Dear ZDNet: Comcast Has Been Sketchily Injecting Messages Into User's Browsers For Years

from the old-news-bad-news dept

Comcast has been dutifully modeling its behavior in such a way so as to fill up Techdirt’s story pages for years now. So, when we come across a story somewhere discussing how Comcast is doing some bad new thing, it’s tempting to simply assume it’s true and move on. Such might be the case for some readers of ZDNet’s recent post about how Comcast was injecting notices into browsers warning of potential copyright infringement.

The cable and media giant has been accused of tapping into unencrypted browser sessions and displaying warnings that accuse the user of infringing copyrighted material — such as sharing movies or downloading from a file-sharing site. Jarred Sumner, a San Francisco, Calif.-based developer who published the alert banner’s code on his GitHub page, told ZDNet in an email that this could cause major privacy problems.

Well, sure, this is horrible, and it is a privacy issue — but it isn’t new. In fact, Comcast has been doing some flavor of this sort of browser injection for the better part of a decade. The company started this practice way back in 2009, using the tactic to warn users of potential malware infections, and there was even discussion about expanding the use for other security purposes in 2011. More specifically on browser injections being used as a copyright warning system, our own Karl Bode noted in 2013 that this was all specifically laid out in Comcast’s six-strike plan. Per Karl’s post, Comcast isn’t even alone in using this tactic.

Comcast has now put information on their implementation of six strikes online. According to the nation’s largest broadband company, their version of the program will involve a persistent nagging pop up that continues to alert the user after the fourth warning. Time Warner Cable, who outlined their version of the plan to me last November, stated they’re using a similar pop up warning system that blocks browsing until users acknowledge receipt of “educational” copyright materials.

None of that is to say that the privacy and security concerns aren’t very real, of course, and ZDNet does a nice job of discussing those concerns. But it’s not new. Perhaps the better conversation to be had is why anyone in their right minds would think that Comcast deserves anyone’s trust to the level where users’ browsers should be injected with copyright violation notices in a system rife with abuse from pretty much every player involved.

Companies: comcast


Comments on “Dear ZDNet: Comcast Has Been Sketchily Injecting Messages Into User's Browsers For Years”


disable javascript !

This is one more reason why it’s very important to turn off Javascript in your browser — assuming that it can still be done (it’s been getting harder and harder on newer browser versions). But be warned: many sites don’t work properly without Javascript (Techdirt does, but just barely).

Though it’s possible that Comcast -like many websites- will just switch to another display method on Javascript-disabled browsers. Perhaps like inserting a banner image in the middle of any web page.

But compared to Comcast’s numerous other below-the-belt shenanigans, like injecting forged reset packets into a user’s data stream to cripple Bittorrent, this privacy & neutrality violation seems mild.

As the usual mission-creep sets in, Comcast could even use this method for selling advertising space and delivering ad banners right into everyone’s browser.

Sam smith says:

Random Comcast injections

Comcast injects pop-ups into other websites too. If you connect to their xfinity hotspots (they pirate your connection and broadcast their own public hotspot from your rented cable modem), they ~once per day pop-up an xfinity logo in the middle of the other sites’ webpages.

It’s a very annoying popup that does nothing besides remind you to surf TLS pages exclusively.

This is nothing more than an ad for letsencrypt. The lack of security on the internet is astounding.



Regarding what you’ve posted and this quote from the article:

“The company (Comcast) started this practice way back in 2009, using the tactic to warn users of potential malware infections, “

…I had this problem a few years ago, a popup warning that my computer might be at risk and I was to call Xfinity (Comcast) for important information that would save my computer. There was literally no way to make it go away, no X box in the corner to close it.

The only way to stop it was to call the number. Comcast used my call as a way to capture me on the phone to pitch their crappy Constant Guard software. The Comcast guy was very earnest and said I was getting the pop up because my computer was, and I quote, “probably already compromised”, and that only buying Constant Guard for a monthly fee of $12.99 was the way to fix it and stop the pop ups.

I told the Comcast weasel that I knew Comcast was injecting the pop up as an ad and that it was NOT any indication of a malware infection because I’d done my research online, and ordered him to fix it so that Comcast would stop injecting their stupid ad into my browser. I’m an older woman, which means I’m part of a demographic that usually automatically believes what the nice, young tech gentleman who seems to have my best interest at heart says… he kept telling me the pop up meant I (“probably”) had a malware infection and that he was trying to help me save my computer.

I pay for ESET Smart Security, I would recommend it to anyone, and I’m not buying Norton, especially not for a nice, chunky monthly fee from Comcast.

He finally glumly agreed to stop the ad injection, and it never happened again after that… this is a guy who stated categorically that Comcast was not injecting an ad, that it was a malware warning only meant to help me.

It makes me sick to think of all the older people who fall for this crap because they do not know any better.



This is one of the reasons I hang around Techdirt, as it’s one of the few remaining sites that does not require cookies or javascript or logging in … or supporting/enriching Mark Zuckerberg. And the page’s source code is not too complex to follow (whose reading is required in order to view the ‘deleted’ comments)

It’s a sad state of affairs that in the internet today, spoofing a browser’s user-agent is a requirement on so many sites in order to avoid getting redirected to a scold page telling you to “update” your browser in order to be let in. Though it would indeed be nice if browsers let users spoof the screen resolution as well, so as not to be automatically redirected to the “mobile” page (which Twitter does to punish people with large screens in non-standard resolutions)

OK, morning rant over.


Same old story. This injection technology started out by claiming to be about keeping users safe and secure from malware and viruses. Then mission creep set in and suddenly it’s being used for copyright and advertisements.

It reminds me of the direction mass surveillance is heading in. It started out being about safety and security from terrorists (which it’s failed miserably at stopping any terror plot). Then it morphed into economic espionage followed by quelling political dissidents, spying on journalists and prosecuting whistle blowers.

It always starts out being about safety and security before morphing into a monster.

They can bend the CFAA to threaten people like Aaron Swartz with life in prison for downloading public domain files, but they can’t use it to go after actual browser injection attacks? Thankfully we have a law to protect corporations-I-mean-the-public. Thank you society for standing up for Comcast.

Also, it sucks being a poor blogger because SSL certificates cost hundreds of dollars a year per domain. Techdirt had run a story about some organization (EFF?) that was going to give those certs away for free soon? There’s lots of sites like mine that would go to HTTPS in a hot second if they could afford the certs.


In order to inject, they must first read the header

Which is certainly enough to violate their customers’ 1st and 4th Amendment rights.

This isn’t like dropping a pebble in a pond. Line rate content transliteration requires heavy engineering and complex software.

If they are doing this, they have the capacity to do many other nefarious things that would be less obvious. Like transliterating popular political content at line-rate in order to manipulate elections.

How indistinguishable does a telecom have to become, before a judge is willing to call them what they are: “Agencies of the State”?

Overturn Citizens United. Reinstate Glass Steagall. Bust the Trusts.
