Airtel allegedly injecting ‘suspicious’ code to track users’ browsing habits in India
Bangalore-based programmer finds suspicious code while browsing on Airtel’s 3G network and gets threatened with criminal wrongdoing notice
In a Twitter post dated June 3, Bengaluru-based Independent Technologist Thejesh G.N. has claimed that โAirtel 3G is quietly injecting java script into your browsing session.โ He also posted a screenshot of the code on GitHub. According to Mr. Thejeshโs post in GitHub, the IP address from which the Java code originated was from Bharti Airtel in Bengaluru.
Airtell 3G is injecting javascript into your browsing session https://t.co/QHPpSKinve
— Thejesh GN (@thej) June 3, 2015
The Wire.in reports that a brief inspection exposed that the code consisted of few lines of JavaScript that loaded an asset like an advertisement on webpages that Thejesh was visiting. It was called Anchor.js. Using a web-based IP tracker, he was also able to find that the code was originating out of the IP address 223.224.131.144 โ which belonged to Bharti Airtel Limited.
That’s all very vague. But that’s just the very beginning of this story. On June 8, Thejesh received the most absurd legal threat letter, coming from a lawyer named Ameet Mehta from the law firm Solicis Lex. It claims to be representing an Israeli company, Flash Network, which is apparently responsible for the code injection software and it claimed that by merely revealing to the public that Airtel was doing these injections, Thejesh had engaged in criminal copyright infringement under the Information Technology Act, 2000.
On June 9, the order was followed by a takedown notice (under the Digital Millennium Copyright Act of the US) posted to GitHub. After this, Thejeshโs files became unreachable although a cached version is available here.
So I got cease and desist letter for exposing JS injection by big a telco for publishing JS code & screenshots. I will probably remove it ๐
— Thejesh GN (@thej) June 8, 2015
Vignesh Sundaresan, an Ottawa-based developer, JavaScript injection said that it is a very awkward technique to add extra functionality to certain programs and โIt is often nasty when injected without notifying the user firstโ. So, Thejesh uploaded the location and other details of the program to GitHub, a collaboration platform on the web for developers, to warn other users.
The caseโs conspiracy stems from the objective of Flash Networks, which it never discusses in its notices. In their C&D order, what the attorneys donโt mention is what Anchor.js enables for Flash as well as, and more significantly, the Airtel network. When Thejesh or any susceptible user for that matter visits a webpage on the Airtel 3G network, Anchor.js loads a third party popup, like an advertisement, on that page.
When the user views or interacts with that popup, whoever has made that popup makes some money. In this case, since Flash Networks the source of Anchor.js is hosted on Airtelโs IP address, the implication is that Airtel is using Anchor.js to make money for itself using the userโs browsing experience. There is also the additional threat of Flash Networks using its unverified script to seek for user data.
However, since Thejesh did not intend commercial use of Anchor.js (nor did he expose code that wasnโt already confidential), itโs uncertain how Flashโs copyright was infringed. Pranesh Prakash, Policy Director at the Centre for Internet and Society tweeted that irrespective of how Anchor.js harmed Thejeshโs experience, his act of uploading it to GitHub was protected by the Section 52(1)(ac) of the Indian Copyright Act 1957.
It states that โthe study or test of functioning of the computer program in order to determine the ideas and principles which underline any elements of the program while performing such acts necessary for the functions for which the computer program was supplied.โ
The intent of Flash Networks signals that the ISP is violating net neutrality because a user on the Airtel 3G network sees a website X differently than a user on, say, BSNL, because of the asset loaded by the injected script.
Recently, while the net neutrality debate was rising in India following a controversial policy document from TRAI, Airtel Zero was in the thick of things. It involved Airtel being paid by, say, Facebook to let users access Facebook for free on Airtel networks. The deal desecrated net neutrality because it disguised the preferential treatment of data packets based on their sources.
Sundaresan commented that should such dubious instances of JavaScript injection be discovered in the Western world, the inserter could be sued for millions.
Airtel has since issued a statement on the matter, claiming the JavaScript injection was a way for it to keep track of how much data the subscriber has consumed, for billing purposes, and termed it a โstandard solution deployed by telcos globallyโ. At the same time, the statement doesnโt explain why the operation was placing advertisements on the userโs destination webpages.
In fact, Airtel also distanced itself from the order issued by Flash Networks to Thejesh: โWe โฆ categorically state that we have no relation, whatsoever, with the notice.โ Even so, that the two companies are and have been associated with each other is betrayed by one of Flashโs press releases from 2014 that includes Airtel and Vodafone among its clients.
If the ISPโs involvement is more convincingly established, it is likely to face legal action for violating user privacy as the script could also have been injected when people viewed Thejeshโs website via Airtelโs network, the ISP is also liable to have distorted his content to his audience.
It has also emerged since Thejeshโs disclosure that Vodafone might also be engaging in similar insertions of third-party software into browsers.
For those who argue that copyright is never used for censorship: explain this story. Of course, it all seems to be backfiring in a big way. Flash may have wanted to hide what they were up to, but now it’s getting much, much, much more attention. Maybe, next time, rather than threatening whistleblowers of your bad practices with claims of criminal copyright infringement, Flash and Airtel will think more about their own crappy business practices that put users at risk.