Update: Free Software Movement Karnataka (FSMK) has said that this incident has brought to the front three important dangers that Indian mobile subscribers and Internet users face today:
a. Blatant violation of the net neutrality principle
b. Unabashed breach of consumer’s privacy
c. Threat of unregulated mass surveillance by foreign technology companies
With regard to Airtel’s role in this, FSMK said that:
We do not believe Airtel can devolve itself from this issue as its Israeli vendor, Flash Network Ltd., has clearly mentioned in its letter to Thejesh, that the code to be injected into subscribers’ browsers was created and owned by Airtel. We do not agree with Airtel’s excuse that the said program is only to keep track of the user’s data usage. We doubt if it’s even the right technical solution for that problem. We demand Airtel and all other telecom companies to disclose to its current and potential users all such practices that might affect their data privacy. We are deeply concerned about interception and modification of content by ISPs, thus violating Net Neutrality in more than one way.
Earlier (June 9): Airtel has said that it had nothing to do with the cease & desist notice received by infoactivist and programmer Thejesh GN from Israel-based Flash Networks. An Airtel spokesperson told MediaNama that:
We are surprised at the Cease & Desist notice served by Flash Networks to Thejesh GN, and categorically state that we have no relation, whatsoever, with the notice.
As for the allegation that Airtel had been surreptitiously injecting JavaScript into its users’ browsing sessions, in a bid to acquire users’ personal and browsing data, Airtel said that:
This is a standard solution deployed by telcos globally to help their customers keep track of their data usage in terms of megabytes used. It is therefore meant to improve customer experience and empower them to manage their usage. One of our network vendor partners has piloted this solution through a third party to help customers understand their data consumption in terms of volume of data used. As a responsible corporate, we have the highest regard for customer privacy and we follow a policy of zero tolerance with regard to the confidentiality of customer data.
Based on Airtel’s statement, we’ve written back to them with a few questions, and will update once we hear back. The questions are:
1. Since you’ve mentioned this is a standard practice, please indicate which other telecom companies deploy similar solutions?
2. Please identify what security measures Airtel has in place to ensure the script inserted in users’ browsing sessions is not used to spy on them.
3. Please provide documents to indicate what measures you have put in place to ensure that Airtel employees and vendors don’t misuse the data collected.
4. What kind of consumer consent have you taken, before allowing a vendor to track data usage patterns of customers?
5. Which Airtel vendor allowed Flash Networks to inject this code in user browsing sessions?
6. What restrictions are placed on Airtel’s vendors and their vendors in such cases?
7. Do the vendors require Airtel’s approval before they deploy such a solution? Please explain how Airtel can absolve itself of any responsibility in this case?
8. What action is Airtel taking against its vendor and against Flash Networks for the harassment faced by an Airtel customer, due to the legal notice sent?
9. Please indicate what kind of Web usage data you collect on usage of websites and apps, and what kind of user information is shared with Airtel’s advertising partners such as Vserv.
How did it all unfold?
Last week, Bangalore-based Thejesh GN had noticed that Airtel was injecting JavaScript into its users’ browsing sessions, without seeking user consent. The screenshots shared by him on a GitHub thread have unfortunately been taken down, after Flash Networks sent a DMCA notice. However, you can see the screenshots here. Apparently the code inserts a toolbar into the user’s browsing session.
— Thejesh GN (@thej) June 3, 2015
So I got cease and desist letter for exposing JS injection by a big telco for publishing JS code & screenshots. I will probably remove it 🙁 — Thejesh GN (@thej) June 8, 2015
Just to make it clear C&D was NOT sent by Airtel but by Flash Networks Ltd based out of Israel through their lawyers in Mumbai.
— Thejesh GN (@thej) June 8, 2015
Interestingly, the notice sent alleges that Thejesh’s actions were an act of copyright infringement as per the IT Act, 2000 and the Indian Penal Code. Here’s a copy of the notice.
— Rohin Dharmakumar (@r0h1n) June 9, 2015
Trak.in reported that it’s not just Airtel, even Vodafone had been accused of something similar.
Their own press release mentions Bharti Airtel as a customer, and Vodafone (not clear in which countries). http://t.co/fOXZZC0shI…
— Rohin Dharmakumar (@r0h1n) June 9, 2015