US Six Strike Policy – A Security Disaster for Users?

By Drew Wilson

Last week, we pointed to a report that the US Copyright Alert System was beginning to roll out this week. Now that it has, we’ve seen how alerts will be sent to users and it’s far worse than we originally thought.

Ars Technica was able to obtain screenshots of what an alert looks like for Comcast users. We originally thought the alerts would be sent to subscribers by e-mail, because that is how DMCA notices are sent out. Instead, they are injected into the user’s web browser session and shown when the user receives a strike. An excerpt from Ars Technica:

Those accused of infringing can file an appeal for $35. (Here’s the CCI’s new video explaining the process and its new promo video.)

[…]

Charlie Douglas, a Comcast spokesperson, also told Ars that the company already sent out a “small number” of alerts despite this being the first day of Comcast’s compliance. Douglas declined to disclose the actual number or why that number was being kept secret.

When Ars asked him to confirm that Six Strikes would not be able to see a potential violation if the user was using a VPN, he responded: “I think you’re right.”

Douglas did provide the language for alerts numbered one, two, four and five. He has not yet responded as to why Comcast is unable to provide the actual language for all six alerts or why he chose these particular ones to share with Ars. Comcast has also not shared any technical details as to how it serves up an in-browser pop-up alert.

The first thing wrong with this is the use of a browser pop-up. Any scam or phishing website can implement a pop-up window; whether it is a lightbox, an interstitial or a simple page doesn’t matter, and at minimum it requires only a little knowledge of plain HTML. Second, it’s only a matter of time before the language of all six strikes on all carriers is revealed. A scam website can then simply copy and paste that language and change the URLs to point to a malicious website.
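As an added illustration that is not part of the original article or of any ISP’s system: the Python check below does mechanically what a cautious reader should do by hand, namely ask whether each link in an alert actually leads to the ISP. The ISP domains and the sample alert links are constructed for the example; the point it makes is that the decision must be made on the parsed hostname, since a copied alert can keep the ISP’s name in the link text while the link itself goes elsewhere.

```python
"""Check whether links in a suspected copyright alert really lead to the ISP.

Added example, not from the original article. The ISP domains and the sample
alert links below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed: hosts the ISP is assumed to legitimately use for alerts.
ISP_DOMAINS = ("comcast.net", "xfinity.com")


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is exactly `domain` or a subdomain of it.

    A plain substring or prefix test is not enough: `comcast.net.evil.example`
    starts with the ISP name but belongs to `evil.example`.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def link_points_to_isp(url: str, isp_domains=ISP_DOMAINS) -> bool:
    """Decide whether an alert link resolves to one of the ISP's domains.

    urlsplit gives the real hostname, so user-info tricks
    (`https://comcast.net@evil.example/`) and ISP names tucked into the
    path are not mistaken for the host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False          # javascript:, data: and friends never count
    host = parts.hostname     # lowercased, user-info and port already stripped
    if not host:
        return False
    return any(host_belongs_to(host, d) for d in isp_domains)


def classify_alert_links(links):
    """Split the links found in an alert into trusted and suspicious ones."""
    trusted, suspicious = [], []
    for url in links:
        (trusted if link_points_to_isp(url) else suspicious).append(url)
    return trusted, suspicious


# Constructed sample: what a copied-and-altered alert might contain.
SAMPLE_LINKS = [
    "https://alerts.comcast.net/review",              # real ISP host
    "https://comcast.net.evil.example/pay-35-dollars", # prefix lookalike
    "https://comcast.net@evil.example/appeal",         # user-info trick
    "https://evil.example/comcast.net/alert",          # ISP name in the path
    "javascript:void(0)",                              # not a web URL at all
]

if __name__ == "__main__":
    ok, bad = classify_alert_links(SAMPLE_LINKS)
    print("trusted:   ", ok)
    print("suspicious:", bad)
```

Only the first sample link survives the check; the other four all carry the ISP’s name somewhere in the string, which is exactly why a visual glance at the link is not enough.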

While an actual alert would come directly from Comcast, all a fraudster has to do is get a user to the right page or to open the right e-mail attachment. At that point, it could be game over for the less knowledgeable user. There are multiple ways this could be accomplished: an infected e-card, an infected e-mail attachment, an infected file from pretty much anywhere, a link in a Facebook post, or even a bad URL clicked on a search engine. In any event, there are almost endless ways for a scammer to get you to click on a fraudulent copyright alert.

In fact, scammers have already used copyright as a means to bilk users out of money. Last year, a virus went around claiming that the FBI had locked down a user’s computer and demanding money to unlock it. The scam was bad enough that the FBI had to post an explanation on its website telling users that this is a scam. From the FBI:

There is a new “drive-by” virus on the Internet, and it often carries a fake message—and fine—purportedly from the FBI.

“We’re getting inundated with complaints,” said Donna Gregory of the Internet Crime Complaint Center (IC3), referring to the virus known as Reveton ransomware, which is designed to extort money from its victims.

[…]

The Reveton virus, used by hackers in conjunction with Citadel malware—a software delivery platform that can disseminate various kinds of computer viruses—first came to the attention of the FBI in 2011. The IC3 issued a warning on its website in May 2012. Since that time, the virus has become more widespread in the United States and internationally. Some variants of Reveton can even turn on computer webcams and display the victim’s picture on the frozen screen.

In a few variations, the scam says that the FBI detected copyright infringement on the user’s computer and that paying the fine would unlock the computer and make the problem go away. That scam is not far removed from the kind of scam that could arise from the Copyright Alert System (CAS) alerts.

Because the CAS allows users to pay a fee to try to clear their name, there is now an expectation that money could be involved in an alert. That makes it harder for the average Internet user to distinguish between a fraudulent alert window and a real one sent by the ISP.

Pre-emptively, for when a scam hijacking the CAS starts making the rounds to bilk users out of their money: if you receive an alert, especially when you are unsure whether it’s real, contact your ISP using a method other than that alert window. A good way is to call your ISP. There should be a phone number on your last bill, so you know it’s an authentic way to reach them and verify that the alert you received is real.

In the meantime, if users’ safety had been taken into consideration at all, this idea of using a pop-up window should have been dismissed at the drawing board. The ISPs were involved in creating this system in the first place, and they should have known better; you’d think they would have someone with Internet security experience on staff.

There are two possible reasons such a bad idea was implemented. The first is that the ISPs genuinely failed to take security into consideration when deciding how to deliver a copyright alert, a case of pure incompetence. The other is that the ISPs knowingly implemented such a poorly designed system in an effort to deliberately sabotage it, so that it would ultimately be dismantled because implementation proved impossible.

In any event, we don’t see how all parties involved in creating and implementing the system wouldn’t be legally liable sooner or later. The fact that they are using pop-ups in a browser session basically means the ISPs have gift-wrapped their entire user base and shipped it to the wolves. Never mind all of the other fundamentally flawed aspects of the alert system, such as false accusations and a guilty-until-proven-innocent process. It’s only a matter of time before this policy becomes a critical liability for everyone in the US.

Drew Wilson on Twitter: @icecube85

8 thoughts on “US Six Strike Policy – A Security Disaster for Users?”

  1. I wonder how many of those alerts got sent to people on their neighbour’s router.

    I think someone needs to sit every US politician down and lecture them on how the internet works and why this dumb system won’t.

  2. @Linda – sounds like it modifies the web site to show the popup as part of the page, so a popup blocker won’t change things.

    Seems a few ISPs have been doing this kind of thing already. I read a report on new options to increase page security, with people who’d tried it finding that modifications made to their pages by people’s ISPs were triggering the security mechanisms and causing problems to end users, who of course blame the original company owning the web site and not their ISP.

    – Richard
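The comment above does not name the “page security” option involved. One mechanism that behaves exactly as described is Content-Security-Policy (CSP): a site that ships a `script-src` policy with nonces or hashes causes the browser to refuse any inline script that an in-path party, such as an ISP injecting an alert, splices into the page. The Python below is an added example from the editor, not from the commenter or the article, and assumes CSP is the mechanism meant; the policies and script snippets are constructed. It evaluates the CSP rules that decide whether an inline `<script>` runs, and shows that the same injected script is blocked under a nonce or hash policy but silently allowed under a legacy `'unsafe-inline'` one.

```python
"""Decide whether a Content-Security-Policy would block an inline script.

Added example, not from the commenter or the article. It assumes the
"page security" mechanism in the comment was CSP; policies and scripts
below are constructed.
"""
import base64
import hashlib


def parse_csp(header: str) -> dict:
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.

    Directive names are lowercased; when a directive is repeated, the
    first occurrence wins, as browsers do.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_sha256(body: str) -> str:
    """The 'sha256-...' source expression for an inline script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_script_allowed(header: str, body: str, nonce=None) -> bool:
    """Apply the CSP rules that matter for an inline <script> element.

    - No script-src and no default-src: nothing restricts scripts.
    - A matching 'nonce-...' source allows the script.
    - A matching 'sha256-...' hash of the script text allows it.
    - 'unsafe-inline' allows it only when the policy carries no nonce or
      hash sources at all (CSP Level 2+ ignores it otherwise).
    - Anything else, including an empty source list, is blocked.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    quoted = [s.strip("'") for s in sources if s.startswith("'")]
    nonces = {s[len("nonce-"):] for s in quoted if s.startswith("nonce-")}
    hashes = {s for s in quoted if s.startswith("sha256-")}
    if nonce is not None and nonce in nonces:
        return True
    if csp_sha256(body) in hashes:
        return True
    return "unsafe-inline" in quoted and not nonces and not hashes


def policy_reports(header: str) -> bool:
    """True if violations would be reported back to the site operator."""
    policy = parse_csp(header)
    return "report-uri" in policy or "report-to" in policy


# Constructed sample policies and scripts.
SITE_SCRIPT = "renderPage();"                      # the site's own inline script
SITE_NONCE = "d3adb33f"
INJECTED_SCRIPT = "showAlert('copyright alert');"  # spliced in by an intermediary

NONCE_POLICY = (f"default-src 'self'; script-src 'self' 'nonce-{SITE_NONCE}'; "
                "report-uri /csp-report")
HASH_POLICY = f"script-src 'self' '{csp_sha256(SITE_SCRIPT)}'"
LEGACY_POLICY = "script-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for name, policy in [("nonce", NONCE_POLICY), ("hash", HASH_POLICY),
                         ("legacy", LEGACY_POLICY)]:
        own = inline_script_allowed(policy, SITE_SCRIPT, nonce=SITE_NONCE)
        injected = inline_script_allowed(policy, INJECTED_SCRIPT)
        print(f"{name:6s} site script: {own}  injected script: {injected}")
```

Under the nonce and hash policies the site’s own script runs and the injected one is blocked, and because the nonce policy also names a `report-uri`, the site operator gets a violation report pointing at content they never served. That matches the commenter’s observation: the visible breakage lands on the site owner, not on the ISP that modified the page.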
