State owned telecom operator BSNL has been injecting banner ads and other service related messages on web browsers within its broadband network. It has followed in the footsteps of the other state owned telecom operator: MTNL, which was found to be inserting code into what users were browsing in June last year.

Ads are injected by BSNL, just as they were by MTNL, in the browser through a javascript code. BSNL appears to be pushing these ads via a private ad network named Abeer Media, according to users on github and broadband forum, although the company hasn’t revealed this data in response to an RTI. Ads are visible across all websites, and we found them popping up while browsing TechCrunch, Naukri.com, MediaNama, The Indian Express,etc.

Privacy Issue: An injected javascript code can also be modified to track and store user data as noted by Thejesh GN when Airtel was found to be injecting Javascript into its user’s browsing session without seeking user consent. At that time Airtel said: “This is a standard solution deployed by telcos globally to help their customers keep track of their data usage in terms of megabytes used.”

One user from broadband forum (link) has submitted a screenshot showing a Snapdeal pop-up ad:

BSNL-pop-upads

 

Another user claims to have traced the Snapdeal ad’s IP address source to BSNL :

BSNL-ads-portal-23

We tried accessing multiple PCs with a BSNL broadband connection; the ads happen to appear on news sites regularly in three test PCs. At times, these ads are repetitive as it appeared multiple times on news websites. Take a look at the screenshots attached below:

BSNL ads-2

BSNL ads

BSNL refuses to provide info on injected ads

Sushubh Mittal wrote to Public Information Officer of BSNL through an RTI application (pdf), asking for the information on the technology used in the ads, provider of the technology, and revenues accumulated through this ad network. (Source: Github)

BSNL rejected all of these points by invoking Section 8(d) of the RTI Act which states that, “information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information”

Mittal notes that these injected ads do not appear on websites using HTTPS protocol as that would take “some extra steps which would most likely raise red flags everywhere”.

MTNL refuses info on injected ads: In a similar incident in March, MTNL also refused to provide information invoking Section 8(d) of the RTI Act to Sushubh Mittal when he inquired injected ads/service messages on MTNL’s network.

BSNL disabled injected ads upon user request: However, surprisingly Mittal pointed out to us that BSNL had disabled ads for a user who raised the issue on BSNL’s PGPortal, a grievance redressal portal of BSNL. Below is a copy of BSNL’s reply to the complaint, given to us by Mittal. BSNL calls these ads as ‘service messages’ and they are meant for dispersing information regarding BSNL’s service plans, and other products and that it is aimed at “fetching benefits to customers”

BSNL-ads-portal

Airtel found to be injecting scripts to track users

A report from Access Now in August 2015, indicated that in some cases, Indian telecom operator Bharti Airtel was inserting a “tracking header” in the connections of some users. According to the report, these tracking headers can capture data including IMEI, IMSI, and ICCID identities — that include information about who you are and where you are located.

Also Read: Injecting code in browsers only to improve customer experience: Ravi Shankar Prasad

Image Credit: Wikipedia User Aravind Sivaraj under CC BY-SA 3.0