For years ISPs have been using DNS redirection, or redirecting users who visit misspelled or nonexistent domains to ISP run ad-laden search portals. The technology is a significant money maker for ISPs, estimated to bring them at least an additional $5 per user, per month. Recently however, DNS redirection companies like Paxfire have been taking things one step further, injecting themselves in between the traditional user and search engine relationship. Paxfire was recently sued for this practice, using search proxies to sniff user search requests and net search referral fees for both the hardware vendor and ISPs.

The folks behind the network tool Netalyzr at Berkeley have been at the forefront of investigating this new ISP technology for some time, and first described it in detail several months ago. Users in our Earthlink forum and the NANOG mailing list note that Earthlink is one of the most recent ISPs to employ this technology.

"Noticed past day or so that I started getting Captcha request for google searches saying that to many requests are originating from an IP other than my own," says a forum user. "Thought I was a victim of malware, but after troubleshooting noticed that 207.69.188.185 ns1.mindspring.com was returning 64.27.117.179 for www.google.com, www.bing.com & www.ask.com," they note. "It seems that 64.27.117.179 is a squid server which is configured to only proxy requests for major search engines."

While Paxfire insists they don't track this search data, there's no saying what search data ISPs are storing -- since none of them are willing to talk about this new technology. While DNS redirection technology can often be opted out of, ISPs aren't even admitting they're using this new search traffic hijack technology, much less giving users a way out of it.

In addition to privacy concerns, there's also a major annoyance for Earthlink users: in some instances they aren't getting the "real" Google and have to enter CAPTCHA passwords to actually see Google search results. We've confirmed with researchers at Berkeley that switching to alternative DNS providers like Google Public DNS and OpenDNS will stop the search engine traffic interception behavior.

"OpenDNS stops the search engine interception, but it doesn't stop the "helpful" results page when you have an incorrect hostname in a URL," says ICSI's Nicholas Weaver.

ISPs who currently use this technology or have in the past include Cavalier, Cincinnati Bell, Cogent, Frontier, Hughes, IBBS, Insight Broadband, Megapath, Paetec, RCN, Wide Open West, XO Communications, Charter and Iowa Telecom. While muted at the moment, political and legal inquiries about whether these technologies violate privacy and wiretap laws are expected to grow over the next year, with the lawsuit against Paxfire and RCN (and Paxfire's countersuit) playing center stage.

We've contacted Earthlink for comment and will update this post with any additional data received.