Airtel 3G Script Injection
We as users of telecom services and members of the Indian tech community, were shocked to learn a few days ago that Airtel was carrying out unsolicited packet injection into all content viewed over its 3G networks.
It was revealed that Airtel was tampering with its user's online communications on its 3G network, and maliciously inserting advertisements into its user's data. This ensured that all users of Airtel's 3G networks were forced to view certain specific advertisements inserted by Airtel, irrespective of the content they chose to view on the Internet. Further, by interfering with the data packets to and from its customers terminals, Airtel has clearly acted in violation of the privacy rights of at least thousands if not millions of Indian citizens and has rendered their online communications unsafe.
The aforesaid revelations, made in public interest, by an Indian citizen, Thejesh GN, has however brought about an absolutely unethical and disproportionate response. An Israeli company, Flash Networks, purporting to be the creator of the software responsible for the illegal packet injection on Airtel's networks has issued a 'Cease and Desist' notice, that threatens civil and criminal action against the Bangalore based developer. In a mala fide and clearly desperate attempt to silence any talk of Airtel's violations of Indian citizens constitutionally protected rights, Flash Networks has also had the relevant explanatory content posted by Thejesh taken down from the Internet. The initial violations of privacy and network neutrality are now being compounded by an attempt to violate an Indian citizen's rights to free speech!
FSMI appeals to all other groups working on net neutrality to oppose Airtel and Flash Networks illegal and unethical actions and share this code widely, thus defeating corporate attempts to muzzle citizens right to free speech (which are only intended to cover up acts of corporate malfeasance).
Sharing the relevant portion of the code is merely intended to illustrate the methods used by telecom companies to illegally and unethically mine user data thereby rendering their communications and personal data vulnerable. This serves the purpose of educating the public on a vital issue concerning the violation of Constitutionally protected rights and encourages others to continue to expose the use of malicious code against users by telecom companies, without their consent.
The statement is as follows:
On June 3, 2015, a Bangalore based programmer and activist Thejesh GN, exposed certain details of a software program utilised by the Airtel 3G network, which injected malicious code into a user's web browser, allegedly without notifying or taking the consent of the user. This code collected users' data and inserted advertisements into the data stream being received by all Airtel customers on its 3G networks.
This is a clear violation by Airtel of:
the principles of carriage (of telecommunications) and the terms of the licenses issued by the Government of India to service providers. This requires a service provider not to interfere with the communications / data stream of their consumers;
the principle of network neutrality – in that Airtel was able to prioritise its advertisements to users by utilising the fact that it was the source of access to the Internet;
as the program collects users data, this violates the users right to privacy - protected by the Constitution of India and various statutes as well as the service provider's license. Thejesh uploaded screenshots and some text explaining the relevant portion of the code (highlighting the malicious script injection) on the global code depository - github.
In response, an Israeli company, Flash Networks, purporting to be the creators of the relevant software, have issued a 'Cease and Desist' notice, that threatens civil and criminal action against him, for taking the dastardly step of exposing a malicious function in a program that acts so as to illegally invade the privacy of all customers of Airtel's 3G networks. The company has also issued a take down notice to Github under the US law – the Digital Millennium Copyright Act, requiring them to disable access to the information posted online in public interest. Github has now taken down the code. This is nothing but an attempt at bullying an Indian citizen for publicly disclosing Airtels' and its Israeli partner, Flash Networks' violations of Indian citizens rights of online access and privacy and to cover up their methods of using unethical, immoral and illegal means to make profits. The initial violations of privacy and network neutrality are now being compounded by an attempt to violate an Indian citizen's rights to free speech, in order to avoid exposure of corporate malfeasance.
Exposure of the malicious software being utilised by Airtel is not only in public interest, it is explicitly protected under the Indian Constitutional and relevant statutes. First, there is no contract between Flash Networks and the user of Airtel's network – and therefore a license covering the software cannot, per se, be enforced by Flash Networks against any individual user. Second, the Indian Copyright Act, 1957, clearly protects reproduction of portions of a computer program in certain circumstances that constitute fair use. Specifically, “the observation, study or test of functioning of the computer programme” is not a violation of copyright. Companies cannot surreptitiously insert code on users machines and then argue that such code should not be made public. The very fact that this code is surreptitiously inserted in the browsers of all Airtel's 3G network customers gives them the right to review such code and discuss this code in public – in addition to the right to take appropriate legal recourse against Airtel. The fact that the program was not reproduced in whole or indeed that there was no commercial motive whatsoever behind making the source code public, only makes the applicability of the fair use exceptions all the more clear. It is also interesting to note that despite Airtel having disowned all knowledge of the situation, it has not disclosed how is it that its 3G services are introducing this code, purportedly belonging to Flash Networks, into users browsers.
Accordingly, the FSMI demands that:
The relevant authorities – the Government of India, Department of Telecommunications and / or the Telecom Regulatory Authority of India - - should immediately initiate an inquiry and take action against Airtel for interfering with the communications of its users on its 3G networks, allegedly without consent or notification to this effect;
All telcos should be directed to ensure net neutrality, unimpeded access to the Internet and protect privacy of its users; and submit reports on what measures they have taken to give effect to the same;
Given the increasing number of violations of privacy and net neutrality seen in the online sphere, the Government and other relevant authorities act with appropriate urgency to put in place specific public interest regulations pertaining to privacy of online communications and net neutrality.