that the ISP reserved the right ‘monitor’ the traffic across their network. However, as Mr. Lee noted, if “by monitor they mean ‘conduct XSS injections against every user’ I know a lot of people will not be happy.”
How is the ISP using this monitored data? At this point it is hard to tell. But according to Mr. Lee:
At the very least I can see multiple references to persisting cookies – a way to track a user’s behavior on the internet. As seen by MediaShift’s website it is clear that they offer this data collection system as a way for networks to make money. Its therefore not too much of a stretch to conclude that Access Media is making money from selling the data of its users behavior to unknown parties.
We will likely soon see some privacy violation lawsuits in the works, and I will keep this issue updated. In the meantime, ArsTechnica.com has also been reporting of similar trends by other ISPs of tracking user behavior.