Sam Nazarko has written a blog post about how he discovered that Vodafone in Spain is injecting JavaScript into every web page he browses:
I’ve started noticing requests to ’1.2.3.4′. Seeing as most ISPs use this IP internally, I thought I’d check out what’s going on.
No response to ping, and HTTP requests to that page will return a 500 status code. However I noticed this nasty:
<script src="http://1.2.3.4/bmi-int-js/bmi.js" language="javascript"></script>This script is injected in to every HTTP page I request. When I request this web page, the server responds, identifying itself as WebProxy 6.0
(…)
For Vodafone to do this, they must be running a transparent HTTP proxy. This likely infers they are sniffing HTTP traffic for other purposes. It paves the way for deep packet inspection (DPI), much the same way that having a national web filter does. Vodafone can then implement infrastructure that allows the interception and modification of web pages in real time under the guise that this will deliver a better user experience.