CenturyLink is totally shady. My wife just yesterday spent a significant amount of time fixing our phone bill. She decided a couple months ago to upgrade to a "fixed" bill plan (apparently they've been raising our prices $10/mo every year for the last few years). This plan price won't change until we change the plan. It's bundled with their internet though, but my wife told them to not send the modem because we weren't going to be using it and didn't want to be charged for it.
Fast forward to yesterday and we had a modem in the mail a $200+ bill for our landline that should be <$60. She called and the guy on the other end was very helpful (surprisingly). He went through the bill line-by-line and almost every time said something to the extent of, "Why is that here?" "I'm going to have to talk to {previous sales lady who 'upgraded' us}". Some of the items he didn't even know what they were and couldn't remove them, so he instead gave us a permanent $10/mo discount or whatever it was billing.
About the modem, he said, "You can keep it or mail it back. I can make a note on our software that you didn't want it and it shouldn't bill you for it. However, I recommend you mail it back because sometimes that note will disappear from our software and start charging you again".
Wait... what!? Did he just acknowledge what some of us has suspected all along? That their software has intentional "bugs" that don't remember to stop billing someone for something?
The whole thing feels like a scam to me. I don't trust them at all. This isn't the first time and won't be the last either.
The reason we haven't canceled? No other traditional landline offerings in our area. Everything is VOIP or Cell. My wife wants something independent for emergencies. She's starting to question the value of it all though.
The quickest way to resolve all of these billing shenanigans: file a consumer complaint with the FCC. Magically, you'll almost immediately get a phone call from someone fairly high up in the company (typically executive relations or similar) that has the power to fix things and will make it right.
The sad truth is that these telcos will systematically screw millions of customers with shady fees and fraudulent billing practices, but when the FCC gets involved, they are facing potential fines of tens of thousands for each infraction, so they'll bend over backwards to get you to drop the complaint.
Try it sometime, it sucks that it's necessary, but you'd be amazed at the results.
Completely agree! Taking the time to pull in the regulatory body that sits on top of a misbehaving behemoth absolutely works! I've done this with PHH Mortgage who "lost" a payment when they took over the mortgage from another company, and also with Enterprise Car Rental when they tried to scam me in Chicago during a drop-off. In both cases I received 100% satisfaction very quickly.
Other tips:
* Take the time to find the correct regulator... It might be in a different state than yours
* Prepare a complete document with as many facts and scanned copies as you can
* Clarify your desired outcome
* Send everything certified mail
* CC the CEO of the company with which you are fighting
* If sending a follow-up letter, included scanned copies of the certified mail receipt(s) from previous communications - they cannot then argue that they did not receive your previous communication.
Nobody wants a call from the AG or a Financial Regulator!
Yes, it is terrible that this needs to be done, but it works wonders.
Don’t know if it’s the same in the US as the UK, but the regulators details are generally on the bill under the complaints section for each company/utility.
Similar, except I went through Elizabeth Warren's Consumer Protection Bureau, the one Republicans want to kill off. I actually got a direct, hand signed letter from PayPal's chief legal counsel listing the ways they would, and did, to correct the situation. We need more power, not less, in regard to shady business practices.
"The quickest way to resolve all of these billing shenanigans: file a consumer complaint with the FCC"
This , I had to do this with Comcast because of their craptastic service ,BS, and invalid billing. Trying to cancel them I kept being passed around to ALL the wrong people and departments, hung up on, refusal to give confirmation that the service was actually cancelled. Finally figured the only way they would cancel my service was to write a complaint to the FCC.
Sure enough just a few days later comcast called and apologized and cancelled my service as requested and fixed the hundreds of dollars of wrongful billing.
Make sure to file a complaint with your state attorney general. Cases like these can quickly get their attention and more importantly, companies don't want to be investigated by AGs. Unlike state regulators, companies are less likely to have a pre-existing relationship with them. Since you're talking about telecom and not just internet, it's also worth checking to see if that is regulated by your state PUC/PSC. Don't bother with the better business bureau. A company can have an A rating as long as they respond to you, they don't actually need to fix your issue.
Also file complaints with your city. Comcast relies on licenses from the city to use the poles for their cables. Complaints about bad service tend to get fixed quickly when their franchise agreements are in peril.
The best way to cancel any cable service is to simply unplug your equipment and drive to the service office and plunk it on the counter while announcing loudly that you’re canceling your service. It took all of 15 minutes and all the service rep said was “Sorry to see you go.” No retention techniques, nothing. It was the best customers service experience I ever had with Comcast.
In my experience helping an elderly relative with the cable shitshow, the Comcast service center people are actually really nice and would have done so without the drama. But I definitely recommend the physical side of things.
Although I have done a bit of a chaotic neutral thing myself: Comcast sent her two new boxes instead of one after we switched her to a cheaper box. They wanted us to drive all the way back to service center. Grabbed their UPS account # from the tracking code, filled out the web form and had it sent back with pickup billed against Comcast’s acct. She never got billed a cent.
Another way to deal with Comcast is to go in to their local customer service office. The people there are real, live in the same town, etc and generally can solve any issue and will do so with no BS. At least that's my experience.
When I've tried dealing with someone in their call center, it's been much more frustrating.
Unfortunately sometimes they’re woefully understaffed. When we lived in New Haven they never had a line less than 20 deep and it was clear that they just needed not to skimp on staffing because the people were working as quickly as they could.
I recently ran into an issue with Spectrum where an agent signed me up for a new plan with lower pricing and shipped me a new modem, but the pricing didn't actually update in their system. Called back a few days later to correct this, and no one could find anything about the plan I signed up for, claimed I was lying, etc. After escalating several times and getting no where I emailed the first person from this list [0] and received a call back the next that solved the problem.
Yea, spectrum is scamming people with that. Got an online quote for 400Mbps internet (no modem) for price X. Signed up for service. Billing price was $X + $15. Called service. Oh, we don't offer that pricing, you could not possibly have a quote for that. I was like I do, and I will hold you to it. So they sent me to the local store. Even the store was like "We don't offer that price" and I replied "So you are illegally baiting and switching on customers and committing mail fraud?". After that they adjusted our rate to the quoted price.
BBB complaints also work sometimes. Was playing back and forth ball with Verizon FIOS's billing department for a few months. Got tired of it. Filed a BBB complaint. Then soon after got a call and magically the issue was solved.
BBB is also a kind of scam: they are not in any sense a government agency, more of a Yelp-like entity. In the age of the internet, they go after small businesses, and are eagerly sought out by scammers because you can just purchase their approval, and it can help allay people's suspicions. For that reason I'm less trusting of anything that is touting BBB support. It might be an old person who's not up to speed with what they've become, but it might be someone purchasing a high rating because they know they're going to try and rip people off, and need some cover.
At the time of writing this, they think I'm just dandy, because I didn't respond but didn't attack them when they tried to shake me down. It'll be interesting to find out if they respond to this post ;)
Yelp would also work, if the business concerned cared a ridiculous amount about resolving complaints there. That's the only value - that these particular companies care an awful lot about resolving complaints left with the BBB.
Got bullshitted by Comcast phone rep, skipped straight to BBB complaint since I didn't want to deal with Comcast for hours/days, less than a week later I had their VIP Customer Service department calling/emailing daily until they (not me) got the issue resolved.
Perhaps an FCC complaint results in the same result, but it worked out perfectly for me.
> For that reason I'm less trusting of anything that is touting BBB support
What is important is that those companies care about BBB and are quick to fix the issue. If they didn't care about BBB I wouldn't have gone that route.
Same with Twitter. Some companies can be shamed into helping by posting on Twitter. If they didn't care about Twitter, it doesn't nothing using that medium to get help.
When municipal fiber started moving into Utah, CenturyLink was a big offender of paying off local authorities to restrict and limit deployment. Lots of cities and areas didn't get upgraded for that reason. Less customers for fiber meant less customers to payback the investment - ends up costing everyone else more. CenturyLink is textbook rent-seeking behavior.
My advice to anyone moving into the Utah area is check the internet service provider options first. Last thing you want is to be in an area serviced only by CenturyLink.
"CenturyLink was a big offender of paying off local authorities to restrict and limit deployment. Lots of cities and areas didn't get upgraded for that reason. Less customers for fiber meant less customers to payback the investment - ends up costing everyone else more. "
This happened to all of Australia with Telstra/Foxtel and the NBN.
We were all going to get gigabit fibre, then Rupert Murdoch and the incumbent corporations got involved.
Now the 80% of us that didn't already get fibre yet are getting DSL or HFC that drops out ten times a day and can't reliably hit 15Mbit. That's right, new DSL being installed in the year 2020.
A friend of mine signed up for them on a promo, got charged 3x the price he was supposed to, then was told “We didn’t apply the promo, but that’s only for new customers and you’re a customer now so we won’t fix it.”
Thankfully he lives in one of the few places with multiple providers, so he told them to stuff it.
I had a similar issue with comcast. I sent back a modem I didn't need, took photos and even had a receipt. After around 8 hours of phone calls asking them to remove it from my bill and them giving me the run around. They continued to charge me and sent my bills to collections.
At collections, it continued like this for months, I sent photos, I even had a recording of a comcast manager saying "we shouldn't have billed you, and will remove the charge".
After 18 months of fighting this $300 charge and around 30 hours of debates... I just paid the bill
You could just take the CEO to small claims court for the maximum amount in your area (usually $5000-$10000) for the charge + punitive. Some states make it so you can't have a lawyer represent you in small claims court, and since Centurylink does business in your area then the person you served (i.e. the chief executive) would have to show up in person.
That's basically what I did with a shady property management company (AMC LLC, one of the largest in the US tried to steal my security deposit) and won, but I've heard that huge corporations like CenturyLink will even immediately follow up with a settlement offer to avoid spending an executive's time.
I think in some states they can appeal from small-claims to non-small-claims court then you have to get a lawyer. Obviously a super pro-corporate court system.
A couple of Comcast employees were canvasing my neighborhood earlier this year trying to talk me into switching over from my amazing fiber provider. I told them I've read enough horror stories like this to ever even consider the possibility of getting into any kind of contractual agreement with them.
I had a similar fraudulent charge sent to collections once. I collected evidence and started a case to get it removed with the big three credit companies which basically took their teeth away. You can win without playing with courts.
An important bit of law to always keep in mind, as companies bank on consumers being ignorant of it: If a company mails something to your home that you did not expressly order - it's yours. End of story. They cannot request that you send it back, they can not charge you for it. It's yours. This includes if you ordered product A and they sent you product B by mistake. Legally speaking, in that situation you were sent a gift and the company has done nothing to satisfy their legal obligation to send you the product you purchased.
If companies could just send you things and bill you without you ordering anything, we'd all be buried in mountains of garbage and steep debt. Keep the modem as a gift courtesy of CenturyLink. Watch your bill and if they charge for anything you haven't received, if you've got the time, file fraud claims in small claims court to recover the money.
You are misconstruing what the laws on unordered merchandise mean. If you have a business relationship with a company, and they send you something mistakenly, they can bill you if you do not send it back. You will not win a lawsuit for fraud or similar unless you have no business relationship, or the company refuses to send you a return mailing label.
If they meant to send it to someone else but put your address on it, that's an accident. Which is to say, if the package has your address on it but someone else's name, you can't keep it (in fact, if it's delivered by the USPS then I believe even just opening it is a crime as it's someone else's mail).
If they intended for you to receive it but believed you were expecting it (and understood that you'd have to pay for it), then I expect that would also qualify.
In order to count as "unordered merchandise" it seems reasonable that the sender must be aware that it was unordered.
If you're mailed merchandise that you did not expressly request or consent to, it becomes your property to do with as you will, and you cannot be billed for it. There are no exceptions for accidents.
What I "find reasonable" only applied to the sentence that contained it. Receiving accidental packages has nothing to do with "reasonable".
If you receive a package that was not intended for you, that's an accident, and you are not entitled to that package. That's my core point.
If you receive a package that is intended for you, but it was a bona fide mistake on the company's part, you'd have to ask a lawyer as to whether that counts as "unordered merchandise" or not. I certainly wouldn't simply assume it is.
That's simply not true. An accidental package is not "unordered merchandise".
If it's got your address on it, but someone else's name, it's not your package and you're not entitled to it (in fact, you can't even open it).
If it's got your name and address on it, but the company meant to send it to someone else named dragonwriter instead of you, it's also not your package and you're not entitled to it.
If you order item A and the company accidentally sends you item B instead, that's not "unordered merchandise", that's a mistake, and you're not entitled to treat item B as a gift.
> An accidental package is not "unordered merchandise"
I'm not sure what you mean by “accidental package”; specifically what kind of accident is involved.
> If it's got your address on it, but someone else's name
Then it isn't addressed to you (the verb address and noun address are related, but not in the use directly corresponding), and isn't what I was talking about.
> If it's got your name and address on it, but the company meant to send it to someone else named dragonwriter instead of you, it's also not your package
This is both generally incorrect and objectively unworkable (it would require an inquiry into the mental state of the sender before one could decide what to do with a package.) There are special cases where things would be different (e.g., there actually is another dragonwriter at the address, who actually did order the merchandise, in which case it is, obviously, not unordered merchandise that they have caused to be delivered to the first dragonwriter. But that's not even an accident or mistake on the sender's part.)
As well as the statute referenced above, the FTC provides clear and explicit guidance: if you receive it, and you didn't order it, it's yours and you may keep it. Intent of the sender is not an issue.
Is that a moral distinction? Then both are right. It's not 'yours', but the law says otherwise.
The reason is, the common con game where criminals would send expensive items to someone, often a recently deceased person, and demand payment. The surviving family would assume that good ol' Dad had ordered it and pay up.
The item was usually junk but with a high price tag. So the con had little to lose.
Anyway, items mailed to you without being explicitely ordered are yours to keep, legally.
Not making my self clear. The unordered item, traditionally a bible with the deceased's name in gold lettering (so it cannot reasonably be returned) is delivered with a wildly optimistic price tag. In the hope that the suckers will pay up without question.
What usually happens in my neighborhood is the demented postman delivers my neighbors packages and letters to me. This is a different situation of course and I always hand carry it to the correct address.
One word of caution: I worked for a large phone company (GTE then Verizon) back in 99-01. I was in the call center for disconnections.
Inactive lines are not equal to lines with no telephone service. IF there is no telephone service, 911 probably won't work. If your phone is temporarily disconnected (say for non-payment of a phone bill or the disconnect they do for folks that live in FLorida for the winter and up north for the summer), 911 will work for you.
This was definitely true for some of the states on the list provided.
I've long thought this was a sad state of affairs. Anyone with a physical phone to plug into a jack should, theoretically, be able to dial 911. I'm happy that cell phones generally allow this.
Putting power down each linw costs money, ditto for maintaining cabling to each home.
Setting an expectation of free 911 service is fine in the cellular world where its a minor nusiance to support, but in the context of a rapidly shrinking customer base (for incumbent telcos) its a very expensive burden.
I'm not convinced it is an expensive burden comparatively. I'm fine using tax money to fund this. I'm fine with a 911 fee for mobile phones, and Im fine including it on prepayments for prepaid, though it would be more upfront if it were included in the price of the prepayment. I wish the world would put a bit more effort into the system so it is better than it is.
These are things that let folks call 911 for a dangerous, possibly drunk driver. House fire, abusive husband, neglected kids next door. I've personally used it for car accidents, violent customers (one decided to huff canned air in a pharmacy), hurt co-workers, and random folks off the street needing an ambulance.
911 provides a public safety service. If it means that phone companies have to provide access from their equipment or their lines, I'm OK with that. Im OK with all or part of that being reimbursed, with the main exception of requiring a new mobile to be compatable with emergency services (no worse than requiring autos to have seat belts).
Its really easy to end up with a shrinking taxable revenue base like the Universal Service Fund currently has, causing the tax rate to support lifeline services like what you seek to creep up to impressively high rates: http://www.atconference.com/support/faq/usf.aspx#rates
Lifeline service is a public good, but funding should not come from taxing shrinking telephone bills, but instead from a different revenue source that isn't in the process of notably shrinking every year.
I truly tend to agree with you on this. To complicate matters, I'm pretty sure the Universal service fund not only does things like 911, but also helps poor people afford phone bills. The phone bill tax isn't the best way to do it, I think. Honestly, I think they should be fairly flat easy-to-understand taxes for the phones (including wireless service).
That said, I'm not sure how cell phone taxes wind up looking on a bill, honestly. I have weirdly never had contract telephone service. I've never been able to justify the costs. For years, I had prepaid plans (that kept getting better) in the US, then moved out of the country.
Might getting a ham radio and learning how to operate it (getting a technician's license together) be an alternative to a landline for having something in emergencies?
I got my technician license and one of the things that surprised me was how helpful the community was and how much they want you to get your license. KB6NU has written a nice guide for the technician exam if you have a background in basic electronics, and there are several nice sites to take test exams on.
The technician license exam is extremely easy, you just have to memorize a few hundred questions. Passing the exam and getting the license doesn't actually prepare you for real world operation at all... I think I spent a total of less than four hours going over the questions, and got full marks on the exam (which amazed everyone there... But I'm a physicist to begin with — just not very much into electronics).
By the way, back when I took the exam, I made a tiny web app to help me with the question pool: https://hamradio.zhimingwang.org/. It basically lets you quickly go over the questions, hide the ones you're confident with, then go over the rest again, rinse and repeat. The question pool might have been updated though.
Of course. Companies stating that info has been misplaced, or taken over by a different representative, or whatever has been happening since the dawn of time. It used to be a kind of CYA. As tech has increased to where I can record every call made on my phone or line and specs about it. If you don't know that they have all your data, now you do, because they do. I believe this tactic will stay around for a bit as a last ditch bully attempt.
I work customer service for a large heating oil company. The system we have really does just have horrible "bugs" like this that make charges to the account. Not fun when you are on Auto Pay either.
It's malicious. Some of us reps try to help you out and get it all reversed. Others don't give a shit at all.
The main thing you can consider is not paying, blasting them on social media, or just keep calling until you get a nice rep who will fix it, hopefully permanently.
Our system deliberately renews/adjusts prices per gallon and service contracts to pretty much whatever price the company feels like extorting. I've seen customers charged $4000 instead of $2000 countless times. Some even pay it.
Our system deliberately renews/adjusts prices per gallon and service contracts to pretty much whatever price the company feels like extorting. I've seen customers charged $4000 instead of $2000 countless times. Some even pay it.
While I’m the last person to trust big business, it’s hard for me to believe that whoever is over the developers who create the billing system would put that in a spec - to deliberately overcharge people.
I’m more inclined to believe incompetence and deprioritizing known bugs to create new features.
How does intentionally writing buggy software even get communicated to the front line developers?
It's not that the software is built explicitly to overcharge people. But it is written and launched into production in a buggy state. And the bugs that cost the company money get fixed. The ones that cost the customers are... not prioritized. The overcharging becomes an emergent property.
In the case of my company specifically, I'm tempted to say the system is working as intended. A lot of the workflows are deliberately complex and obfuscated, though, so users are trying to enter $2000 but the system will always generate $4000 unless you know exactly which buttons to press.
Who's to blame for this? The CEO and CTO I would say. They want to generate as many inflated bills as possible and then make it really hard for the customer service rep to submit an approval for it to be adjusted.
They train the reps to say, "sorry sir, this is what my computer is telling me your balance is."
The customer then either pays or leaves the company, at which point they are charged an early terminaton fee and threatened with small claims court.
So yeah, I really feel this corporation directly desires a complex and costly process since it has a near monopoly on the market and the cheaper competitors are plagued with product quality issues as opposed to service/billing issues.
A friend who is in telecom told me that when talking to a prepaid calling card software company, one of the features was the ability to change by how much the prepaid calling card would overbill.
For instance, you make a 12 minute, 5 second call (12.1 minutes with 6-second billing which means 60 seconds is billed in tenths of a minute) - the software records it as say, 12.6 minutes.
I am talking about the sort of prepaid calling cards that you might buy at a gas station or convenience store. I don't know what would happen if you called their customer service line and asked for the logs of your card...
Not sure about his industry but all of our calls are recorded in customer service and your verbal acceptance (allegedly) makes you liable for the debt.
Among other things, we run residential VOIP networks for large ISPs and other operators, and it's ridicilous to see the prices CenturyLink, AT&T and others charge their home customers for just phone service... I regularly come across LOAs and phone bills for $60 to $120 single home phone lines - for absolutely no reason other than that they can get away with it.
“It’s because the law gave them too much leeway” doesn’t make sense. If you have leeway, you choose the easiest and cheapest method, not the one that involves building a whole new communication system.
“They thought it was the only way to satisfy the law” also doesn’t make sense. There’s no reasonable way to get that from the law, they didn’t confirm it was necessary, and they didn’t publicly fuss about being forced into a large expenditure.
Today is, by the way, the one year anniversary of the repeal of net neutrality. ISPs, including CenturyLink, were viciously fighting to end rules preventing the sale of selective internet access, and won. In order to sell selective internet access, you need exactly the system that just showed up. This system would take a while to build—maybe a year. And once it’s built, you would want to test it. The test would put your capitalization on the lack of net neutrality in the spotlight—unless you just serve a legal notice, and pretend you thought you had to. For that to work, you need to make sure people know the “legally required” part; for a legitimately legally-required notice, companies typically don’t say as much. CenturyLink literally highlights it.
> “It’s because the law gave them too much leeway” doesn’t make sense. If you have leeway, you choose the easiest and cheapest method, not the one that involves building a whole new communication system.
No, you choose the most self-interested option. That type of criticism is usually levied against laws that provide an incentive to enforce it in a self-serving way.
In this case what CenturyLink did should itself be illegal. CenturyLink knows fully well this was a self-serving move and they likely only did it because they're betting they can avoid lawsuits by blaming the law.
Interfering with traffic on a paying customer's active account should be illegal so there is no option to do this for any reason.
1) Most ISPs have something like this router/software -- one that is capable of injecting/redirecting web requests to whatever they want. I remember seeing this kind of thing when I was a Comcast customer -- they implemented a bandwidth limit and to warn you that you were about to exceed it, they used this type of web request injection.
2) There's likely a profit motive here as the software that is being advertised via this injected message costs money. They're likely getting a commission/affiliate fee from every customer that installs said software via this notice.
>involves building a whole new communication system.
Did this require building a new communication system? Comcast has a similar injection system for reminding you to pay your bill, or to notify you that you've been accused of piracy.
Maybe this was done using hardware and software they had lying around.
And here we see the disconnect between what politicians say, and what they write into law.
The bill's sponsor's response to the blog authors query:
SB134 did not require that ...They were only required to notify customers of options via email or with an invoice.
And here is the text of the statute that was written:
(ii) A service provider may provide the notice described in Subsection (2)(b)(i):
(A) by electronic communication;
(B) with a consumer's bill; or
(C) in another conspicuous manner.
Note the difference in language breadth. Bill sponsor: "via email" - text of statute: "by electronic communication".
And note clause (C): "in another conspicuous manner".
Century link is notifing by: "electronic communications" (DNS hijacking to force viewing of the page is "electronic communications") and/or by "another conspicuous manner" (it is definitely "another" and it is clearly "conspicuous" (one will not miss it)).
So, the fault here lies with the politician. He wrote a law that allowed Century link too much leeway to "do whatever they wanted to do to notify". If they were really only required to "notify ... via email or with an invoice", then clause (A) should have said "via email" and clause (C) should not have been present.
I disagree: the claim by CenturyLink that this particularly intrusive, access blocking method is mandated is simply false. It's true that it is permitted by the state law (just as it would be permitted without any specific law on the topic at all), and even arguable that it is one means of complying with the law. (Though since the notification is not presented to some users, it's arguably not even fully compliant.)
But, even if it were fully compliant with the law, it's not any lawmaker’s fault that CenturyLink chose to implement pretty much the most user-hostile method imaginable (short of, say, posting sings on its customers lawns, facing the windows of their home, illuminated with burning crosses—which would likewise be “another conspicuous manner”) to fulfill the notification requirement.
Maybe we shouldn't be looking at whether or not this law allows this particular message to be communicated in this way, and instead look at whether or not arbitrarily blocking access is permitted under the agreement between the service provider and its customers.
As users of streaming devices will attest, HTTP is just one part of the internet, so many would consider it to be a matter of not delivering the service that was promised if an ISP blocks access for any reason (other than by request from law enforcement or breach of the service agreement by the customer).
If a cable TV provider were to block all access and put up a message on an obscure channel that someone might never see explaining how to re-enable the service, I think it's reasonable to assume that most customers would call and complain that their cable service isn't working (and they'd be right).
It shouldn't matter if someone can use a specific type of internet-connected device (among many) and open a specific type of application (among many) on that device to communicate over a specific protocol (among many) to re-enable their service. For practical purposes and in the broad context of what "internet access" means, CenturyLink is simply cutting off service to its customers without justifiable reason. Customers should hold them to that and threaten legal action if the company doesn't want to deliver the expected service.
Agree. While I think the law is silly an unneeded on the merits, I do have to agree with the lawmaker on this one. It's not like he made an exception to a law that banned notices, so "electronic communication" was perfectly fine.
What we need is a separate net neutrality law that bans all DNS hijacking and the like. Furthermore, it costs more for CenturyLink to set up DNS hijacking (unless of course they have bigger plans for it) than to quickly throw out a mass email or slip a note at the bottom of the next bill. So we all know this had nothing to do with compliance with the law.
If the politician does not take responsibility (accept fault) who will? Taking responsibility for the text of at least the law the sponsor has proposed and helped pass is the minimum responsibility I would expect from a legislator. What else do we elect them for? The legislator wrote a law that allowed too much interpretation, that is the fault of the legislator.
I don't see any ambiguity in the wording of the law -- seems like it was intended to provide maximum flexibility in how the information was delivered. The wording also didn't rule out tying the information to a brick and throwing it through each customer's window, but I don't think anyone would be blaming the politicians if that's what the ISP decided to do...
Who will? Probably not CenturyLink, but they should. They're responsible for making a stupid decision here.
The law doesn't require or even encourage CenturyLink to notify customers in this way so what is the politician responsible for? For writing a bill that wasn't impossible to interpret maliciously?
> claim by CenturyLink that this particularly intrusive, access blocking method is mandated is simply false
Agreed - also not the point I was making.
> it's not any lawmaker’s fault that CenturyLink chose to implement pretty much the most user-hostile method imaginable
Oh but it is the lawmaker's fault. It is the lawmaker's fault by writing a law that was so broadly worded as to allow Century Link to be able to perform this "user-hostile method" under cover of being within the wording of the law.
If the law maker had written a more narrow law, and written what he actually intended, then CL using this method would have been in clear violation of the law, rather than being able to hide behind "we are permitted this method by the law".
It shouldn't be the lawmaker's job to specify how businesses go about doing their business. The law was written generically enough that any sensible option would satisfy it; email, postal letter, addendum to your bill, or some other "electronic communication" that the lawmakers aren't qualified to specify. This is how laws should be written.
There's absolutely no justification to CenturyLink choosing DNS hijacking over a simple email in this case, and "the law made me do it" is a particularly weak excuse.
"The law made me do it" is an outright lie. They had numerous options under the law and they chose this one all on their own. They're trying to pass the buck onto the legislators and we should not stand for it.
> under cover of being within the wording of the law.
> then CL using this method would have been in clear violation of the law
DNS spoofing by an ISP a clear violation of the law? Since when?
Just because the law makers don't say email doesn't mean they mean to hijack DNS.
If someone asked you to pick up some food for them on the way home, are you doing to bring leftovers from two weeks ago because they didn't specify from where and exactly what they wanted?
Blaming this on the lawmakers doesn't make sense. ISP had a broad way to use "electronic communications" and they chose a HORRIBLE one.
Once again--yet again--it mystifies me that anybody would privilege the literal capability of being an asshole over the moral responsibility of not being one.
That "may" there appears to refer to selecting among the choices (A), (B), or (C) within the statute.
The portion before the selection list (which I did not quote, as it can be read in full in the actual article) begins:
A service provider shall, before December 30, 2018, notify ...
This clause says they "shall" notify. So it is mandatory they notify. It is not mandatory that they perform the notification via the means they selected to perform the notification. The method is awful, but the method is allowed by at least clause (C) of the statute.
Which was my original point. The bill sponsor replied that their intent was "by email" or "with the invoice". But what they wrote as the statute not only encompasses that intent, but allows choosing a huge number of other, many very awful (as is this one), ways of 'notifying' as well. If the sponsor's intent was "email" or "with invoice" then their statute should have said "by email" or "with invoice".
Consider if such a law was written in the late 80s when fax machines dominated. Suppose that the law specified "send by fax" instead of "electronic communication".
No. The fault lies with CenturyLink. They're the ones who decided to implement this in the most repulsive way allowed by law.
The law only required notification using normal communications methods, not disruption of services. CenturyLink is the one who chose disruption of services.
Some lawyer-management meeting resulted in the argument that they didn’t want customers to be able to claim they had never seen the notice, most likely.
I don't know, specifically, but I do know that I once lived in an area (not Utah) where I had to have CenturyLink as my ISP and they were terrible in just about every respect. This action seems within their normal range of behavior.
A big portion of fault lies with the consumer. If 20% of CenturyLink customers canceled their service for a week in a very publicized way, CenturyLink would scramble.
For example, they could all wear yellow vests and block the entrance to the CenturyLink parking lot.
"Second, most of them do have other options for broadband and in fact use an alternative provider every day."
Are you sure? I don't know anything at all about the market in that part of Utah, but I do know that in almost every place I've lived, there has been exactly one broadband ISP available. If you don't want to use them, then you don't get broadband.
Most consumers do have a choice. "Reasonable" is a pretty squishy word often used to kill discussion.
If a consumer is abused by their vendor and continues to fund their abuser, who should be blamed? Obviously the abuser is to blame for the abuse. But shouldn't the person funding the abuser also get some blame? Or is it all the government's fault? Blame the police.
It seems to be a common response to consumer abuse to blame the government while continuing to fund the abuser. That strategy has made Wells Fargo number one. And Century Link number one. And Facebook number one. And the list goes on.
If you can't live without their service for one week, maybe their service isn't so bad. If you're not willing to lift even the smallest finger the smallest amount, just keep belly aching to the wind. That will fix the problem.
No, most consumers in the US either do not have a choice at all, or they have a choice between two equally-shitty companies.
> If a consumer is abused by their vendor and continues to fund their abuser, who should be blamed?
If the consumer does not have a reasonable choice in vendor, then the vendor should be blamed. That's kinda the whole point of this thread.
> If you can't live without their service for one week, maybe their service isn't so bad.
That makes no sense. If you can't live without their service for one week, that says nothing about their service, it just means the product is indispensable.
> If you're not willing to lift even the smallest finger the smallest amount, just keep belly aching to the wind. That will fix the problem.
What choice do people have? If there's no alternative ISP you can use, or if the only alternative is just as bad as what you already have, then there's very little you can do except complain.
> Most consumers do have a choice. "Reasonable" is a pretty squishy word often used to kill discussion.
Fine. Let's define 5 options as the bare minimum to inspire healthy competition. Now we can decisively say that they don't have that many options, with no squishy words.
Not a whole lot of broadband competition in the areas where CentruryLink operate, such as Utah. In some states, it's a sanctioned monopoly in exchange for rolling out subsidized rural broadband (which somehow never gets built...).
Imagine if it had said “written communication” and CenturyLink had chosen to block your driveway with a sign or toss a note pasted onto brick through your window. Would you be as quick to say it was the fault of the law rather than how they chose to interpret it?
Laws are not source code and they assume some level of good faith interpretation because most real-world activities are complicated and change over time. If “email” was written into the law then we'd get some equally silly complaint about how they're using a system favored by old people while younger users want SMS, Twitter, Facebook, etc. notifications or that an important notice was spam-filtered. Stating “electronic communications” leaves those options open so time doesn't need to be spent revising the law later.
It is generally bad practice to write laws with specific technologies listed as solutions, because then the law is easy to skirt by using another technology, or the law becomes stale as technology changes.
That being said, this law already had a specific expiration date, and there was little fear that email would be an old technology by the end of this month.
>It is generally bad practice to write laws with specific technologies listed
Exactly right. This is why fax machines still exist today. There are some laws that _require_ certain documents be faxed (not emailed) to healthcare providers. If the law was worded more abstractly, they could be using email or a smartphone app now. So to me this new language makes sense, but it can open up risk to being abused.
If the law is abused, the company should have it's day in court, and the courts can decide what to do.
Writing laws feels a bit like a monkey's paw. No matter how well written a law is they often have unintended consequences or are implemented manners that weren't imagined.
I don't think the bill's author/sponsor is fully to blame (they aren't guiltless either). Centurylink certain did not have to implement this requirement in the way it was done. The most depressing aspect to this is the lack competition. The author is unable to move to a competitor which did not behave this way.
There’s been a huge propaganda campaign since the 1930s trying to roll back the New Deal. So many familiar faces and concepts owe their familiarity to a stream of corporate money which started flowing to Christian libertarian pastors, magazines, etc. and, later, televangelists and movements pushing for Eisenhower-era introductions of public displays of business-friendly Christianity. Kevin Kruse wrote a great book outlining the history:
Laws should be written specifically. It should be expected that they will go obsolete and it should be routine to expunge/replace laws as tech changes. If they meant email they should have put email.
If they put email, then that would have required the use of email. That's certainly more narrow than they intended, as it would exclude other acceptable methods such as sending a physical letter, including a notice with the invoice, etc.
clause (B) of the statute specifically authorized "notice with the invoice" - which if the invoice were physical postal mailed, would have then included "sending a physical letter".
Disagree. Lawmakers are so clueless about technology. Insisting that they take in more responsibility for specifying precise technical details is the last thing we should do.
Writing a law that says "send an email" is the exact detail needed. In this situation, that is not the technical details that legislators should be staying away from.
I used the word "should" 4 times, never stating any expectation. What is naive about that? I realize how fucked is our current system of laws and lawmaking.
No laws are written in a vacuum. Century Link most likely even participated in having this law drafted. No doubt they have lawyers in every state capital watching for laws that affect their business.
The law required CenturyLink to notify its customers and intentionally did not mandate a particular means of doing so. This is a feature, not a bug.
Now, shady DNS spoofing may be one means of complying with the law (though it may violate others), but it was CenturyLink that chose this non-standard approach. They could instead have complied by sending an email, a physical letter, a messenger physically knocking on a customer's door etc., a flier hung on the doorknob, etc.
That's still misleading, at best, for CenturyLink to claim that the law "requires them" to do it this way. There are easier methods to provide the notice (email or with a bill), and there's nothing that could even be contsrued as encouraging them to do this DNS hijacking in the text you provided.
I don't really see this as an example of a "disconnect." It's simply the difference between talking about a law informally, and the actual formal implementation of the law.
The intent of the law is clear: customers should be notified that this content exists. The implementation language reflects that. CenturyLink is simply covering its ass: many people don't use ISP-provided email addresses, so if that's all they did they would be open to criticism that they are not actually trying to achieve effective notice.
Politicians don't actually write laws, they have legislative assistants (that work for the body itself usually). I think the entire law is stupid, but how is it his fault that CL took the law and notified its customers in the most obnoxious way possible?
Kinda changing topic, what does the law require wrt filtering? So all ISPs are required to provide harmful-to-minor filtering software? Is it pure DNS, HTTP, or based on initial TLS handshake using the domain? So it won't catch stuff on Reddit, right? And must they have their own filter lists or is there one shared across the state? Who are the arbiters determining what is harmful to minors?
I would really love any links to the implementation side of this bill. The text of the bill itself is vague with words like "good faith" and "generally accepted".
I'm sorry, what kind of ethical nonsense is that? "Bad behavior is OK as long as some authority didn't expressly disallow it" ???
CenturyLink is simply a bad actor here. They're acting in an anti-customer and anti-consumer way. Sure, we should have regulations to prevent abuse where appropriate, but you certainly can't blame the government for failing to imagine how they'd behave when faced with (let's be honest here) a bleedingly obvious and common sense notification requirement.
CenturyLink did not go this route because they had to. I'm guessing they get a kickback for each person that signs up for software through them, so they made it as intrusive as possible.
Further, and this is purely conjecture, it is possible their lawyers considered the alternative of email but decided it was too risky for reasons of uncertainty of message delivery/receipt.
I can imagine being an engineer in a room of lawyers and having them ask me how can I ensure that all customers see the message. I would say that's not possible, but there are ways to maximize the likelihood it will be seen.
I agree that the fault lies with the politician, but I would argue that the real issue is that they forced all ISPs to send notice to customers. If a politician wants something communicated, they can fund a public awareness program, not force it on ISPs. That fault doesn't exonerate CentryLink's action.
Haha I think you hit the nail on the head. Maybe this was Centurylink's way of giving a big F U to the politicians making them advertise something they don't want to advertise.
Right, CenturyLink probably could have legally hijacked DNS to send this message without the law too. Tons of laws have leeway for corporations to do shitty things. It doesn't make the corporations blameless.
Agreed, it is CL's fault for choosing the option the choose.
It is the politicians fault for writing a law that was so broad that it allowed CL the potential leeway to be able to choose the awful option they selected.
The issue I see is also that they didn't notify the customer of what the law requires. The law requires they notify the customer that the customer can request content guessed to potentially be somehow harmful to minors be blocked. It doesn't say anything about the customer having to pay to buy software that they then have to operate themselves in order to block such content. The law, at least as far as I read it, puts the entire responsibility for blocking the content on the ISP - not the customer. So what the ISP is doing seems in direct contravention of the law.
Note the difference in language breadth. Bill sponsor: "via email" - text of statute: "by electronic communication".
If the law was written to specify e-mail, then the HN crowd would be all over the lawmaker anyway for specifying an antiquated communication method that not everyone uses.
Since laws last generations, and technologies fall in and out of favor at the drop of a hat, the lawmaker was right in making this non-specific.
Regardless of how the law was written, they didn't HAVE to take all the leeway that was given to them. Just because a company can do something, doesn't mean that they should. Just because it's not illegal, doesn't mean that it's okay. They found an opportunity to get people used to this sort of tactic, and they took advantage of it. Please don't take the blame off of CenturyLink.
When we lived in Carson City, Nevada, I met an attorney who worked for the legislature to draft laws based on whatever idea they came up with. He was supposed to try to keep things Constitutional, decide whether to put in severability clauses, etc. All states and the federal government hire attorneys like this.
So, if there’s a drafting error, it may not technically be the politician’s fault, but it’s not Comcast’s either.
I mean, the notification wouldn't get to anyone who used alternate DNS services, so it doesn't seem like their method is even very effective. (Ignoring how awful it is)
absent any law they would still be free to DNS hijack you and show you an ad. there is no law against that.
this law says you have to notify customers of a thing.
century link then did so in a shady way, then claimed the law REQUIRED them to do it this way, which is not true.
This is such a silly POV. Enforcing too much specifics into law is how you end up with non-nonsensical actions that are done just to comply with a law, like intrusive cookie banners on every single website. This law seems to actually be well written, other than it doesn't seem to specify any penalties for non-compliance, at least from the part of the law shown in the article.
It's clear what the end goal of the law is, and gives several broad, reasonable ways to comply with the law. Century link is the ISP/tech experts here - they are the morons who chose to do DNS hihacking when they could have just as easily sent out an email or added a notice to the bill for the month.
> Enforcing too much specifics into law is how you end up with non-nonsensical actions that are done just to comply with a law, like intrusive cookie banners on every single website.
The cookie banners are probably a bad example: they were made to take advantage of a loophole in the first "cookie law".
I think the intention of the first cookie law was clear as well, it just wasn't clear enough.
Seems unlikely. Almost all of those examples are things you can do without Internet access at all, using phone or snail mail. (The one exception is running an online business, but AFAIK that is not specifically constitutionally protected.)
You can also get Internet access through other means, even if it's less convenient and/or more expensive. There might be a government-sanctioned monopoly on cable, but at least around here, there's also DSL, satellite, cellular data, dial-up, and even third-party fiber. Granted, not every place has all those options, but you'd be hard-pressed to find a place in the US where you can't access at least one.
I find this unique trait of the Internet tiresome at times. I’d prefer not to feel like I have to include a disclaimer on a question comment to avoid coming off hostile.
In the USA, Internet access is a luxury entertainment product. It is not a public utility, as you seem to be thinking of it. I'd argue it absolutely shouldn't be a luxury entertainment product, but our law is carefully constructed to ensure that it remains as such. This actively prevents government considering too deeply the idea that citizens need or should have access.
The original article title is more accurate. Replacing "CenturyLink" with "Utah ISP" as if they're some podunk lil' no-name ISP is misleading.
CenturyLink is a Tier 1 ISP, and 5th largest in the country by customer count. Maybe city folk haven't heard of CenturyLink but they have monopolies over vast swathes of rural copper networks.
They purchased Level(3) who already previously owned Global Crossing, Savvis Video and Genuity, among other acquisitions.
The Level(3) name was much more memorable in the carrier/enterprise/ISP field and it feels like they are starting from scratch on brand recognition, because as you said, lots of people haven't heard of Centurylink before.
Edit: And as noted by the thread "CenturyLink is totally shady.", Centurylink's retail consumer reputation is quite tarnished (as are most large consumer ISP companies) and mixing that reputation with Level(3) was a bad decision, IMO.
What? Level3 was huge as a fiber ISP at the enterprise level, but Qwest/CenturyLink has been a huge phone service/ISP in the west since the breakup of Ma Bell. They own the naming rights to the Seahawks's stadium.
They have huge brand recognition in the West, though you're right, little of it's positive. I remember a cover article in my sleepy mountain town's alt/leftist newspaper titled 'Qworst' when I was growing up.
Full disclosure I work at a shop that switched to CL fiber (e.g. Layer3) per my recommendation on coming on. The service quality/uptime is top-notch but the sales/PM process has left a lot to be desired.
True, I did forget about the Qwest acquisition from Centurylink because that was so long ago (to my memory). I do remember the days when routing problems and outages with Qwest in public forums always led to the 'Qworst' name popping up.
I also work for a shop that I recommended Level(3) DIA fiber/Layer 3 services on about 1.5 years ago. Now that it's CL, not much has changed on service or reliability.
The sales people however are still trying to expand their grasp into our organization so it's always a battle there.
I had CenturyLink service (in Phoenix) for years before I had ever heard of Level(3). I'd be really surprised if Level(3) has more brand recognition among the general public than CenturyLink does.
Yeah that's my bad. I thought saying Utah ISP might highlight that this is currently only a Utah issue and CenturyLink isn't blocking everyone's traffic... I think.
If the title said just Centurylink instead of Utah, people would be complaining of click bait, so I think Utah was the better choice. Using "Centurylink (only in Utah)" or something similar would have been the most ideal from an accuracy POV.
They're into some major metros. While it's theoretically nice to have competition for Comcast, it'd be nice if that competition weren't at least as shady...
I use Xfinity. (It’s my only option for internet.) They would routinely inject crap into unencrypted HTTP webpages, bill notifications, adverts for antivirus, stuff like that.
In the end I configured my (pfSense) router to forward all data on port 80 (and a small selection of other commonly unencrypted ports) through a VPN to a local VPS. Port 443 HTTPS is still allowed to connect directly.
Makes me feel a lot better. Comcast should be a dumb pipe, not fucking with my data.
I once had an ISP (non-U.S., won't name it here) that injects ads into plain HTTP. Didn't realize it was the ISP until I once accidentally loaded my personal website over plain HTTP.
Turns out to get rid of that, I just had to call them and complain about it; they pretended to be surprised and asked me for details, but after the phone call the injection stopped. Worked for other people too.
I have a municipal fiber connection, but the bandwidth is atrocious and Comcast seems to be much better priced for faster speeds.
What router do you have? Is it just something running OpenWRT, or something fancier? Also, how much do you pay beyond the listed service price (fees, taxes, etc), and can you waive the installation fee?
When I signed up there was no installtion fee, and no problem doing a self-install. But this was years so, so I have no idea if things have changed or not.
Thanks! That machine looks pretty awesome, and it even supports ECC and core boot.
I might have to pick one up and see if I can get more SATA through the mini PCIe and have to be a storage server that also routes traffic. I've been hoping for an ARM chip, but with ECC, this might just win out.
So what happens if a CenturyLink customer is not using their DNS, and using for example Google's DNS. They will suddenly have their internet disabled and will never see this page, where they have to click "OK" to reconnect their internet.
It'll work just fine with DNSSEC for the overwhelming majority of sites on the Internet, since virtually none of them are signed and DNSSEC doesn't actually encrypt traffic.
Encrypted DNS, though, like DoH or DNS-over-TLS or DNSCrypt, stops this cold.
It wasn't the case for me, however I'm not exactly sure how they've implemented this DNS hijacking and if I was just an exception or the rule. Other people using custom DNS seemed to have a similar experience from what I read on reddit though.
You could argue that they are failing to notify customers who do not use their DNS, and aren't complying with the law. Email or a notice on their invoice would not have had that problem.
It's sad that even ISPs seem to think that WWW = the internet these days. If I were traveling and I couldn't VPN into my home network because of this, I'd be really pissed.
This happened to my brother-in-law. He asked for help when his router wasn't "working". Since I'm pretty computer savvy, I agreed to come and "fix" it. Little did I know that it was this BS. I got to that notice and then finally the internet started working again.
This is a small reason why NET neutrality is important. Total BS. I'll never use CenturyLink. I've thought about it in the past, but after this, H no.
In order to reach the Internet, you have to agree to the hotel's terms of service. The page to accept the terms of service is presented by redirecting any HTTP request from an unauthorized device. But (!) the redirect page was resolved by DNS, and DNS traffic to the Internet is also blocked. Only the local DNS resolver is accessible.
The instant any machine that specifies a specific DNS resolver tries to connect, the attempted redirect fails silently. In order to get things working, you have to clear your DNS settings to use the DHCP-specified DNS resolver, click the "accept" button on the redirect page, and then re-enter your previous DNS settings.
I wasn't so much angry that this was happening, than angry that they did such a ham-handed, botched job of it. If you're going to block outside DNS, you have to redirect to an IP address rather than a DNS-resolved address.
I'm not going to defend CenturyLink, but in the interest of attributing this mistake to incompetence rather than malice, I'd like to suggest how this might have happened. CenturyLink is a multi-state ISP and their generic system has limited ability to support state-specific policies. They have a well-developed system for creating state-specific packet processing rules, but they don't have a well-developed way to notify all customers in a state.
Therefore, when Utah surprised CenturyLink with a new law, they didn't have a way to comply with the law quickly except by changing their packet processing rules. This was the ugly result.
CenturyLink should obviously have some way to add state-specific notifications to customers' bills. I hope they learn that lesson from this ridiculous event.
Would it be too difficult to select all service addresses where state is equal to "UT" and then send a bulk rate piece of paper to each of them with these same words?
On my CenturyLink bill in Washington State, I get state- and city-specific notices every month, but even if that's not easily changed, a piece of paper in the mail would have sufficed quite nicely with no packet blocking required at all.
> CenturyLink should obviously have some way to add state-specific notifications to customers' bills.
If only there was some relevant piece of data, already required to ensure the bill reaches it's destination, that could help them determine which customers are in which states.
They know billing addresses, and service addresses. They just didn't care.
The customer might not even see it without compatible software, or if using a different port number or protocol, or if not using DNS to access something, or using a different DNS. Or if you are using a web browser but with customized settings that make it incompatible.
Same with many hotels. If you are not even using HTTP(S), or DNS, then it won't work, and even if you are using HTTP but not with a web browser program, it won't work (there is a HTTP response code (511) defined for this purpose at least), using nonstandard port numbers, etc.
For terms of service requirements, one possibility to avoid these problem is to make the printed terms of service document with the wi-fi password mentioned in that document.
This happened to my brother-in-law. They told me that their internet went down and that they need help. Since I'm good with computers, I came over to "fix"
I don’t think CenturyLink thought through the implications of what they just pulled. I know that there are a significant number of people that use VoIP services like Vonage.
Imagine waking up in the middle of the night with a need to call 911, but your ISP purposely broke your internet just to sell you a “security offering.”
The comments here interesting but nuts for foreigners. I’m so used to a slight mention of an ombudsman being a 15 second turnaround to almost anything I ask for happening with ISPs / telcos. I worry about buying anything in the USA with such scant consumer protection.
Century link is my only option for internet here in rural Utah at a max speed of 3Mbs per second. Luckily our municipal network is going up soon with max speeds of 10GBs per second. I'm very excited.
Well this sucks. I have CenturyLink for residential gigabit fiber. Honestly, they've been a fantastic ISP for me. I also haven't received the notice and I'm one of those "SOL" customers that uses non-CenturyLink DNS. We'll see what happens. I'd be surprised if they didn't stop this immediately as soon as it blew up.
I have been noticing comments from people in my area on social media over the last month with the recurring theme "Is anyone else's CenturyLink down?" This must have been it.
Always on VPN on all your devices is pretty much a must today. Added benefit when using commercial VPNs is hiding your IP address, a key feature for tracking you by Adtech industry.
Finding good VPN provider is tricky though. Definitely avoid free ones. Look for ones providing configuration for native VPN clients, like profile.mobileconfig file for the native iOS / MacOS IKEv2 client. Using native (OS supplied) clients lets you avoid installing third party VPN apps.
"that the consumer may request material harmful to minors be blocked under Subsection (1)(a)" absolutely unequivocally does NOT translate to "inform the customer that they can pay for filtering themselves". The law really clearly puts the burden on the ISP to perform the filtering, and requires the ISP to inform the customer that they can request the filtering be turned on - not that the customer can purchase some product that does filtering.
Senior network engineer for an mid sized ISP here: These people should be ashamed of themselves. I honestly don't care even the tiniest bit about whatever sort of excuses or justification they put up.
It should not be necessary for a consumer end user (whether residential or business) of an ISP in the US or Canada to treat their ISP as hostile, and develop workarounds like VPN tunneling their traffic, such as I would do if I found myself using an ISP in Turkey for a month.
This bullshit of injecting content into pages has been tried before, a long time ago by Comcast. I really don't see the point to it in an era of LetsEncrypt and nearly everything worthwhile moving to TLS1.2 or better end-to-end.
Also you absolutely should not mess with DNS returns from your client-facing recursive resolvers. Various ISPs have tried things like redirecting nonexist results to pages laden with "suggestions" and "advertising".
My ISP (Time Warner/Charter/Spectrum) DNS hijacked bing.com [0] and non-existent domains for their own "search page" [1]. Since then I've been sure to always configure my own DNS in my router. (Used Google's 8s for a while, now on Cloudflare's 1s.)
It's unfortunate that I have to treat my ISP as hostile, but they are the only high speed provider to my address. I sadly can't even assume that there is anyone in management there that feels ashamed at their hostile practices. It's just "good business" to squeeze free ad dollars from your users as you take advantage of your monopoly position to keep prices as high as the market will bear while doing so.
[0] Even if I didn't prefer Bing, hijacking any of the major search engines just because it might be an "accidental default" and "no one would notice" is just wrong on so many levels.
[1] Scare quotes because it was 90% terrible ads and 10% barely legible search results from who knows what API.
I hate how the conversation goes when I ask them why they are adding fees to my bills that don't make any sense. (I intentionally own all my own equipment, why would I ever have an "equipment return fee" show up other than them trying to screw me over and see if I notice?) I complained to some friends that are very low on the totem pole and they agreed with me that DNS hijacking is extremely wrong but had zero power to do anything.
We need strong Regulatory Commissions to hold these sorts of Monopolists accountable, and right now the political climate in states like mine remains that "Regulations are Bad" and "Profit/Greed are Good".
I tried calling Earthlink about this once, back toward the beginning of the DNS hijacking craze. He didn't seem too familiar with it, and eventually matched it up in his script to something about redirecting web pages on typos. I tried to explain that I don't want to talk about the web, I want to talk about problems with their broken DNS servers, but it didn't really work.
Annoying and pointless conversation. I just cancelled.
I keep telling myself that one day when some company run this way does me wrong enough, I'm going to go score a pile of Adderall, some cell phones and a pack of Depends and patiently battle/harass my way through the entire scripted management hierarchy until the CEO himself gets on the phone, personally apologizes for the mishap and invites me to his birthday party.
Beyond a certain size of ISP (several tens of thousands of customers or more), there is literally no point in wasting your time or the phone representative's time. They'll have no clue what you're talking about and little or no power to escalate you to the people responsible for their internal network engineering decisions.
The right way, probably, is to educate folks, and nitpick w/ the sales guys. And call them out on the service's non-features, and/or if they lie. Once you're a customer, the support folks don't care, but the Sales folks are thirsty to close the sale.
Let’s not forget to include Belkin among the companies that have attempted variations of this. In this case, it was their wireless router which would grab a random out-going request and serve up advertisements instead. Imagine being in the middle of buying plane tickets and suddenly finding yourself at a random advertisement.
"It should not be necessary for a consumer end user (whether residential or business) of an ISP in the US or Canada to treat their ISP as hostile"
It should not be, I agree, but the sad fact is that if the ISP is one of the heavy-hitters, then you absolutely have to treat them as a hostile force to be defended against and worked around. Because they are.
Unfortunately enough ISPs have abused their position that treating them as hostile is where we're going.
VPNs are a stopgap. The future is end-to-end encrypted protocols like QUIC that obscure even connection state information and prevent anything from being modified in transit at all, DNS over HTTPS, etc. Everything has to be encrypted and authenticated end-to-end.
Yes, men in the middle cannot be trusted. Especially ISPs. Most mean well but are incompetent. Some don't mean well and are incompetent. ISPs that mean well and actually know what they are doing are relatively rare.
If you have a device with wifi, most of the time you are on untrusted networks. So, it makes no sense whatsoever to default to some random isp's DNS just because the wifi you are on is suggesting that you use it.
Yes, I agree. If the global internet community is developing software to deal with threat models that deal with a worst case scenario (the government of Uzbekistan ordering ISPs to randomly block things), the Chinese great firewall, and so forth, we absolutely need technology like encrypted SNI in TLS1.3 and similar.
If we develop software with end-to-end crypto to deal with repressive-regime threat models, its crypto should also be inherently sufficient to deal with more normal traffic interception and modification attempts.
A lot of non democratic regimes in places outside of North America take a very blunt approach, of having government agencies order all of their domestic ISPs to simply null route huge chunks of the Internet (like, entire ipv6 /16s belonging to Azure and AWS) in order to ban politically objectionable sites. Or to order all ISPs to be singlehomed to, and downstream of the government state run telecom. There is one ASN in Iran which is allowed to have international IP transit connectivity to other non-Iranian ASes, for instance.
> Everything has to be encrypted and authenticated end-to-end.
This isn't really enough. Even with QUIC / TLS your ISP can still know what endpoint you're connecting to, which may in itself be too bad. This is the problem VPNs are solving (or at least moving the trust). There's also the touted alternative of conglomerate everything onto Cloudflare and have encrypted SNI.
If your ISP is doing netflow analysis and DPI on your connection (like the Chinese GFW), with malicious intent specifically aimed at you, you're pretty much screwed anyhow. If they decide to start blocking traffic to VPN endpoints and such. This can be seen if you try running a non-obfuscated openvpn link into and out of China.
Without malicious intent, ISPs are already doing this, both to sell aggregated traffic data and to shit all over their network.
On Sprint and ATT Mobility I cannot maintain many TCP connections for long durations - websockets will be killed after a while and require reconnection, long-connected TCP games will drop after a few minutes, quite a handful of HTTPS/TLS sites do not load and immediately hardfail with a TLS protocol error or connection reset, traffic appears modified and periodically injected, DNS is hijacked, images' hash values do not match the server side on plaintext connections, NXDOMAIN DNS values are hijacked, traffic crossing any port will be tampered with as long as it looks like HTTP/1.x, etc.
Excluding steganography, an eavesdropper will know if they're unable to understand your communications. What's important is that what they can glean isn't enough for them to be specifically motivated or able to harm you.
Being seen to be using a VPN only labels you as a VPN user. In China, the authorities dislike individual VPN use, and attempt to curb it with technical measures, but for the most part, they don't go around imprisoning people only for VPN use, because there isn't much expected gain to be had from the average VPN user.
The new thing with the GFW in the last 3-4 years is to identify VPN-resembling traffic from DPI, using a fully automated/scripted system, and then over a period of several hours/days, the GFW causes incredibly high packet loss for all traffic to/from the non-china endpoint, eventually culminating in a nullroute of all traffic.
Unfortunately even QUIC and DNS over HTTPS can't save us from the ISPs (and Enterprise ITs) that think TLS/SSL proxies are a good idea, and especially sadly things like QUIC and DNS over HTTPS may push more ISPs towards that line of thinking.
That would still require a custom cert installed on the end user device, which may not be feasible in the case of some iot devices and generally a pain for most users in general, especially as more websites pin their certificates.
Just because it is handled automatically by "group policy" doesn't mean that users don't feel day-to-day pains from it. It just means it is more likely that don't understand where their pain is coming from. ("If I pull up google.com in Chrome or IE it works, but why can't I use Firefox?" "Because we don't support it here." [Because group policy deploying CA certificates to it is harder and it has stricter CA requirements, such as no self-signed certs.]) Enterprise IT can sweep some of that under the rug by controlling which software is allowable to be installed at all, but there's always going to be edge cases in a TLS Interception environment to cause users papercuts, at the very least.
To answer your direct question: So far pinning in browsers is still just TOFU [Trust on First Use], I think? So pinning alone still works with TLS Interception so long as it is intercepted on Day One.
The Chrome security team has been threatening for a couple versions now that certain pinned lists, including (but not limited to) Google's own sites, would be baked into the browser in such a way that no one should be able to disable them.
I wish they have the gumption to pull that off. With Chrome being the current darling browser of a lot of the same IT groups using TLS Interception, that might actually send a clear message that TLS Interception is a bad idea. Unfortunately, it might just be received as "Here's Google's list of sites that have to be whitelisted or outright blocked from our Interception Proxies so as not to confuse our users", but that would still be a step in the right direction in so far as end-to-end internet security.
Comcast is still doing content injection, for a similar reason. If you go over your monthly quota, they inject a pop-window into HTTP sites to inform you.
Every other business manages to inform customers by e-mail or text message or phone call, but ISPs have these additional options by virtue of the product they provide and they just can't seem to help themselves (at least for the large shitty ones, which they all become eventually).
1. The actions in the article don't seem possible. Google search is forcibly https, using HSTS. In Chrome and Clank (android), maybe others, google is additionally cert-pinned. It is not possible, through DNS or any other trick, to get forcibly navigated away from the google search page or to have content injected. He says he "turned to a google search on his phone" but he must have done something else before actually searching google, to get the injected notice. I feel this is an important point.
2. This doesn't meet the requirements of the law. The person using the internet, especially at some arbitrary moment, is not likely the subscriber. The law is that the consumer must be notified, with consumer explicitly defined as the subscriber. Email to the address on record, or an insert in a mailed invoice, or a special mailing, seem the only reasonable ways to meet the requirements of the law.
For any other Utah residents in areas that aren't served by cable, check out Utah Broadband. They've been fantastic for us, serving up 60Mbps over line-of-sight fixed wireless. Also their customer service rocks.
I don't know if they do this (I no longer have them), but Comcast used to do this for DMCA notices. They'd inject an iframe with the message into the websites you were viewing.
> I would switch ISPs but I have no other options where I live. Hopefully making this issue more public will help CenturyLink make better decisions,
Seriously? I won't trust such ISP to send/receive even one bit of information if I were him. Even if they changed their mind because of this, Don't trust them until all the boards resigned, all the employees implemented this be fired, lost the massive lawsuit from all the customers, and then, after acquired by other sane ISP.
This is an example of why the FCC needs to regulate ISPs and enforce net neutrality. CenturyLink needs to be fined $$$ per incident for stunts like this. Their shareholders need to feel the pain.
Wow this is a new low. Can someone say is CenturyLink a monopoly is most of the state? Can these customers vote with their wallet and go elsewhere for Internet? I really hope.
Really depends on the city and area. In some places, there is a plethora of options. But I currently cant vote with my wallet. They are the only provider in my neighborhood.
Canned soup is inherently inferior to homemade, but it only takes 2 minutes to heat up, travels well, lasts a long time, and can be bought almost anywhere for cheap.
If it can achieve 1 Gbit/s as advertised and scale to enough customers? It just might.
But I'm going to be interested to hear the first real customer's experiences. For example what is the latency they're seeing? Weather outages? How well does it handle peak hours?
Don't misunderstand, the current ISP competition in much of the US is super toxic, and I don't support it. But 5G promises a whole lot, and I cannot ignore the technical side of why it may fall short.
Why is this so surprising? You pay for your internet from this service provider and this is the trust you're putting in this private company. All your communication that goes down this channel is subject to their rules, and unless you encyrpt it they can do what they like.
I think these kind of crappy implementations just surface a bigger problem underneath. If you don't choose your own DNS servers, if you don't have proper DNS security, https by default everywhere etc. etc. you don't have a secure connection.
Your reasoning would be fine, were it not for the fact that an ISP's mere existence in an area, no matter how crappy, generally satisfies FCC's mandate to promote/fund broadband penetration. So, Crappy-ISP, LLC existing and being able to pencil-whip FCC filings about minimum speed expectations across its coverage area means the FCC will make no effort to provide funds for Less-Crappy-ISP, LLC or Moderately-Crappy-ISP, LLC to come in and fill gaps.
Fast forward to yesterday and we had a modem in the mail a $200+ bill for our landline that should be <$60. She called and the guy on the other end was very helpful (surprisingly). He went through the bill line-by-line and almost every time said something to the extent of, "Why is that here?" "I'm going to have to talk to {previous sales lady who 'upgraded' us}". Some of the items he didn't even know what they were and couldn't remove them, so he instead gave us a permanent $10/mo discount or whatever it was billing.
About the modem, he said, "You can keep it or mail it back. I can make a note on our software that you didn't want it and it shouldn't bill you for it. However, I recommend you mail it back because sometimes that note will disappear from our software and start charging you again".
Wait... what!? Did he just acknowledge what some of us has suspected all along? That their software has intentional "bugs" that don't remember to stop billing someone for something?
The whole thing feels like a scam to me. I don't trust them at all. This isn't the first time and won't be the last either.
The reason we haven't canceled? No other traditional landline offerings in our area. Everything is VOIP or Cell. My wife wants something independent for emergencies. She's starting to question the value of it all though.