I’m very angry indeed to read about CNN’s cynical, don’t-give-a-damn, slap-in-the-face treatment of customers using its streaming video service. If you’re one of them (as I was, but am no longer), you might want to read this, and spread the word.
According to Windows Secrets:
Many people who watched live streaming video of the inauguration of U.S. President Barack Obama on Jan. 20 may not realize that their PC was used to send the video to other PCs, too.
Clicking “yes” to a CNN.com dialog box installed a peer-to-peer (P2P) application that uses your Internet bandwidth rather than CNN’s to send live video to other viewers.
The P2P application is called Octoshape Grid Delivery and is managed by Octoshape ApS, a company based in Copenhagen, Denmark.
Web surfers who visit CNN.com and select a live video stream for the first time see in their browsers a dialog box … saying, “This site requires the Octoshape Grid Delivery enhancement for Adobe Flash Player.” The dialog box doesn’t appear when playing an ordinary video file, only when starting a live feed. (Feeds labeled LIVE typically appear in the upper-right corner of CNN.com’s home page during business hours.)
According to Octoshape’s end-user license agreement (EULA), what’s installed is a peer-to-peer app that will “deliver parts of the video and audio stream to other end users of the Software.”
Why should you care? Windows Secrets contributing editor Ryan Russell, using a network sniffer, measured Octoshape using upstream bandwidth of 320 kilobits per second on a broadband connection. Dan Ferrell, in a comment on contributing editor Susan Bradley’s blog, reports seeing 600 Kbps of upstream traffic. At first glance, Ferrell adds, the multiple connections to his PC looked on his security alert system like some kind of SQL attack.
The Internet Storm Center, an Internet security organization, reported that traffic on Jan. 20 had jumped to a level thousands of times higher than usual on port 8247, which is used for UDP, the User Datagram Protocol. (See Figure 2.) The center quickly identified the source as legitimate — CNN — but security consultant Raul Siles warned in his report, “It would be easy for an attacker to hide his actions on this port if we simply ignore it.”
In a telephone interview, Octoshape’s P2P nature was confirmed by Mike Wise, group technical advisor for platform R&D at Turner Broadcasting System, the parent of CNN.
Wise emphasized that the news network had selected the most considerate software for the job: “The Octoshape technology uses a congestion control mechanism that’s less aggressive than TCP and most UDP implementations.” As one example of the way Octoshape gives priority to user tasks, he explained, “we chose an implementation that wouldn’t interfere with consumer’s VoIP [Voice over Internet Protocol] applications.”
As a European company, Octoshape’s technology was initially used on the continent to stream live feeds of such high-profile events as the Eurovision Song Contest and the UEFA Cup. “We’re their first big United States customer, as least that I know of,” says Wise.
“We did some limited trials leading up to the election” on Nov. 4, as Wise describes it. The big test came with the Jan. 20 inaugural address. More than 26 million live feeds (including restarts of crashed streams) were served that day by CNN.com, according to a Jan. 25 article and chart in the New York Times. CNN’s nearest rivals served “only” 9.1 million (MSNBC) and 8 million (AP).
The author goes on to list a number of concerns with CNN’s use of other people’s Internet connections in this way:
- Deceptive marketing;
- Cost-shifting to ISPs;
- Costs to end users;
- Ludicrous license terms;
- Company policies on outbound traffic;
- Use of Flash’s install mechanism;
- Security vulnerabilities;
- Corporate revolving doors.
I highly recommend reading the whole article. It’s worth the time and trouble. Kudos to Windows Secrets for publicizing this boondoggle. (Instructions to remove the offending software from your computer are given at the foot of the article, if you’re one of those affected.)
Quite frankly, I find it infuriating that CNN could try to use my Internet connection without a clear and easy-to-understand explanation that it was doing so, or why it wanted to do so, or why it was even necessary. I find this to be deceptive, underhanded and misleading. I can only hope that the FCC or some other regulatory body slams CNN with the heftiest possible penalties for its arrogance and breach of trust.
I also hope that viewers of its Web services will take note of CNN’s contempt for them, and take their business elsewhere. I certainly shall.
Peter
Welcome to the world of sleezy marketing. The even bigger issue is the possible security issues. You have just installed an application sending selected contents from your hard disk to an unvetted other. Oh, and by the way, it didn’t ask to start rooting and sending.
Have a look around for the fiasco Sears caused with their app for tracking user habits; it was an opt-in thing, but it was appallingly invasive, and finding out what it was doing was deliberately made difficult.
Shame on both, neither get any of my business.
Jim
Yes, saw this when I got the newsletter earlier. Appalling arrogance, as you say.
It reminds me of the trouble Sony BMG got into back in 2005 when they began to put what amounted to a rootkit on the computer of anyone who played one of their music CDs, in the name of copy protection. It’s the same kind of arrogance.
As for using the distributed model for sharing content, I can’t get too upset. It’s becoming increasingly common–World of Warcraft, for example, uses Bittorrent (the same idea) for distributing patches. Moving from the traditional one-to-many relationship between server and clients to a distributed, interconnected network makes much more efficient use of limited network resources.
I can’t say that I approve of the lack of notification, but the technical idea is a good one.
As for the rest of their behaviour…hang ’em high.