Published by LawTechie - January 6, 2014 - LawTechie

Social media websites violating user privacy seem to be an issue of an age long past (Web 2.0?); the current trend — aside from the NSA’s recent antics — is the tracking of user behavior online by the users’ internet service providers. That’s right: if it isn’t enough that everything you do is documented in a secret government database, it seems now that your own ISP may be hacking your web browsing to sell your behavior profile to marketing companies.

According to Hayden James Lee, who noticed an odd script running in the background during his online browsing, his ISP Access Media 3 seems to be injecting code for tracking user behavior into his unsecured HTTP browsing:

Upon further inspection it turns out this ‘random script’ had been injected by a <script> tag in the header. I looked at some other sites and noticed the same script being inserted almost everywhere. Here is what it looks like:

<script type="text/javascript"> var dot='.'; var setCookie='net';var gAnalytic='adsvc1107131';var IETest='rxg'; var v='ashx'; var R='ajs'; var gid='5d738f4aeccb49c39d3013cabc563f64'; </script>
<script type="text/javascript" src="http://rxg.adsvc1107131.net/ajs.ashx?t=1&amp;5d738f4aeccb49c39d3013cabc563f64" id="js-1006893410" data-loaded="true"></script>

I realized that the only sites that weren’t affected were those using https rather than http. This makes sense, you can’t inject code into https because it is encrypted.
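
As an added example (not part of Mr. Lee's post or of this article): because the injected tags showed up only on plain-HTTP pages, one way to spot this kind of tampering is to compare the same page as received over HTTP and over HTTPS and list the scripts that exist only in the HTTP copy. The function names, the sample page and its /static/app.js script are assumptions; the injected tags in the sample are abbreviated from the ones quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = set(), set()
        self._buf = None  # a list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)   # attribute entities are already decoded
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = " ".join("".join(self._buf).split())  # normalise whitespace
            if body:
                self.inline.add(body)
            self._buf = None

def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser

def injected_scripts(http_html, https_html):
    """Return scripts seen in the plain-HTTP copy but not in the HTTPS copy."""
    plain, tls = collect(http_html), collect(https_html)
    extra = plain.external - tls.external
    return {"external": sorted(extra),
            "hosts": sorted({h for u in extra if (h := urlsplit(u).hostname)}),
            "inline": sorted(plain.inline - tls.inline)}

# Constructed sample: one page as served over HTTPS and as received over HTTP.
HTTPS_COPY = '<html><head><script src="/static/app.js"></script></head><body>hi</body></html>'
HTTP_COPY = ('<html><head><script type="text/javascript"> var dot=\'.\'; var gid=\'5d738f4aeccb49c39d3013cabc563f64\'; </script>'
             '<script type="text/javascript" src="http://rxg.adsvc1107131.net/ajs.ashx?t=1&amp;5d738f4aeccb49c39d3013cabc563f64"></script>'
             '<script src="/static/app.js"></script></head><body>hi</body></html>')

if __name__ == "__main__":
    print(injected_scripts(HTTP_COPY, HTTPS_COPY))
```

Pages that legitimately vary between fetches (rotating ad tags, per-request nonces) will also show differences, so the output is a list of scripts to inspect rather than proof of injection.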

Mr. Lee skimmed his ISP contract to find that the ISP reserved the right to ‘monitor’ the traffic across their network. However, as Mr. Lee noted, if “by monitor they mean ‘conduct XSS injections against every user’ I know a lot of people will not be happy.”

How is the ISP using this monitored data? At this point it is hard to tell. But according to Mr. Lee:

At the very least I can see multiple references to persisting cookies – a way to track a user’s behavior on the internet. As seen by MediaShift’s website it is clear that they offer this data collection system as a way for networks to make money. It’s therefore not too much of a stretch to conclude that Access Media is making money from selling the data of its users’ behavior to unknown parties.

We will likely soon see some privacy violation lawsuits in the works, and I will keep this issue updated. In the meantime, ArsTechnica.com has also been reporting on similar trends of other ISPs tracking user behavior.

LawTechie is a blog focusing on trends in tech and digital media. Areas covered include intellectual property, cyberlaw, venture capital, transactions and litigation as they relate to the emerging sectors. The blog is edited by the firm's partner Tim Bukher with contributions from the firm's experts in their respective areas of law.
