An open letter to Perftech, Inc:

I have read on public forums that Rogers Cable in Canada is apparently using your technology to modify (many would say "corrupt") the Google home page:

I found your company's website and read the papers listed on

I could not believe what I was reading. I was stunned. ISPs have done many regrettable things, but this takes ISP misbehavior to a new level. Every one of your "services" brazenly intercepts, examines and modifies (corrupts) traffic addressed to the end user, not to you. And you actually think this is a good idea!

Imagine the US Postal Service opening all your mail (even first class), reading it, removing anything we might find "offensive" (perhaps material from Fedex or UPS), and inserting its own advertising. They're doing us a favor, they say. Sure, they already send separate flyers but they're lost in the flood of junk mail. They're so worried that we might run out of postage stamps that they must put flyers into personal envelopes from Grandma so we'll be sure to notice them.

Wouldn't you be outraged?

This is exactly what you're doing to the Internet. And yes, it is outrageous.

I've been involved with the technical development and deployment of the Internet for over 20 years. I know first hand the vital importance of the Internet end-to-end model. It's the key to the incredible success of the Internet and the rapid innovation and diversity of its applications.

The proper role of an Internet carrier is very well defined: delivering IP packets to their destinations exactly as they were sent. We pay them well for this service. Yet you proudly encourage and assist them to violate and corrupt the Internet in one of the most flagrant, shameless and self-serving ways I have ever seen. And you say this is a valuable service? Perhaps it is to the ISPs who want to shove their unwanted advertising down every user's throat without regard to the consequences. But please don't insult our intelligence by pretending it's for our benefit.

You must think that every HTTP response is displayed in a web browser to a human reader. Have you considered that this is not always the case? Many applications use HTTP for general purpose file transfers. They certainly don't expect an advertisement to be inserted into, say, a software security update.

Please don't tell me that your software is so smart that this can't happen. The proper way to ensure this is to obey the specs and not muck with protocols and data that aren't addressed to you in the first place.

Every function you cynically claim benefits consumers could be provided -- if they really wanted it -- in ways that don't do violence to the Internet model. I have never had any problem getting my ISP's announcements from their website, or communicating with them via email or the telephone.

It's curious that your "Address Bar Sentry" so closely resembles Network Solutions' notorious Site Finder corruption of the Domain Name System (DNS) several years ago. You may have forgotten that it triggered such a firestorm of protest that they were forced to abandon it and return to the service they were contracted to do.

I strongly urge you to abandon this extraordinarily ill-conceived product line and do something that contributes to the Internet instead of corroding it. The first reports of Rogers' apparent use of your product are already triggering what is likely to be (and I hope will be) an enormous backlash from users who are already gravely concerned about Internet neutrality -- or the lack of it.

Naturally, I expect you to summarily dismiss protests like mine. You probably think the carriers can use your methods simply because they can and no one can stop them.

Fortunately, we can do something about it. First, you and your customers will likely become the "poster children" for network neutrality legislation. Second, the more technically oriented among us can deploy a potent defense: encryption. Merely using https (SSL-encrypted HTTP) for as much web traffic as possible will thwart your attempts to scan and modify it. You can expect some high profile calls for just that.

I fully expect that ISPs' increasing use of deep packet inspection to block, interfere with, or otherwise discriminate against applications and protocols they don't like will soon make the IPSEC (IP security) protocols very popular. I was one of IPSEC's original designers and I will certainly do my part to advocate its wider use now.

IPSEC is available, stable and effective. Corporate virtual private networks (VPNs) use it. We specifically designed it so you can't even determine the transport protocol, much less its port numbers, the application protocol or the application data. In tunnel mode, IPSEC protects the number and identities of any other computers that may be using the encrypted link. And, of course, attempts by intermediate nodes to forge traffic are detected and ignored.

When we developed IPSEC, we did not expect that our own service providers would be our adversaries. But here we are.

The Internet protocols were carefully designed to put all the information an ISP needs to route and deliver packets into the IP header. They have no right to look past it unless the packet is addressed to one of the ISP's own servers. IPSEC merely puts some technical teeth into this increasingly violated rule.
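To make the tunnel-mode properties described above concrete (the carrier sees only the outer IP header, and forged or modified packets are rejected), here is an added toy model of ESP tunnel mode in Python. It is not Karn's code and not a real IPsec implementation: the packet layout (outer IP header, SPI, sequence number, encrypted inner packet with trailer, truncated HMAC integrity check value) follows RFC 4303, but AES is replaced by a SHA-256 keystream and the keys and inner packet are hard-coded, constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo keys; a real security association negotiates these with IKE.
ENC_KEY = b"demo-encryption-key-do-not-reuse"
AUTH_KEY = b"demo-authentication-key-not-real"
ICV_LEN = 16  # truncated HMAC-SHA-256, as ESP's HMAC-SHA-256-128 does

def ip_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (checksum left zero; nothing here actually routes it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def keystream(iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256, standing in for ESP's AES. NOT a real cipher."""
    blocks = (hashlib.sha256(ENC_KEY + iv + struct.pack("!I", i)).digest() for i in range(0, length, 32))
    return b"".join(blocks)[:length]

def esp_tunnel_encapsulate(inner: bytes, spi: int, seq: int, gw_src: bytes, gw_dst: bytes) -> bytes:
    """Tunnel mode: the whole inner IP packet becomes ESP payload, encrypted then authenticated."""
    iv = os.urandom(16)
    pad_len = (-(len(inner) + 2)) % 4                    # ESP trailer keeps 4-byte alignment
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IP-in-IP
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(iv, len(plaintext))))
    esp = struct.pack("!II", spi, seq) + iv + ct          # only SPI and sequence stay in the clear
    icv = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ip_header(gw_src, gw_dst, 50, len(esp) + ICV_LEN) + esp + icv   # protocol 50 = ESP

def observer_view(packet: bytes) -> dict:
    """Everything an on-path box can parse without the keys: outer header, SPI, sequence, size."""
    hdr = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": hdr[8], "dst": hdr[9], "proto": hdr[6], "spi": spi, "seq": seq, "length": hdr[2]}

def esp_tunnel_decapsulate(packet: bytes):
    """Receiver checks the ICV before decrypting; a modified or forged packet yields None."""
    esp, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:ICV_LEN], icv):
        return None
    iv, ct = esp[8:24], esp[24:]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(iv, len(ct))))
    pad_len, next_hdr = pt[-2], pt[-1]
    return pt[:-(pad_len + 2)] if next_hdr == 4 else None

def sample_inner_packet() -> bytes:
    """Constructed inner packet: a host behind gateway A talking to a web server on port 80."""
    tcp = struct.pack("!HH", 40000, 80) + b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    return ip_header(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80]), 6, len(tcp)) + tcp
```

Parsing the encapsulated packet with `observer_view` shows protocol 50 and the gateway addresses only; flipping any byte of the ESP body makes `esp_tunnel_decapsulate` return None instead of the inner packet.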

My ISP can still see how much traffic I send and where I'm sending it. If they want to charge me on that basis, so be it. But they have no right to tell me what I can or can't put in my packet payloads. And they certainly have no right to modify them, even if you think they do. This must stop!

It is time to restore the Internet to its original, transparent, end-to-end nature that made it so powerful and flexible. If this does not happen through network neutrality legislation, I can assure you that I will do everything I can to help enforce it by technical means. And I suspect you are about to find out just how many people feel as strongly about it as I do.

Phil Karn, 10 December 2007