Is Airtel Using A Code To Spy On Its Users On The Web?

Posted on June 12, 2015 in Sci-Tech, Specials

By Abhishek Jha:

Airtel again earned the ire of netizens this week when Bangalore based programmer Thejesh G.N. found out that Airtel was injecting javascript into his browsing session. He also found that the code was originating from an IP address belonging to Bharti Airtel Limited. He posted the information on GitHub to caution other people after which he received a cease-and-desist-order issued by Flash Networks Ltd., an Israel based company.

Image Credit:  Arti Sandhu
Image Credit:
Arti Sandhu

The order states that the client (Flash Networks) “develops and markets a software product commercially known as Layer8. The Layer8 platform helps mobile operators engage with their subscribers as they browse the web, and to offer them services that generate new downstream revenues from over-the-top affiliations.” This is interesting, as Airtel has tried to distance itself from the javascript injection in a statement where it says that the code “is a standard solution deployed by telcos globally to help their customers keep track of their data usage in terms of megabytes used.” Now exposed, an Airtel official told The Hindu, “We have stopped running the code because we found it was not helping our customer.” Flash Network, on the other hand, gave no explanation whatsoever as to what the particular injected code was meant for.

This has raised questions about violation of privacy of the user as the code was injected by the ISP and could apparently work through every webpage that the user visited. The description for Layer8 on Flash Network’s website says that it is “a clientless solution which appears over web pages on smartphones, tablets and PC enables users to get real-time access to carrier information, promotions, and other operator-based engagement” (sic). This is different from the data provided by other codes inserted on a webpage, like Google Analytics providing number of users visiting the particular website, to content providers on the internet. The communication between the content provider and the user remains between them, and the content provider informs the user of the amount of user’s personal information it is storing.

Thejesh had to meanwhile remove his post from GitHub as the cease-and-desist order threatened “legal proceedings, both Civil and Criminal” in case he did not comply, as his act, the order said, “amounts to criminal offence under the Indian Penal code, 1860 and the Information Technology Act, 2000”. However, as soon as he tweeted about the notice he had been served, Pranesh Prakash, Policy Director at the Centre for Internet and Society, tweeted saying that he could be defended under under Section 52(1)(ac) of the Indian Copyrights Act 1957 which allows “the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underlie any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied”. Apar Gupta, a Delhi based litigator, also posted on twitter that “injecting a script into a browser may technically be against the UASL license under which the private telecos offer ISP services” (sic). The word already spread, Airtel earned flak on the internet with twitterati questioning the statement issued by it even as it tried to distance itself from the cease-and-desist order.

Privacy on the internet, often vulnerable, is a sensitive issue for users, which is why Flash Networks says on its website that its “solutions are based on a non-intrusive approach coupled with very stringent adherence to privacy regulations”. In case it is found to be in violation of privacy regulations, it could spell trouble for Flash Networks and the mobile operators (Idea, MTS, and Vodafone are in a non-exhaustive list of customers published on its website) it provides the “Monetization solutions” to.