My ISP responded to the request with another user’s content, is that permissible? And if not, how can I prove it

ispprivacy

Over the past 3 months, I've had two instances when I visited stackoverflow.com only to discover myself logged in as a completely different user. This seems to have happened to others as well. In that question, the answerer writes:

your ISP illegaly responded to your request(s) with content it had previously requested on behalf of a different user

And indeed, that user is sharing the same ISP with me. There's no doubt there's some very serious privacy issue here – specifically, I was able to access that user's account page and see his personal details (such as e-mail), and if it happens one way, I wouldn't be surprised if that user is occasionally logged-in as me and can see my personal details.

That answer, however, writes that my ISP is doing something illegal. Is my ISP actually doing something wrong here, or is such "overzealous" caching permissible under whatever protocols govern this? Is it ultimately the website's (stackoverflow's) fault for not supporting encryption (https) for displaying sensitive pages with sensitive user information?

And if my ISP is indeed in the wrong here, is there any way I can produce some sort of incriminating report next time it happens, so I will have something concrete to send them to complain, or send the press if they ignore me? I should note that during the two times it had happened, subsequent requests did not always fix the situation, the "returning bad page" thing seemed to have lasted a few minutes.

Best Answer

  • That answer, however, writes that my ISP is doing something illegal.

    The answer uses "illegal" to mean "wrong" - they don't imply that in any particular location the government enforces Internet Protocol requirements as part of criminal law.

    Is my ISP actually doing something wrong here,

    Yes, they are probably deliberately ignoring Internet standards (RFCs) in order to conserve bandwidth, reduce their costs and increase shareholder profits at the expense of their customers.

    or is such "overzealous" caching permissible under whatever protocols govern this?

    No, the RFCs use (and define) words like "MUST" for this sort of thing.

    It is possible for this sort of experience to be caused by server-end bugs but I would be very surprised if Superuser had made a negligent error of this sort. Like many websites, Superuser login status is very likely based on session-cookies, not simply on client IP-addresses (that would imply a level of stupidity at Superuser which I strongly believe is simply not credible)