EFF’s headline-making research earlier this year showed that T-Mobile’s Binge On program wasn’t exactly working as advertised. Now, researchers at Northeastern University and the University of Southern California have published a paper confirming EFF’s findings in detail—even revealing a major weakness in the program that would allow T-Mobile customers to trick the system.

Binge On is one of T-Mobile’s zero-rating programs, in which certain types of data—videos, in this case—don’t count toward customers’ data caps. When launching Binge On late last year, T-Mobile loudly proclaimed that it “optimized” data for mobile devices, which certainly sounds like a good thing. Sadly, EFF’s test showed T-Mobile wasn’t being entirely truthful: the “optimization” was actually just throttling, and T-Mobile was also throttling some video it wasn’t zero-rating—which meant that in some cases customers were getting lower quality video and still having to pay for it. Not so good, after all.

The researchers at Northeastern and USC confirmed that Binge On works by throttling video data to 1.5Mbps without doing any sort of optimization. But the researchers went even further, showing how Binge On can result in worse-quality video (especially for mobile devices with high-resolution screens), and explaining how it could also result in decreased battery lifetime (due to the longer download times Binge On causes).

And they didn’t stop there. They actually reverse-engineered the classifier T-Mobile uses to decide whether or not data should be zero-rated. In other words, they figured out exactly what parts of a data stream T-Mobile looks at to decide if a flow of packets should count against a customer’s data cap or not, and which values triggered zero-rating. With that knowledge in hand, they also figured how to subvert the classifier into zero-rating any data—not just video streams.

Super-Technical Digression

There was one technical discrepancy between the researchers’ findings and our findings from back in January. The researchers found that changing the “Content-Type” HTTP header from “video/mp4” to something else prevents T-Mobile from recognizing that a file is actually video, and thus causes Binge On not to throttle or zero-rate the file. Our test, on the other hand, showed that changing the file extension (and thus the Content-Type header) wasn’t sufficient—T-Mobile still recognized the file as video and throttled it.

To figure out the source of the discrepancy, we ran our test again, and also provided a packet log of our test to the researchers. They confirmed our results, and also ran some different tests to explore further what was going on. Together, we realized that both of our results were correct. That’s because in addition to matching against the “Content-Type” header, T-Mobile also scans the first response packet for the string “mp4.” (This string was present in the video file we used for EFF’s tests, since it’s part of the headers of the file itself.) If either match is found, Binge On throttles the stream. Thus, our test with different headers did show throttling, since our file had the string “mp4” in it. And the researchers’ test with different headers didn’t show throttling, because the content payload in their test didn’t include the magic string.

Non-CS Folks Can Start Reading Again

Either way, the fundamental point is that T-Mobile is doing deep-packet inspection to support a brittle zero-rating service that discriminates against edge providers who don’t want to make a private deal with T-Mobile. As a result, Binge On throttles—not optimizes—video regardless of whether or not it’s zero-rated, sometimes resulting in a poorer video streaming experience for T-Mobile customers. We said it back in January, and the researchers at Northeastern and USC have done a great job confirming it and going much, much farther to document it methodically and in rigorous detail.

While T-Mobile has made some positive changes since January (they’ve made it much easier to disable or re-enable Binge On, they’re now allowing edge providers to opt out, and their explanation of how Binge On works is more accurate), Binge On still suffers from two fundamental violations of net neutrality principles. First, it only applies to video, which means other large downloads or types of streaming data don’t get the same zero-rating treatment, thus putting artificial limits on how customers can choose to use their data. And second, it still puts T-Mobile in the position of acting as gatekeeper, forcing video providers to ask T-Mobile’s permission to get zero-rated. That’s an extra barrier that shouldn’t exist.