No Marketing, No Service

The ostensibly ‘free’ wifi you often get at pubs, hotels and other locations usually requires some form of sign-up to access the service. These are usually fairly dumb captive portals that ask for name, email address and permission to send you marketing. No great deal – if you don’t like it there are plenty of fictional names that work equally well.

However, one particular hotspot from a well-known brand stuck out the other day. To use their service you must provide your mobile number – “it’s just to confirm your identity,” they say, but the terms and conditions state something else entirely: by signing in you are automatically opted into marketing. If you opt out, you lose your right to use the service.

In other words, receive our junk or no wifi for you.

This is – on the face of things – not that unreasonable. You get something for free, and you receive wifi. Except, it’s not quite free, is it? Personal details; attention. Each has an implicit value: just look at advertising, where space on TV, radio, print and online is usually charged based on attention potential – i.e. how many people might see it.

So, is it really ‘free’? My feeling is not, but it’s hard to draw the line. A captive portal with a simple ‘Go Online’ and a banner ad is equally ‘non-free’ by this equation. Perhaps it’s the combination of giving up a mobile number and receiving marketing? But what’s the value…?

For me, the value of getting the wifi was less than the value of the data and rights I would have to exchange for it. From person to person, this is going to vary. Some might think nothing of it – in fact, given this is the company’s business model, I’d wager most do just that. In any case, the value of the ‘stuff’ we possess (data, privacy, attention) is unlikely to be always zero, and there is a limit to the amount people will give in return for a service or item.

Whatever – I didn’t sign up. Thankfully my mobile had signal and whatever I needed wasn’t that important anyway.

Quick Thinking

I’m currently managing a friend’s WordPress blog while they bugger off on a round-the-world trip. Goodness me they get a lot of spam.

Within a minute or so of turning off Spam Karma (it causes problems with the comment count, apparently) I/he had 15 new comments, all spam. So, without FTP access I quickly put in a hack to the comments page thusly:

<textarea name="quack" id="comments"></textarea>

<script type="text/javascript">

document.getElementById('comments').name = 'comments';

Nice and simple – a bit of Javascript that renames the comments field so it can be submitted correctly (if you fail to run the script, the comment fails). I know there are accessibility issues and all the smartarses who turn off their Javascript are stopped from commenting, but desperate times call for desperate measures. It’s quick & dirty, and for most people (this guy doesn’t get a massive amount of traffic) it works OK.

Anyway, I went to bed last night feeling smug that I’d robbed a load of spammers of their precious links. This morning I took a look: 38 new comments. They’ve already made their way around it.

This suggests one of three things:

  1. The spammers caught the error and changed their behaviour to suit. Doubt it, it’d be easier for them to move onto other blogs.
  2. They execute Javascript (maybe it’s a full-on Firefox session with a plugin script?. Likely, and rather smart!
  3. My code is rubbish and never worked in the first place. Never impossible.

Anyway, kudos to those guys for not being thwarted by a simple script! Now, let’s see what happens when I get Spam Karma re-enabled or I activate Akismet…

Update 22 Sept: Ignore the above. My code is rubbish. If the spammers do a simple POST to the server they will succeed, since I’d never updated the server-side code to match the client. Best bet for this hack would’ve been to rename the field both on the form and in the server code to something unpredictable (‘quack’ is just fine…) and not bother with the Javascript, Spammers would ignorantly continue to assume the field is ‘comments’ and their posts would fail. Thanks Brian and Neil T

A while ago I wrote a blog host service which included a more sophisticated spam filter. It would scramble all the fields client-side, include a couple of hashes and would only accept the comment as-is if all the hashes matched the server’s own records. It stopped blind POSTs and bots that did not use Javascript. It also cleverly spotted genuine users who might not have been able to run the Javascript (since there was a larger platform accessibility was a concern), and used timing information to identify real users (who take their time) versus bots (who tend to write/post immediately or in a regular pattern).

It worked for nearly 2 years without a single automated spam comment getting through (many tens of thousands were stopped; no false positives either). Manual spam got in, but was minimal. Finally the spammers changed their ways and (I guess) began using full browser sessions to post their spam – once they do that you need to start looking at content analysis or other methods.

Why I Might Not Reply

Spam List
Spam sucks. It really does. It affects your blog, your forums, your phone, your Skype account, and your email.
I am using quite aggressive spam filters at the moment (see above; 1476 spam emails today and it’s only 10:50 am). SpamPal is great – it’s unintrusive, uses a variety of methods to capture spam (Thunderbird‘s Bayesian just isn’t enough), and is easy to customise.
Spam filtering, of course, isn’t an exact science and some legitimate emails may well have been caught. If you have sent me an email – particularly if we haven’t spoken before or I’ve forgotten to add you to my whitelist – please try again. I do check the Junk folder but occasionally miss things.