(Update: Airtel wrote to us with a clarification after we published this story. Please scroll down to the bottom to read Airtel’s note.)
On June 8, an Indian coder known as Thejesh GN on Twitter received a cease-and-desist order from the Israeli firm Flash Networks Ltd., a company based out of Herzliya, Israel, via its attorneys in Mumbai. Thejesh was being targeted for exposing the Israeli company for malpractice. He found that the company had been spying and collecting personal data and browsing information, and selling it to Airtel India.
Airtel 3G is injecting javascript into your browsing session https://t.co/QHPpSKinve
— Thejesh GN (@thej) June 3, 2015
In June, Thejesh posted some screenshots and explained how the Airtel 3G network was inserting extra lines of code into his browser every time he visited a website.
A brief inspection revealed that the code comprised a few lines of JavaScript that loaded an asset, such as an advertisement, on the webpages Thejesh was visiting. The script was called Anchor.js.
Screen shot of the script found to have been injected with the user’s permission | Source: The Wire
Thejesh used a web-based IP tracker and found that the code originated from the IP address 223.224.131.144, which belongs to Bharti Airtel Limited.
Source: The Wire
JavaScript injection is a very clumsy way to add extra functionality to certain programs. If users are not notified first, the injection of JavaScript can be construed as malicious. It is therefore fair that Thejesh decided to post this and other information on GitHub – a platform for developers to warn other users of malicious content, viruses or other such problems on the web.
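One way a site owner or user could spot the kind of in-transit injection described above is to compare the HTML the server sent with the HTML the browser received. This is an added example, not code from the article or from Thejesh's GitHub post; the function names, the sample pages and the address 203.0.113.10 (a documentation range) are constructed for illustration.

```javascript
// Added example (not from the article). All HTML below is constructed sample data.

// Extract every <script> element as { src, inline } from an HTML string.
// A regex is enough for diffing script tags; it is not a full HTML parser.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    scripts.push({ src: a ? (a[1] ?? a[2] ?? a[3]) : null, inline: m[2].trim() });
  }
  return scripts;
}

// True when the script URL's host is a bare IPv4 address rather than a hostname.
function isIpLiteralHost(src) {
  try {
    const host = new URL(src, "http://page.invalid/").hostname;
    return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  } catch {
    return false;
  }
}

// Scripts present in the received copy but absent from the served copy.
function findInjectedScripts(servedHtml, receivedHtml) {
  const key = (s) => (s.src ? "src:" + s.src : "inline:" + s.inline);
  const served = new Set(extractScripts(servedHtml).map(key));
  return extractScripts(receivedHtml)
    .filter((s) => !served.has(key(s)))
    .map((s) => ({ ...s, ipLiteralHost: s.src ? isIpLiteralHost(s.src) : false }));
}

// Constructed sample: what the origin sent vs. what arrived over the mobile network.
const SERVED = `<html><head><script src="/js/app.js"></script></head>
<body><p>Hello</p></body></html>`;
const RECEIVED = `<html><head><script src="/js/app.js"></script></head>
<body><p>Hello</p>
<script type="text/javascript" src="http://203.0.113.10/anchor.js"></script>
</body></html>`;

console.log(findInjectedScripts(SERVED, RECEIVED));
```

The served copy has to come from a path the network cannot modify, such as the server's own files or a fetch over HTTPS.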
A few days later he received the cease-and-desist order. The order required him to remove the description of Anchor.js he had uploaded to GitHub because Flash Networks has a copyright over the content. His ‘act’ was alleged to be a criminal offence under the IPC 1860 and Information and Technology Act, 2000.
So I got cease and desist letter for exposing JS injection by a big telco for publishing JS code & screenshots. I will probably remove it 🙁
— Thejesh GN (@thej) June 8, 2015
And here, an Israeli co. inserting code surreptitiously into Indians’ browsers, threatening Indians under IPC. pic.twitter.com/JrPNJV9iUL
— Rohin Dharmakumar (@r0h1n) June 9, 2015
The following day, the company posted a takedown notice on GitHub (under the Digital Millennium Copyright Act of the US). After this, Thejesh’s files became inaccessible to anyone who visited the website.
For an Israeli co. to sue Indian users for merely reporting an unethical (and possibly illegal) practice is intimidation.
— Rohin Dharmakumar (@r0h1n) June 9, 2015
This incident has evoked serious concern over the issue of cyber bullying. In this case it is fairly clear that big corporates like Flash Networks and Bharti Airtel are using their magnitude to intimidate Thejesh. Unfortunately their methods have worked, and the victim succumbed to their demands.
What is also intriguing about this case is the intent of Flash Networks, something they very cleverly hid from everyone. In their C&D order, what their lawyers have not mentioned is how Anchor.js benefits Flash Networks and, more importantly, Bharti Airtel.
When a user visits a webpage on Airtel’s 3G network, an asset like an advertisement appears on that page. Every time a user clicks on that advertisement, the entity that posted the asset makes some money. In this case, since Flash Networks – the source of Anchor.js – is hosted on Airtel’s IP address, the implication is that Airtel makes money by manipulating the user’s experience. There is also the additional threat of Flash Networks using its unverified script to trawl for user data.
Source: digit.in
However, since Thejesh did not intend any commercial use of Anchor.js, it is unclear how Flash’s copyright was infringed. Also his act of uploading his experience of Anchor.js onto GitHub was protected by Section 52(1)(ac) of the Indian Copyright Act 1957.
Net Neutrality
This incident has also re-energised the debate on net neutrality. Flash Networks has violated net neutrality by only choosing Airtel. This is because a user on Airtel broadband will have a different view of a website than a user on a BSNL network.
Airtel hasn’t yet spoken up on the issue. It remains unclear if it is aware that an Israeli company is injecting code into Indian browsers via an Indian ISP (Airtel). If Airtel’s complicity is established, on the other hand, it is likely to face legal action for violating user privacy. Because the script could also have been injected when people viewed Thejesh’s website via Airtel’s network, the ISP is liable to have misrepresented his content to his audience.
Update:
Airtel has issued a statement saying:
This is a standard solution deployed by telcos globally to help their customers keep track of their data usage in terms of mega bytes used. It is therefore meant to improve customer experience and empower them to manage their usage. One of our network vendor partners has piloted this solution through a third party to help customers understand their data consumption in terms of volume of data used. As a responsible corporate, we have the highest regard for customer privacy and we follow a policy of zero tolerance with regard to the confidentiality of customer data. We are also surprised at the Cease & Desist notice served by Flash Networks to Thejesh GN, and categorically state that we have no relation, whatsoever, with the notice.
Feature image source: Reuters