Comcast is once again under fire for injecting JavaScript code into websites its customers visit.
Last week, user bham3dman took to the Xfinity forum to complain about Comcast inserting hundreds of lines of code into their browsing session. The code surfaced a pop-up telling them to upgrade to a new modem.
This is far from the first time Comcast has taken heat for secretly injecting code into devices on its network. In 2014, the company got called out for pounding Wi-Fi hotspot users with pop-ups, and the modem-upgrade pop-ups first surfaced early last year. But the company’s response this time around only added fuel to the simmering flames.
“I just learned of this dispicable [sic] Comcast practice today and I am livid,” bham3dman wrote.
Comcast’s solution? The user should have checked their email spam folder.
A Comcast representative—who, it turns out, is Comcast’s vice president of policy and standards, Jason Livingood—confirmed the code injection, pointing bham3dman to a 2011 white paper outlining the practice. Titled “Comcast’s Web Notification System Design,” the document interestingly has a clause specifically saying injecting code is permissible but not for advertisements.
R3.1.12. Advertising Replacement or Insertion Must Not Be Performed Under ANY Circumstances
Additional Background: The system must not be used to replace any advertising provided by a website, or to insert advertising into websites. This therefore includes cases where a web page already has space for advertising, as well as cases where a web page does not have any advertising. This is a critical area of concern for end users, privacy advocates, and other members of the Internet community. Therefore, it must be made abundantly clear that this system will not be used for such purposes.
Livingood, who confirmed to Gizmodo that he responded to bham3dman, insisted to the user that the pop-ups aren’t ads at all. He instead said they were notifications alerting users that their modems were “either end of life (EOL) or that you are about to get a speed upgrade that the model will be unable to deliver.” The specifics of the language are important: Simply notifying users they have a faulty modem isn’t the same as enticing them to upgrade to a new one for no reason. One could be considered a mere notification, while the other would be a forbidden ad.
Motherboard surfaced one of the modem pop-ups when similar complaints came up last year. The message links to Comcast’s My Device page. Clicking through links to a list of modems you can purchase via Amazon. A Comcast spokesperson told Gizmodo that the company also offers customers the option to rent a modem from the company.
On the question of whether this qualifies as an ad or not, bham3dman called bullshit. Livingood said the messages only show up if your modem is dead or dying, but bham3dman said they’d been assured by Comcast’s own support team that their modem was perfectly fine, neither end-of-life nor incapable of handling increased speeds. Further, when bham3dman reached out to customer service supervisors to complain, the user said, most had never heard of the practice of injecting code or, if they were aware, didn’t know how to turn it off.
Incredibly, Livingood suggested it was all bham3dman’s own fault: “The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?”
Creepily invasive code-injections aside, for a telecommunications giant to say, in 2017, that pop-up notifications are unavoidable is absurd. No one can stop the notices? If they’re triggered by ignoring emails, can’t the trigger be disabled? And why send emails in the first place, when the user has been assured they have a fully functioning modem?
Livingood, who declined our request to further comment on the pop-ups, was careful in his replies not to debate whether it’s actually fair to users to send them messages this way, but that’s the real issue here. If this is meant to help customers, it’s as self-serving a way to do it as possible—and it could be dangerous. As Motherboard noted, using these types of pop-ups can train users to be less vigilant about pop-ups, which hackers can use for malicious purposes.