December 13th 2018

CenturyLink is blocking its customers' internet while saying Utah legislators told them to

tl;dr
  • CenturyLink is blocking its customers' internet until they confirm they've seen notification for paid security offering
  • Notification is injected into customers' browsing sessions using ethically questionable man-in-the-middle attack
  • CenturyLink claims this is required due to Utah S.B. 134 but bill sponsor says not like this
  • Those using streaming devices (FireTV, Chromecast, etc) or other communications unaffected by the MITM attack don't receive notification to unblock their internet and are effectively SOL

Update: I was contacted by a communications manager at CenturyLink that let me know this method of "block and notify" was only employed for residential customers and wanted me to relay CenturyLink's official position:

The intent of the Utah state legislation is to ensure that Utah internet consumers are aware of content filtering options to protect minors. The statute provides for various options, but the method of notification is to be conspicuous to ensure the message is read. We felt, given the gravity surrounding the protection of this most vulnerable population, the most conspicuous method of notification is a pop-up. CenturyLink did not engage in DNS hijacking and the pop-up message is being used to adhere to state law. -- CenturyLink

Unfortunately CenturyLink's representative would not provide me with further technical details and I'm unable to verify whether or not CenturyLink did in fact use DNS Hijacking for this notification as I was directed to the notice while on my phone. I do know that CenturyLink routinely engages in DNS Hijacking for invalid domain lookups, so using it for a notice would be unsurprising. If anyone has information on how this notice was delivered, please let me know through my contact form. Since I was forcefully redirected to this "pop-up", the best I can assume was that a man-in-the-middle attack was used to inject code into an insecure HTTP request. I'm not sure if that is ethically better or worse than DNS Hijacking, but would definitely still remain error prone considering the ubiquity of HTTPS and VPNs these days.

CenturyLink does not deny that they blocked customers' internet until the notice was acknowledged.

We've all experienced frustration with the internet going down. Now imagine how frustrated you'd be if you found out that your ISP intentionally blocked your internet access for the purpose of advertising their software; and better yet, your ISP claimed that state legislators required them to do it! Well that's exactly what is happening to CenturyLink customers in Utah right now.

A few days ago while watching TV through my FireTV the stream unexpectedly went black. After trying to debug the issue for a bit with no success I went to my computer, which was still connected to my ISP, but was also experiencing a strange lack of internet. Eventually I turned to a Google search on my phone only to be immediately greeted with an official looking notice.

At first glance I was worried that I had somehow been redirected to a malicious website and that this was some kind of phishing attempt... After all, I didn't navigate here. I attempted to do another search but still ended up at this same notice. I considered the idea that maybe my ISP had detected some kind of threat coming from my network and that's why I was seeing this official looking page. Eventually, after reading over the page several times, I clicked "OK" and my internet was back.

Your Internet service has been fully restored ... Thanks for your business. CenturyLink High-Speed Internet

What...? I went to the page CenturyLink referred to in the notice so I could see what was so important that it necessitated blocking me from the internet.

Centurylink @Ease puts the best names in computer security to work for you – industry leaders like Norton for AntiVirus protection and Identity Guard to help protect your identity.

$5 off per month for the first two months!

It was an advertisement for security products! ...and not very good ones...

I went to Twitter to see if I was the only one having this very bizarre experience and it turns out I was not alone. Fellow Utahns were also expressing their discontent with CenturyLink's behavior.

Eventually I stumbled upon a reddit thread, "Any century link customers lose internet until you read the filter message?", and discovered this behavior has been going on for quite some time with users mentioning it had also happened to them in the previous weeks. One of the reddit users specifically pointed out that this was most likely a "ham-fisted" approach by CenturyLink to comply with the provisions in S.B. 134.

(b) (i) A service provider shall, before December 30, 2018, notify in a conspicuous manner all of the service provider's consumers with a Utah residential address that the consumer may request material harmful to minors be blocked under Subsection (1)(a).
(ii) A service provider may provide the notice described in Subsection (2)(b)(i):
 (A) by electronic communication;
 (B) with a consumer's bill; or
 (C) in another conspicuous manner.
Relevant excerpt from Utah S.B. 134

Now I finally realized what was going on. CenturyLink was using the unethical practice of DNS Hijacking to push notifications (or in this case, advertisements) of products to customers and using Utah law as justification. For the lucky customers, they'll only have their internet browsing session interrupted for no reason, acknowledge they saw the ad, and move on. If they're using a streaming device, such as a FireTV or Chromecast, they'll have their video stop and receive no notification. If you're browsing the internet on a device not using CenturyLink's DNS (maybe using GoogleDNS or OpenDNS), your internet will stop working, you'll see no notice, and you'll either waste time debugging the issue (like me) or give up and waste hours talking to CenturyLink support.

Curious if this is really what Utah legislators were intending, I reached out to the listed sponsor of the bill on twitter.

I’m sorry you are having problems. SB134 did not require that — and no other ISP has done that to comply with the law. They were only required to notify customers of options via email or with an invoice.

— Todd Weiler (@gopTODD) December 10, 2018

CenturyLink is much less helpful on twitter, replying to any comments on this shady behavior with what is most likely their contextually unaware automated customer service bots.

Where I go from here, I'm not sure. I would switch ISPs but I have no other options where I live. Hopefully making this issue more public will help CenturyLink make better decisions, but when you consider our administration's successful repeal of net neutrality late last year, we'll probably just need to start accepting this kind of behavior as the new norm.