Search results hijack wrong, abuses user trust
Hijacking of search traffic by Internet service providers (ISPs) for monetary benefits may constitute violation of laws by taking advantage of users, according to industry insiders, but users can take steps to prevent such practices from happening to them.
With traffic data growing significantly, ISPs are on the lookout for ways to "monetize the traffic instead of just being a bandwidth provider", Mark Koh, senior industry analyst for Asia-Pacific ICT practice at Frost & Sullivan, told ZDNet Asia in an e-mail.
Such a process, he noted, would specifically target "certain large brands" and suggest additional revenue for the ISP.
Over in the United States, a number of ISPs and a company called Paxfire have come under fire for rerouting Web search requests of users and sending them direct to brand Web sites, according to an Aug. 4 blog post on the Electronic Frontier Federation's Web site.
Authored by EFF Technology Director Peter Eckersley and a team of researchers from the ICSI (International Computer Science Institute) at Berkeley, who was one of two groups that reported on the phenomenon, the post explained that technology from Paxfire is used to redirect search traffic bound for "Yahoo, Bing and sometimes Google to a small number of separate Web traffic proxies". These proxies process the search queries and direct most to and from the intended search engines; however, queries relating to around 170 major trademark holders such as "Apple", "Dell" or "Groupon" are directed to affiliate marketing networks and the user ends up at the brand Web site or on "search assistance pages unrelated to the intended search engine results page".
Paxfire and the ISP involved collect a commission for the referral, EFF confirmed in a follow-up blog post on Aug. 25.
A class action lawsuit has been filed against the company and one U.S. ISP.
Koh pointed out that from a user's perspective, the outcome of this practice could result in searches that produced a less than optimal search result. The practice also "abuses search users' trust" as they are unaware of the hijacking and redirection of their search traffic, he said.
According to Koh, the practice is similar to the Domain Name System (DNS) redirect, where non-existent or mistyped URL requests are redirected to an ISP-related search portal often laden with advertising.
Beyond DNS redirect, ISPs also have Deep Packet Inspectors (DPI) which enables them to analyze the traffic of users, Koh warned, and that while DPI itself "isn't bad", there is a potential for it to be abused.
"Many of the outcry today stem from the lack of transparency to the end users and lack of the ability to opt out of these services, or better still, based on an opt-in approach," he said.
Unlawful act?
Andy Leck, principal lawyer at Baker & McKenzie, told ZDNet Asia in an e-mail the practice of "search engine proxying" may amount to an offence under Section 6 of Singapore's Computer Misuse Act.
Elaborating, he explained that under the Act, it is an offence for any person to, without authorization, knowingly intercept--directly or indirectly--any function of a computer by means of an electro-magnetic, acoustic, mechanical or other devices.
Bryan Tan, director of Keystone Law Corporation, added that ISPs are also under the purview of the Infocomm Development Authority of Singapore. A consultation paper released by the IDA in November 2010 on Net neutrality prohibits blocking of Internet content, suggesting that hijacking behavior would "similarly be frowned upon", he noted in an e-mail.
In this case, the guidelines indicate that obtaining consent from the user would still not be acceptable--unlike what's laid out in the Computer Misuse Act, Tan pointed out.
Singapore's three ISPs Singapore Telecommunications (SingTel), M1 and StarHub could not be reached for comments.
ISPs should stay "pipes"
Tan added that ISPs that try to be more than a "pipe" and, for example, regulate traffic as "a traffic light" are undertaking regulatory and other legal risks.
In addition to exposure to potential legal liabilities, engaging in such practices may also result in "adverse publicity" for ISPs, Ang Kai Hsiang, associate of Wong & Leow, told ZDNet Asia.
"There are also possible privacy issues, although any potential liability will depend on the substance and content of the data protection law, which is likely to be introduced early next year," Ang said in an e-mail.
Nevertheless, Koh of Frost & Sullivan advised that since there is potential to hijack search queries, a way to prevent this is to use HTTPS, a secure form of HTTP or encrypted Google search. This would ensure that end user data is secured by encryption so that ISPs are not able to decipher the content, he explained.
"Google offers a Public DNS service which is free to use [and] would help resolve the issue of such DNS redirection," Koh said, adding that it can be configured by users.