ISPs secretly hijacking search traffic to profit off customers


In a study released by a UC Berkeley research group, a group of Internet service providers in the United States are watching the keywords that a user types into a search engine and redirecting those users to the brand page to rack up affiliate revenue. While Charter claims to have stopped this behavior, companies involved include Frontier, Hughes, Insight Broadband, XO Communication, Cincinnati Bell, Megapath, Cavalier, DirecPC, Paetec, Cogent, RCN and Wide Open West. The study also identified a company called PaxFire that’s the middle man for this operation.

paxfire-schemePaxFire watches and collects the search keywords that users type into search engines. Based off typical user behavior, they redirect the user to a brand page. For instance, if a user searches for the term “best buy”, they would be whisked off to the Best Buy home page rather than the search results page. Once the user lands on the page and starts to shop, PaxFire collects affiliate revenue off purchases or collects revenue based on the user simply visiting the page. There are several companies that offer this “service” to ISPs, but PaxFire was found in a relationship the majority of ISPs within this study. Lawyers have already filed a class-action lawsuit against PaxFire claiming that spying on customers is a violation of the Wiretap Act.

The researchers found about 170 brand-related keywords that triggered this redirect action, likely large brand names and lucrative relationships for affiliate revenue. They also discovered that PaxFire proxies occasionally malfunctioned resulting in a broken Web page which the user blames on the search company like Google or Yahoo. If a user is concerned that their ISP may be redirecting search results, they can run a tool provided by the Berkeley team called Netalyzr. Provided by the Electronic Frontier Foundation for increased security, there’s also a Firefox extension called HTTPS Everywhere that encrypts user data by rewriting all requests to the secure HTTPS connection.