2008年2月号 強制的なWeb広告、どう思います?

Before I get to the unpleasant material, I want to say something negative and positive about the gaming industry. I try to keep my mix of game play and Real Life in proper proportion, but I must admit that when something compelling comes out, I can lose myself in the experience for a time. Bioware is a company that has consistently made extremely engaging games, ones that are driven not so much by technology but by a terrific story, like "Star Wars: Knights of the Old Republic" 1 and 2, and the Baldur's Gate series. Black Isle Studios, now defunct, published the Baldur's Gate series and some of the finest other role-playing games, like "Planescape: Torment" and Fallout 1 and 2. I was very disappointed when Interplay, the parent of Black Isle Studios, went out of business. But I was almost equally disappointed when I heard the distressing news that Bioware had been bought by Electronic Arts. EA is a company I have come to severely dislike. Although I suppose EA deserves some praise for having brought some titles to the Mac, their method sounds like something of a hack. I can only hope that Bethesda Softworks makes a great Fallout 3 and can someday make a Fallout MMO.

On with the Nastiness

Of course we know what software is running on our computers--we see the little triangle under its icon or the rectangular button in the Windows or Linux taskbar, and the more technical computer users (for example, SD readers) know that a lot more is going on inside our boxes. We run anti-virus software (on Windows, at least) to stop bad stuff from getting installed, and we follow certain practices to avoid infection (being careful about what we download and install, aware of where we are surfing and what links we are clicking, and so on). But how often do we think about what happens to our data packets after we send them out into the Internet or what happens to the responses as they are traveling back to us? I know that I am very conscious of whether or not I am using a "secure" site via an SSL encrypted connection, and I'm sure you are too, but beyond that, I usually just think in terms of "secure" vs "not secure." I realize that my e-mail is often not secure, because even though I may be using an encrypted channel to my mail server, my outgoing mail probably doesn't leave there encrypted. But that's more about someone obtaining my specific data, the words I use or the logins or passwords I enter. I can be fairly confident that that material isn't at risk. But what about other kinds of data?

I have been following a controversy with Comcast, a US cable television/VoIP/Internet provider for a few months, wherein it appears that they are shaping network traffic to decrease the amount of data coming into their network from the outside, specifically peer-to-peer data. There are a number of ways to handle this huge increases in network bandwidth generated by p2p transactions. A paper from a company called Sandvine describes five methods:

  1. Build more bandwidth--a very expensive solution.
  2. Block p2p traffic--something that will annoy customers and drive them away.
  3. Set up a network cache--impractical if the material is coopyrighted, and lots of it is.
  4. Cap bandwidth--another irritation to customers.
  5. Traffic shape p2p packets--not always possible to identify p2p traffic, which can penalize non-p2p users as well.

Finally, Sandvine offers its own alternative, "Stateful Policy Management," meaning "On the downstream, a redirecting agent reroutes P2P traffic along the least-cost network path, while P2P session management manages the upstream bandwidth by controlling the number of P2P connections with external networks."

Comcast appears to be using Sandvine's system, which works like this:

Using a network device from Sandvine, it appears that from time to time Comcast interrupts the peer-to-peer protocol sequences that should initiate a new transfer from within Comcast's network to a peer outside of Comcast's network. Sandvine's system accomplishes this by sending a forged TCP packet (with correct peer, port, and sequence numbering) with the RST (reset) flag set to both machines (the sending machine within Comcast's network and the receiving machine outside of Comcast's network). Each machine's network stack then drops the connection.

This may be good for Comcast, reducing the amount of data that passes through its gateway into external networks. If p2p data can be exchanged within its own networks then it doesn't have to send a lot of data outside, and that will reduce their costs. It may be, however, that Comcast uses this technology even within its own networks, reducing data exchange between internal subnets.

There are some Bad Things about this whole thing, though. First, RFC 793 says, "As a general rule, reset (RST) must be sent whenever a segment arrives which apparently is not intended for the current connection. A reset must not be sent if it is not clear that this is the case. " The Sandvine application appears to be violating that case. RFC 792 (ICMP) says nothing that permits such activity and RFC 1812 (IP4 router requirements) says explicitly "All state information required for end-to-end flow control and reliability is implemented in the hosts, in the transport layer or in application programs. All connection control information is thus co-located with the end points of the communication, so will be lost only if an end point fails. Routers control message flow only indirectly, by dropping packets or increasing network delay."

Of course, does this mean that firewalls violate RFCs? I don't think so, as most firewalls evaluate whether a packet should be passed on or dropped, rather than faking a response to each end of an existing connection. Sandvine could use other alternatives to faking packets: they could send a source quench, thereby slowing down traffic, or send ICMP Administratively Prohibited or perhaps Cut-off in Effect notifications, or they could simply drop the packets on the floor. But instead they fake an RST and do so secretly.

If you do use p2p software and find yourself suffering from RSTs, there are some things you can do to get around possible "Stateful Policy Management." You could tunnel outside the affected network using a VPN or SSH. Your p2p client might allow you to transmit data encrypted. Or you could improve your upload to download ratio by setting a download rate slower than your upload rate. Accepting a high RST rate might be an alternative, but some networks (like eDonkey 2000) will cut off leeches quite quickly.

I don't use p2p networks much, but I find the technology very interesting and potentially highly useful. Blizzard Entertainment uses a p2p system to transfer patch data (often one or two hundred megabytes) and unfortunately Sandvine's system can interfere with that quite severely.

My main complaint about such systems is that they are invisible to the user. Things might be working fine for a while but then suddenly start to fail. How can regular people determine what the problem is? If you aren't both exceptionally curious and exceptionally clever, chances are you would never figure it out. Again, my problem with this situation isn't so much that Comcast is doing this, although it does appear to violate more than one RFC. Their Terms of Service ("ToS") which their customers must agree to follow describes what Comcast can do with their service, and they pretty much say that they can do anything they want. What bothers me is that this is all hidden, all invisible to their users. And so what if the ToS really does give Comcast the right to do all these things? They are interfering in an unexpected way, one hard enough for technically minded people to figure out.

Targeted Ads (Go Straight Through the Heart)

Here's another one, first discovered and discussed in the summer of 2007, NebuAd ( and is an advertising company that has hardware that injects its own ads into an http delivery, causing their ads to appear in webpages where the original designer never intended or even considered them appearing. They share ad revenue with Internet Service providers that install their equipment in their facilities. Says NebuAd, "NebuAd provides the appliance to ISPs at no charge and does not require major configuration changes to existing IP network elements nor any hidden hardware costs." What do they have? "Web-wide consumer visibility with micro-targeted ads delivered at the right time in the buying cycle." NebuAd claims to be "dedicated to the highest standards of consumer privacy. NebuAd's network was designed from the ground up to meet industry best-practices regarding consumer privacy and protection, and does not collect and use any personally identifiable information." I don't much care about the advertising industry's best practices. I care far more about the individual's best interests. NebuAd also claims to have "established industry-leading privacy controls and practices with respect to transparency, consumer notice and consent. NebuAd's privacy policy provides consumers with clear 'Opt Out' instructions." But I don't want "Opt Out" instructions. I don't want to be "In" to begin with. I don't want my traffic analyzed and ads served to me based on what they think I would find most useful according to their "behavioral targeting network."

The Fair Eagle site goes into this a bit further: "Fair Eagle is able to determine behavioral user interests based on web pages navigated, searches made, ads clicked, and other factors." Specifically these things:

  • Web pages viewed and links clicked on
  • Search terms
  • The amount of time spent at some Web sites
  • Response to advertisements
  • System settings, such as the browser used and speed of the connection
  • ZIP code

I don't want people following me around while I traverse the Internet. What business is it of their's or my ISP's? None at all.

To some extent, I already receive targeted advertising on the Google pages I visit, through Gmail and Calendar and so forth. But I don't think I am being hypocritical by rejecting NebuAd and its Fair Eagle Technology and Services Division: I pay my ISP to deliver me Internet connectivity, not advertising. I am quite sure that my ISP is not going to reduce what they charge me monthly for that connectivity if they somehow get $X a month from NebuAd for being able to deliver me advertising. In the case of Google, I receive clearly beneficial services for advertising that I find minimally intrusive, and their services are even more useful now that they have rolled out an iPhone version, which works very well. The ads I have seen from NebuAd have been large graphics, banner-sized.

But not only are NebuAd's advertisements intrusive, they directly interfere with the http stream, injecting their own JavaScript into the page, which opens questions of copyright infringement (a publisher could argue that the addition of a NebuAd/Fair Eagle advertisement violates their page copyright) and security (for example, imagine a criminal inside or outside the company who managed to replace NebuAd's supposedly innocuous JavaScript with something clearly malicious). No, this advertising system is very, very questionable.

Western Digital - What happened to you?

Here's a third example of a third party interfering with our quiet enjoyment of the Internet. I am disappointed with Western Digital. I do like their hard drives, but they are doing something that I find almost incomprehensible. Western Digital has built a kind of digital rights management system into their My Book World Edition hard drive line. If you use their proprietary MioNet software, you can register up to five users who can access the data, but anyone who is not registered cannot access certain kinds of media files, despite your permission. A complete list of affected files is here:

It includes DiVX, QuickTime Video (MOV), Impulse Tracker, even OGG Bitstream files! This is simply insanity. In their desire to avoid any lawsuit from Hollywood, WD has assumed that we are all criminals and decided for us, well before the fact, that we cannot use our own drivesd to share certain kinds of "questionable" files.

This isn't quite as bad as it seems, though. They can impose this limitation only if you use Western Digital's proprietary access software. MioNet or WD Anywhere Access does give you some helpful features, like being able to access your drive securely from remote locations, but nothing that can't be done with other, non-proprietary systems. And it comes with a very severe downside, namely not being able to share media files freely, no matter if they are copyright protected or completely copyright-free.

Workarounds are Good

There are workarounds for all these problems. Avoid ISPs who perform traffic shaping or instead try to tunnel out of their networks. Use OpenDNS ( or and/or an ad-blocker to help stop unwanted content from getting to you. And use a well understood protocol like Samba rather than proprietary systems like MioNet to serve files. These solutions may have possible negative consequences, though. For example, Western Digital warns about trying to back out of using MioNet, their FAQ stating "If data has already been added to shares on the drive using WD Anywhere Access (MioNet), this data will need to be copied or transferred to the internal computer's drive(s) or other SAMBA shares BEFORE MioNet is to be disabled or uninstalled. Data contained in shares under MioNet's control will not be accessible if the program is uninstalled. Once you've moved the data from the MioNet protected shares to the internal computer or another location, you can proceed creating SAMBA share(s) on the drive." Yet another argument for being very cautious about using proprietary encryption systems (a reason I have not yet tried Apple's encrypted home directory feature). And this is another example of something that a typical user will just find befuddling.

I would far prefer Comcast and other services providers to say in very clear language "We reserve the right to interfere with your Internet traffic for any reason and in any way we wish, including blocking your access to certain services and software, inserting advertising into your web browing based on our analysis of your behavioral patterns, and examining and blocking all potentially-copyright data you try to send and receive." But they don't say that, and I doubt they ever will. I've done a lot of complaining this month, but the situation isn't all bad. In fact, some good can come out of this. It is up to us, the consumers, to understand what we may be buying and refuse to buy or use items that we object to. We don't complain just to complain. I certainly don't. Rather, it is by making our disagreements known that we can bring about change for the better, encouraging companies to make their goods and services more useful to us. Companies that improve them so that we want to use them will thereby benefit, and our community as a whole will likewise benefit.