Bad Hotel Cookies

I’m in Minnesota this week doing some work for Canonical. The hotel I’m staying at outsources their networking, like most hotels do.

I have always maintained that the only people that know less about Internetworking than hotel IT departments are the outsourced firms they use. And the Oak Ridge Hotel and Conference Center is no different.

I don’t know what company the hotel outsources to, but they have made some horrible decisions with regard to guest usability, privacy, and security.

Example 1: You can connect to the wireless network, but you need to visit a page in a JavaScript-capable browser to actually activate your network connection. I have a PlayStation Portable, and use it while on the road to conduct business and personal IP telephony with Skype. The PSP browser does not support JavaScript. So I had to call the ISP to get an exception added for the PSP’s MAC address. The PS3, Xbox, and any other devices (including most handhelds) that do not have JavaScript-capable browsers will have similar issues. And I’m in the 5% of hotel guests that understand the root cause and know how to ask the ISP to engineer around it.

Example 2: This is the killer. The hotel’s website sets a cookie in your browser. This cookie has two effects. First, it repeatedly opens pop-up windows. Repeatedly. Like, several per minute. Here’s an example:

[Image: popup1.png]

Pop-ups are irritating, a harbinger of malware to the technically unsavvy, and very, VERY 1997. Don’t do that.

The second effect is that the cookie places interstitial pages as you browse! I noticed it when I clicked the “Back” button in Firefox and instead of my previous URL I was directed to

http://216.167.216.11/superclick/popup.php?popup=2&url=http%3A%2F%2Fbmneptok.com

After a few seconds, my “Back” request was honored, and the page I expected in the first place was loaded.

Needless to say, I am not amused by hotel ISPs playing traffic cop with my browsing habits. I certainly don’t want a hotel ISP’s cookies monitoring my URL visitation habits. I phoned the ISP, who told me “Yes, we could monitor browsing habits, but we don’t. Trust us.”

OK, how about I pay my room bill when I get home? Trust me, I’ll call you with my credit card number. Since you assume I’ll trust you, I think I’ll make the same assumption.

To their credit, they disabled the cookie for my IP. But thank whatever gods your family worships that I actually noticed. If I hadn’t, I’d be relying on the ISP having no disgruntled or morally deficient employees during my stay.

Look, I’m your customer. I don’t expect CCTV cameras in my room, peepholes in my shower, or invasive browser cookies that monitor my web surfing habits. And I certainly expect IP-capable devices that work at home and with coffee shop access points to work in a premium hotel without the need for a phone call and request for MAC exemption in their routing tables.

Needless to say, I won’t be staying at any Dolce properties any time soon, if I can help it. And I recommend you avoid them, as well. At least until someone can explain this invasion of my privacy to my satisfaction.

Dolce, you listening?

5 thoughts on “Bad Hotel Cookies”

  1. I’m sure you didn’t do any private, non-encrypted browsing on that unsecured wlan, or did you? It’s not only the provider that can read anything you do, anyone who can listen in on your radio signals can do that. There can be no expectation of privacy.

    I suggest you either use a VPN connection to a network you control, or only browse using https (use a proxy you control if your device doesn’t support VPN).

  2. Again, the IP assigned by the hotel does not have the ability to pass packets through the router until you visit a website in a JavaScript-capable browser and get the cookie set.

    VPNs require a valid IP, last I checked. 🙂

  3. I love traveling too but I remember staying in this one hotel that smelled like being downwind of a row of porta-potties, mixed with cigar smoke…it was disgusting! Have you ever had any bad experiences, OMG please share! Gee what difficulty you were having BTW.

    Check out this funny video, called “Ballad of a Traveler”:
    http://www.youtube.com/watch?v=J2tgnUsj8NE

    I work with Hampton Inn, and I’d love to hear your horror stories! What’s the worst experience you’ve ever had at a hotel? (I always get a kick outta this!)

  4. I’m in a hotel and haven’t tried to switch to WiFi because I’m afraid iBahn goes by MAC address, and of course my wired and wireless are different MACs, and I don’t want to have to repay. I’d rather they used a login screen with your room number or something so I could be sure it was safe to switch between wired and wireless.
