Bad Hotel Cookies

I’m in Minnesota this week doing some work for Canonical. The hotel I’m staying at outsources their networking, like most hotels do.

I have always maintained that the only people that know less about Internetworking than hotel IT departments are the outsourced firms they use. And the Oak Ridge Hotel and Conference Center is no different.

I don’t know what company the hotel outsources to, but they have made some horrible decisions with regard to guest usability, privacy, and security.

Example 1: You can connect to the wireless network, but you need to visit a page in a JavaScript-capable browser to actually activate your network connection. I have a Playstation Portable, and use it while on the road to conduct business and personal IP telephony with Skype. The PSP browser does not support JavaScript. So I had to call the ISP to get an exception added for the PSP’s MAC address. The PS3, Xbox, and any other devices (including most handhelds) that do not have JavaScript-capable browsers will have similar issues. And I’m in the 5% of hotel guests that understand the root cause and know how to ask the ISP to engineer around it.

Example 2: This is the killer. The hotel’s website sets a cookie in your browser. This cookie has two effects. First, it repeatedly opens pop-up windows. Repeatedly. Like, several per minute. Here’s an example:


Pop-ups are irritating, a harbinger of malware to the technically unsavvy, and very, VERY 1997. Don’t do that.

The second effect is that the cookie places interstitial pages as you browse! I noticed it when I clicked the “Back” button in Firefox and instead of my previous URL I was directed to

After a few seconds, my “Back” request was honored, and the page I expected in the first place was loaded.

Needless to say, I am not amused by hotel ISPs playing traffic cop with my browsing habits. I certainly don’t want a hotel ISP’s cookies monitoring my URL visitation habits. I phoned the ISP, who told me “Yes, we could monitor browsing habits, but we don’t. Trust us.”

OK, how about I pay my room bill when I get home? Trust me, I’ll call you with my credit card number. Since you assume I’ll trust you, I think I’ll make the same assumption.

To their credit, they disabled the cookie for my IP. But thank whatever gods your family worships that I actually noticed. If I hadn’t, I’d be relying on the ISP having no disgruntled or morally deficient employees during my stay.

Look, I’m your customer. I don’t expect CCTV cameras in my room, peepholes in my shower, or invasive browser cookies that monitor my web surfing habits. And I certainly expect IP-capable devices that work at home and with coffee shop access points to work in a premium hotel without the need for a phone call and request for MAC exemption in their routing tables.

Needless to say, I won’t be staying at any Dolce properties any time soon, if I can help it. And I recommend you avoid them, as well. At least until someone can explain this invasion of my privacy to my satisfaction.

Dolce, you listening?