Thejesh GN

Bangalore-based infoactivist and programmer Thejesh GN, who had been sent a cease & desist notice by Flash Networks, has mentioned that his decision to publish the findings on GitHub “is a common practice for anyone involved with scholarly research on breach of security issues on the internet,” in his legal reply to the company.

He said that the intention was to highlight the malicious manner in which this code had been inserted unlawfully into his website, and to educate and inform the general public about it. You can read the entire reply here.

Thejesh also mentions that it is “commonly accepted that whenever one encounters any inserted scripts, viruses or spyware, you publish them as supporting document and evidence so other researchers can review your investigation by looking into it.”

Thejesh has demanded that Flash Networks should offer an unconditional apology for attempting to insert a “malicious piece of code” into his website, which has affected the functionality of the website (making it slow), for negatively impacting his reputation and for violation of privacy.


How it all began

Earlier this month, Thejesh had noticed that Airtel was injecting JavaScript into its users' browsing sessions without seeking user consent. Apparently, the code had been trying to insert a toolbar into the user's browsing session. He later received a cease & desist notice from the Israel-based Flash Networks, which had written the piece of JavaScript code. Interestingly, the notice sent to Thejesh had alleged that Thejesh's actions were an act of copyright infringement as per the IT Act, 2000 and the Indian Penal Code.

Airtel’s response

At the time, Airtel had said that it had nothing to do with the cease & desist notice received by Thejesh from Flash Networks. As for the allegation that Airtel had been surreptitiously injecting JavaScript into its users' browsing sessions, in a bid to acquire users' personal and browsing data, Airtel had told MediaNama that:

This is a standard solution deployed by telcos globally to help their customers keep track of their data usage in terms of megabytes used. It is therefore meant to improve customer experience and empower them to manage their usage. One of our network vendor partners has piloted this solution through a third party to help customers understand their data consumption in terms of volume of data used. As a responsible corporate, we have the highest regard for customer privacy and we follow a policy of zero tolerance with regard to the confidentiality of customer data.

Based on this, we had written to Airtel with a few questions, but haven’t heard back from them yet. The questions are:

1. Since you’ve mentioned this is a standard practice, please indicate which other telecom companies deploy similar solutions?

2. Please identify what security measures Airtel has in place to ensure the script inserted in users' browsing sessions is not used to spy on them.

3. Please provide documents to indicate what measures you have put in place to ensure that Airtel employees and vendors don’t misuse the data collected.

4. What kind of consumer consent have you taken, before allowing a vendor to track data usage patterns of customers?

5. Which Airtel vendor allowed Flash Networks to inject this code in user browsing sessions?

6. What restrictions are placed on Airtel's vendors and their vendors in such cases?

7. Do the vendors require Airtel’s approval before they deploy such a solution? Please explain how Airtel can absolve itself of any responsibility in this case?

8. What action is Airtel taking against its vendor and against Flash Networks for the harassment faced by an Airtel customer, due to the legal notice sent?

9. Please indicate what kind of Web usage data you collect on usage of websites and apps, and what kind of user information is shared with Airtel’s advertising partners such as Vserv.

Image credit: Thejesh GN’s Twitter profile