Thejesh GN, an open data geek and Mozillian exposed Java Script Injection by telecom Operator into user browsing session , and now he recieved C&D notice from Injector, Flash Networks .
Read the story here with all relevant links. http://techcrunch.com/2015/06/10/indian-programmer-exposes-code-injection-gets-a-cease-and-desist-from-the-injectors/
And this discussion in hackernews https://news.ycombinator.com/item?id=9693987
Thejesh GN is an active scout in Mozilla Geolocation program in https://location.services.mozilla.com/leaders#thejeshgn.com
What interesting for me is following Interesting part with C& D notce is they are admitting that Telecos inject code to operator customer browsing
We need to build this as an #netsafety, #privacy and #Netneutrality argument .
The issue caught enough attention now including parliamentarians , See the tweets from Rajeev Chandrasekhar
, member of Parliament
1/4 shockd 2 lrn tht @airtelindia s using a surreptitious prog by flash ntwrks 2 mine user data & insert ad like assets wthout consent.— Rajeev Chandrasekhar (@rajeev_mp) June 10, 2015
Airtel India said it had nothing to do with the legal notice sent to Thejesh GN . This report raises interesting questions to airtel. http://www.medianama.com/2015/06/223-airtel-says-it-had-nothing-to-do-with-the-legal-notice-sent-to-thejesh-gn/ . This report further expands the perspective and the analyses that it is not airtel alone and other telecos are also injecting JS code to user session , and it is not an indian phenomenon alone . http://www.medianama.com/2015/06/223-mtnl-isp-advertising-airtel/
I think These questions are very important in an open Web context
- Should publishers be aggrieved? As a publisher,
it feels as if the ISP is hijacking my site while it is being delivered
to a user, and inserting their own code, and doing an ad overlay on my
site. My means of monetization is where I prevent others from
advertising on my site, and their only channel is through me. Here, a
competing channel is being created.
- Is the ISP liable for content being served? Intermediaries
such as ISPs aren’t liable for content on their platform, and have a
notional ‘safe harbor’, if they do not modify the content. Under section
79 of India’s IT Act:
- INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES
(1) Notwithstanding anything contained in any law for the time being
in force but subject to the provisions of sub-sections (2) and (3), an
intermediary shall not be liable for any third party information, data,
or communication link made available or hasted by him.
(2) The provisions of sub-section (1) shall apply if—
(a) the function of the intermediary is limited to providing access
to a communication system over which information made available by third
parties is transmitted or temporarily stored or hasted; or
(b) the intermediary does not—
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
One could argue that while the intermediary in this case doesn’t
initiate the transmission of the website, it does modify its information
by inserting the code. A lawyer can probably correct me on this, but on
the face of it, this is a possibility. If this is true, then we’ll have
to re-examine how ad networks are governed.
- Is consumer consent being taken, and do they even have a choice? Unlike
in case of ad networks, where consent for inserting the ad is typically
via the website terms and conditions, we’re not sure if consent is
taken from Internet users and/or publishers by the ISP. Look at it as a
situation similar to that of the ‘Fair Usage Policy’ regime. Almost
every single ISP today has an FUP on all Internet connections. Given
that there is no unbundling of the last mile in India, consumers often
only have a few ISPs to choose from, all of whom would have an FUP. If,
like in case of FUP and Net Neutrality, ISPs and/or telecom operators
cartelize, consumers won’t really have much choice.
4. What can publishers and websites do? I’m
wondering if it’s possible for websites to introduce a clause in their
terms that prevents the modification of the code of the website while
its being transmitted to a user, essentially holding the entity
modifying the code in transmission liable for tampering with it. Then
again, this is unlikely to happen because this is India. The last thing
companies want to do is go to court, the same way that the last thing
they would want to do is take on an access service provider like an ISP
or a telecom operator, fearing vendetta.
5. What stops telicos from spying on users? In
an era of mostly static IP’s and with telecom operators compiling user
data, what stops them from tracking an individual user and their
behavior via the insertion of a code or a cookie, and then selling that
data to ad networks or advertisers.