Indian Programmer Exposes JS Code Injection, Gets a Cease and Desist From the Injectors. What is our take?


#1

Thejesh GN, an open data geek and Mozillian, exposed JavaScript injection by a telecom operator into users' browsing sessions, and now he has received a C&D notice from the injector, Flash Networks.

Read the story here with all relevant links: http://techcrunch.com/2015/06/10/indian-programmer-exposes-code-injection-gets-a-cease-and-desist-from-the-injectors/

And this discussion on Hacker News: https://news.ycombinator.com/item?id=9693987

Thejesh GN is an active scout in the Mozilla geolocation program: https://location.services.mozilla.com/leaders#thejeshgn.com

What is interesting for me is that in the C&D notice they are admitting that telcos inject code into the operator's customers' browsing.

We need to build this as a #netsafety, #privacy and #Netneutrality argument.

The issue has caught enough attention now, including from parliamentarians. See the tweets from Rajeev Chandrasekhar, Member of Parliament:

1/4 shockd 2 lrn tht @airtelindia s using a surreptitious prog by flash ntwrks 2 mine user data & insert ad like assets wthout consent.

— Rajeev Chandrasekhar (@rajeev_mp) June 10, 2015

2/4 @thej has thrown light on #Privacy and #NetNeutrality issues thru hs @github thread on the issue. thank u!

— Rajeev Chandrasekhar (@rajeev_mp) June 10, 2015

3/4 @rsprasad Govt needs to intervene immediately. hold telcos like @airtelindia accountable for ths violation of privacy!

— Rajeev Chandrasekhar (@rajeev_mp) June 10, 2015

4/4 @airtelindia : "v hv highest regrd 4 user privacy". is ths like th #AirtelPledge on #NetNeutrality? Honestly, zero confidence inspired!

— Rajeev Chandrasekhar (@rajeev_mp) June 10, 2015

Airtel India said it had nothing to do with the legal notice sent to Thejesh GN. This report raises interesting questions for Airtel: http://www.medianama.com/2015/06/223-airtel-says-it-had-nothing-to-do-with-the-legal-notice-sent-to-thejesh-gn/ . This report further expands the perspective and the analysis that it is not Airtel alone; other telcos are also injecting JS code into user sessions, and it is not an Indian phenomenon alone: http://www.medianama.com/2015/06/223-mtnl-isp-advertising-airtel/

I think these questions are very important in an open Web context:

  1. Should publishers be aggrieved? As a publisher, it feels as if the ISP
     is hijacking my site while it is being delivered to a user, inserting
     their own code, and doing an ad overlay on my site. My means of
     monetization is that I prevent others from advertising on my site, and
     their only channel is through me. Here, a competing channel is being
     created.
  2. Is the ISP liable for content being served? Intermediaries such as
     ISPs aren't liable for content on their platform, and have a notional
     'safe harbor', if they do not modify the content. Under section 79 of
     India's IT Act:

       79. INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES
       (1) Notwithstanding anything contained in any law for the time being
       in force but subject to the provisions of sub-sections (2) and (3), an
       intermediary shall not be liable for any third party information, data,
       or communication link made available or hosted by him.
       (2) The provisions of sub-section (1) shall apply if—
       (a) the function of the intermediary is limited to providing access
       to a communication system over which information made available by third
       parties is transmitted or temporarily stored or hosted; or
       (b) the intermediary does not—
       (i) initiate the transmission,
       (ii) select the receiver of the transmission, and
       (iii) select or modify the information contained in the transmission;

     One could argue that while the intermediary in this case doesn't
     initiate the transmission of the website, it does modify its information
     by inserting the code. A lawyer can probably correct me on this, but on
     the face of it, this is a possibility. If this is true, then we'll have
     to re-examine how ad networks are governed.
  3. Is consumer consent being taken, and do they even have a choice? Unlike
     in the case of ad networks, where consent for inserting the ad is
     typically via the website terms and conditions, we're not sure if
     consent is taken from Internet users and/or publishers by the ISP. Look
     at it as a situation similar to that of the 'Fair Usage Policy' regime.
     Almost every single ISP today has an FUP on all Internet connections.
     Given that there is no unbundling of the last mile in India, consumers
     often only have a few ISPs to choose from, all of whom would have an
     FUP. If, as in the case of FUP and Net Neutrality, ISPs and/or telecom
     operators cartelize, consumers won't really have much choice.
  4. What can publishers and websites do? I'm wondering if it's possible
     for websites to introduce a clause in their terms that prevents the
     modification of the code of the website while it's being transmitted to
     a user, essentially holding the entity modifying the code in
     transmission liable for tampering with it. Then again, this is unlikely
     to happen because this is India. The last thing companies want to do is
     go to court, the same way that the last thing they would want to do is
     take on an access service provider like an ISP or a telecom operator,
     fearing vendetta.
  5. What stops telcos from spying on users? In an era of mostly static IPs
     and with telecom operators compiling user data, what stops them from
     tracking an individual user and their behavior via the insertion of
     code or a cookie, and then selling that data to ad networks or
     advertisers?

#2

What can publishers and websites do?

I have no idea about legal recourse (in the US you could certainly sue, and the likelihood of a class action lawsuit may be keeping this in check even if the suit’s success is unclear) but there are some technical measures:

  1. All sites should use HTTPS for privacy and security.
  2. Sites should use the Content-Security-Policy (CSP) header to limit the domains from which scripts can be loaded to a small set of trusted partners. If you don't do #1, the ISP can just rewrite your policy (though it might take them a while to catch on), so you must do #1 first.
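To show how the CSP part of the advice above works in the browser, here is an added example (not code from anyone in this thread): a simplified evaluator of the `script-src` source list, checking which script URLs a publisher's policy lets load and whether injected inline `<script>` blocks would run. The policy, the publisher host and the injector host are all constructed placeholders.

```javascript
// Added example (not from the thread): a simplified evaluator of the CSP script-src source
// list, showing why "script-src 'self' https://cdn.example-partner.com" makes the browser
// refuse a script injected from any other host, and refuse injected inline <script>
// unless the policy opts in with 'unsafe-inline'. Host names are constructed placeholders.
const PUBLISHER_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example-partner.com";

// Parse a CSP header into { directive: [source-expression, ...] }, lower-cased.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Match one source expression against a script URL: keywords, scheme-source, and
// host-source with optional scheme, "*." wildcard and port (port rules simplified).
function sourceMatches(expr, scriptUrl, pageUrl) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (expr.endsWith(':')) return scriptUrl.protocol === expr;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false; // nonces, hashes and unknown expressions never match a URL
  const [, scheme, host, port] = m;
  const schemeOk = scheme
    ? scriptUrl.protocol === scheme + ':'
    : scriptUrl.protocol === pageUrl.protocol || scriptUrl.protocol === 'https:';
  const hostOk = host.startsWith('*.')
    ? scriptUrl.hostname.endsWith(host.slice(1)) : scriptUrl.hostname === host;
  if (!schemeOk || !hostOk) return false;
  if (port === undefined) return scriptUrl.port === ''; // scheme's default port only
  return port === '*' || port === scriptUrl.port;
}

// Is a script at scriptSrc (absolute or page-relative) allowed to load on pageHref?
// script-src falls back to default-src; with neither directive nothing is restricted.
function scriptAllowed(header, scriptSrc, pageHref) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  const pageUrl = new URL(pageHref);
  const scriptUrl = new URL(scriptSrc, pageUrl);
  return sources.some((s) => sourceMatches(s, scriptUrl, pageUrl));
}

// Inline <script> blocks (the usual shape of injected code) run only if the policy opts in.
function inlineScriptAllowed(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  return !sources || sources.includes("'unsafe-inline'");
}
```

The evaluator only enforces what the header says, which is why the post insists on HTTPS first: over plain HTTP the same party that injects the script can also edit or strip the header before it reaches the browser.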

#3

Thank you @dveditz. I was not aware of Content Security Policy.