Security Laboratory

ISPs monitor what you do on the Internet and sell the information for marketing purposes


By Stephen Northcutt
Version 1.1


This article is told in chronological order. Our story begins in 2002, with a post on the Interesting People mailing list asserting that Comcast was spying on its users: http://www.interesting-people.org/archives/interesting-people/200202/msg00164.html

Then, in January 2007, while on their honeymoon in Maui, a couple was checking their email from their hotel and noticed something odd:
  • A lot of redirecting and other weirdness (sometimes with an IP and sometimes with "superclick" in the URL)
  • Every new URL you type ends in "?"
  • If you look closer, you'll find secret frames around your webpages.[1]

In short, every hotel I have ever stayed in (and I am on the road more than four months per year) redirects your browser to register your room with its network. Many do it to charge between $9.95 and $14.95 per day for Internet access. Since you are going through the hotel's proxy, the hotel could display ads in your browser via frames it creates and controls, and track where you are going; and, since you are registered with the hotel, this would be tracking by name.
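The two symptoms the couple noticed (a trailing "?" on every URL and hidden frames around the page) are easy to check for programmatically. The following is an added example, not code from the article or from any of the companies it mentions: it takes the URL you asked for, the URL you ended up at, and the HTML that came back, and reports whether the URL was rewritten and whether the requested site is being loaded inside a wrapper frame next to frames from hosts you never asked for. The sample responses, the hostname ads.proxy-vendor.invalid and the use of example.com are all constructed for the example; nothing is fetched from the network.

```python
"""
Added example: detect a transparent hotel/ISP proxy rewriting URLs and wrapping
pages in frames. All sample responses are constructed; nothing is fetched.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _FrameCollector(HTMLParser):
    """Collect the src of every <frame>/<iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)


def analyze_response(requested_url, final_url, body):
    """Return a list of findings (empty when the response looks untouched).

    requested_url: the URL the user typed
    final_url:     the URL the browser/HTTP client actually ended up at
    body:          the HTML that came back
    """
    findings = []

    # Symptom 1: the proxy rewrote the URL (the blog's "every URL ends in '?'").
    if final_url == requested_url + "?":
        findings.append("url_rewritten: trailing '?' appended to the requested URL")
    elif final_url != requested_url:
        findings.append(f"redirected: {requested_url} -> {final_url}")

    # Symptom 2: the document is a wrapper. The page we asked for sits inside a
    # frame, and other frames pull content (ads, tracking) from hosts we never
    # requested. A direct, untampered response contains no such frames.
    collector = _FrameCollector()
    collector.feed(body)
    requested_host = urlsplit(requested_url).hostname
    for src in collector.frame_srcs:
        src_host = urlsplit(src).hostname
        if src_host == requested_host:
            findings.append(f"wrapped: requested site loaded inside a frame ({src})")
        elif src_host:
            findings.append(f"injected_frame: third-party content from {src_host}")
    return findings


# Constructed sample responses. example.com stands in for the site the guest
# wanted; ads.proxy-vendor.invalid is a made-up hostname for the proxy's ad frame.
CLEAN_BODY = (
    "<html><head><title>Example</title></head>"
    "<body><p>Welcome to example.com</p></body></html>"
)
WRAPPED_BODY = (
    '<html><frameset rows="0,*" frameborder="0">'
    '<frame src="http://ads.proxy-vendor.invalid/banner" name="top">'
    '<frame src="http://www.example.com/?" name="content">'
    "</frameset></html>"
)

if __name__ == "__main__":
    for label, final, body in (
        ("direct connection", "http://www.example.com/", CLEAN_BODY),
        ("through hotel proxy", "http://www.example.com/?", WRAPPED_BODY),
    ):
        result = analyze_response("http://www.example.com/", final, body)
        print(f"{label}: {result or ['no tampering seen']}")
```

To run this against a real connection, open the page with `urllib.request.urlopen(url)` and pass `resp.geturl()` as `final_url` and the decoded `resp.read()` as `body`; comparing the result from the hotel network with the result from a connection you trust shows exactly what the proxy added.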

Who is doing this and what are they doing?

According to the couple's blog, the proxy operator was Superclick. In a press release, Sandro Natale, CEO of Superclick, commented that "We believe that our MDS application is going to change the way advertising, marketing and other targeted messages can be delivered over private networks. MDS enables hoteliers and conference center managers to more effectively brand and market their own services and amenities and importantly, it creates an unprecedented and powerful advertising solution and revenue center."

Superclick's MDS allows hoteliers and conference center managers to leverage the investment they have made in their IP infrastructure to create advertising revenue, deliver targeted marketing and brand messages to guests and users on their network. "Perhaps the most powerful aspect of MDS is that it can be integrated onto any third-party managed network, not just our own proprietary SIMS network." Natale added, "In addition, we have developed MDS Analytics which provides marketers with real-time network performance and usage analysis, thereby enabling them to evaluate the ROI of their marketing efforts."[2]

And this approach to marketing would work since it is congruent with the web use and taste of travelers

According to the Travel Industry Association of America 2005 edition of the report: Travelers' Use of The Internet, "the most common communications to which online travelers respond is clicking on (unsponsored) search engine results (36%), following up on email recommendations from friends/colleagues (34%) and clicking links on websites (26%)." These are not online media. These are online marketing tactics.[3]

MDS type activity isn't that widespread today, due to existing hotel/ISP contracts

Brian Correia, business development director with the SANS Institute,[4] who is in the top 50 in terms of annual dollars spent on hotel contracts in the USA, shared the following:

The majority of hotels do not maintain their own internet service and instead they are managed by third party providers who give them back a percentage of the revenue. Most hotels did not have a clue on how to manage an Internet service for guests, so it was an easy sell for the third party providers.

These third party organizations assumed that offering Internet service for guests was going to be a cash cow but the reality is that, apart from a few high traffic business hotels, it has been a money-losing operation. Some of these third parties have already gone out of business and major lawsuits have been filed regarding who owns the infrastructure if the third party goes out of business.

Almost all of the hotels have signed long term agreements which would cost them dearly to break. I would expect that the Maui hotel is an ideal customer for companies like SuperClick since the number of guests who use their Internet service is probably small. Most likely the hotel is only paying the third party if guests actually use the service. Note that all the major hotel chains require every property to offer high speed connections whether it is a business hotel or a honeymoon vacation resort. If the individual hotel does not comply, they could lose their name and relationship with the chain (for example Marriott, Sheraton, Hilton, Hyatt).

I sat on the board of a major hotel chain and it was interesting to listen to other board members grill the management on whether Internet in the rooms is going to make a difference in a guest's decision to stay. These are multi-billion dollar companies and seeing the concern of the board members was a real eye-opener. At this point the hotel chains literally have no clue what to do. The only thing protecting them is that they are all in the same boat, having signed long term third party deals that they cannot easily break.[5]

Cybercrime in Hotels

Another risk is having your laptop stolen in the hotel itself.[6] Organized crime targets conferences; speakers are particularly vulnerable since they have to be at a particular place at a particular time in order to present.[7] Apparently, accurate data on the size of the problem is not available.[8,9]

Why staying invisible on the Internet is important

There are many articles on pervasive or ubiquitous computing, the idea that everything we do will be done with computers and that, in one way or another, we will be online all of the time in developed countries.[10] However, we need to consider the implications for privacy that "always on, wherever you are" computing would have.[11]

I have long been an advocate of achieving privacy when possible and commissioned a course designed to teach the business traveler, called Protecting Your Personal Privacy on the Internet.[12] There has been a lot of push back to the course. People look at me accusingly and say "Why do you need to protect your privacy?", as if the purpose was to hide wrongdoing. The answer is simple: if there is money to be made, principle may be in second place. Superclick may be the most honorable company in the world, but it is only a matter of time until an unscrupulous operator is doing similar things. Surf safely.


2008 update:
I just ran across an excellent blog by Michael Coates, where he details his experience with Superclick right down to the screen shots.[13] If you are a business traveler and use the hotel's Internet, you should read this posting. Speaking only for myself, I have quit using hotel Internet and purchased the Verizon EVDO service; if you are considering EVDO, you may want to visit EVDOinfo.com before you buy.[14]

In January 2008, the New York Times carried a story that U.S. ISPs Comcast, AT&T and Earthlink are considering examining your content.[15] In April 2008, WashingtonPost.com reported that over 100,000 users were being monitored by their ISPs.[16] One of the companies mentioned was Front Porch, which states, "Front Porch partners with ISPs and ad networks. We bring all partners higher revenue and improve the user Internet experience by enabling ad networks to serve more relevant ads Internet-wide. With our Smarter Advertising solutions, everyone wins! ISPs enjoy significant new revenue streams. Users see more relevant ads, not more ads. Ad networks enjoy higher CPMs. Advertisers enjoy higher CTRs."[17] The article also mentions Nebuad.com[18] and Phorm, which is teamed with British Telecom, Virgin Media and TalkTalk.[19]

Channel 4 has released a story that BT has been installing spyware on its customers' computers to supply information to Phorm; that is now breaking news, and there is a devastating interview online. There is a good chance that BT violated the law: "The act of anonymising the surfing history of someone is in itself processing personal data. And someone is doing that, whether it's ISP or Phorm, so there's a good argument that that is a breach of the Data Protection Act." - Mike Conradi, Technology Lawyer[20]

And the company that started it all, Comcast, is taking it to the next level by installing TV cameras in its equipment with facial recognition software, according to the newteevee blog.[21]


Please help with additional research

If you have or know of additional sources of information, or if you notice your browser being affected by more than the standard redirect in a hotel, we would love to hear from you; drop us a line at stephen@sans.edu.

1. http://www.nerdblog.com/2007/01/superclick-is-evil.html
2. http://superclick.com/admin/SinglePosting.php?ArticleID=68
3. http://www.travelmarketingblog.com/archives/2005/12/index.asp
4. http://www.sans.org/
5. Email conversation with Mr. Correia, January 11, 2007
6. http://www.interpol.int/Public/TechnologyCrime/CrimePrev/ITSecurity.asp
7. http://dc214.defcon.org/notes/june_2005/dc214_sn_orgcrime.ppt (slide 17)
8. http://answers.google.com/answers/threadview?id=741758
9. http://www.corporatetravelsafety.com/laptoptheft.html
10. http://en.wikipedia.org/wiki/Ubiquitous_computing
11. http://www.media.mit.edu/resenv/classes/MAS961/readings/soppera-burbridge.pdf
12. http://www.sans.org/training/description.php?tid=364
13. http://michaelcoates.wordpress.com/
14. http://www.evdoinfo.com/
15. http://bits.blogs.nytimes.com/2008/01/08/att-and-other-isps-may-be-getting-ready-to-filter/
16. http://www.washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040304052.html?sub=new
17. http://www.frontporch.com/html/index.html
18. http://www.nebuad.com/
19. http://www.phorm.com/
20. http://www.channel4.com/news/articles/science_technology/bt+spies+on+customers/1933047
21. http://newteevee.com/2008/03/18/comcast-cameras-to-start-watching-you/