Indian coder, lawyer take on Israeli company’s threats

The Wire
June 16, 2015

On June 9, The Wire broke the story of a Bengaluru-based programmer who’d revealed that an Israeli company was injecting malicious JavaScript code into websites visited on Airtel’s 3G network. Thejesh GN had uploaded the script and screenshots of where he found it was being injected on his website to GitHub on June 3. In reply, he was threatened with overzealous punitive action under the IT Act 2000 by the company, named as Flash Networks, on June 8.

On Monday, in a heartening turn of events, Lawrence Liang, a reputed Bengaluru-based legal researcher and cofounder of the Alternative Law Forum, served a counter-notice to Flash Networks’ notice. Liang asserted his and Thejesh’s right to civil and criminal proceedings against Flash for the “unlawful insertion of code by your client into my clients source code”, which “amounts to a violation of the rights of my client, including but not limited to a violation of his privacy, an attempt to unlawfully access and hinder the operation of his website and a violation of the right to integrity of the work of my client.”

A copy of Liang’s reply was uploaded by Thejesh to his website on Monday. The document describes in detail Thejesh’s actions and the underlying intent – which were tantamount to a review of the JavaScript injection by Flash, their origin from an Airtel-owned IP address, and an inspection of their effects on his website. As the document states, “It is also commonly accepted that whenever one encounters any inserted scripts, viruses or spyware, you publish them as supporting document and evidence so other researchers can review your investigation by looking into it.”

Following Thejesh’s upload to GitHub on June 3, Flash put out its notice on June 8. The next day, in an effort to shut down the GitHub repository in which he had uploaded the screenshots, Flash served a notice under the American Digital Millennium Copyright Act. The repository was then automatically taken down by GitHub for until the matter is resolved.

In the aftermath of these events, Flash has repeatedly asserted that Thejesh violated the “confidentiality” of the script that it was injecting, called Anchor.js. Although Airtel issued a statement saying it had teamed up with Flash to track users’ monthly subscription usage, neither Flash nor Airtel have offered a substantive explanation as to how Anchor.js accomplished it. This is because Anchor.js was also found to be inserting ads onto webpages, which – thanks to their unsupervised nature – could just as well be inserting code that compromised security and user privacy.

Apart from asserting their right to legal recourse instead of the blind compliance that Flash’s DMCA notice expects, Liang has demanded that Flash should “offer an unconditional apology for attempting to insert a malicious piece of code into my client’s website which has affected the functionality of the same as well as lowering the reputation of my client” and “for violating the privacy of my client”.

Israeli firm strong-arms Indian techie for exposing suspicious code

The Wire
June 9, 2015

In an intriguing case of abuse, a Bengaluru-based programmer was on Monday threatened with a criminal lawsuit for attempting to expose an avaricious program that violated net neutrality.

On June 3, Thejesh GN, an activist and programmer, published screenshots and some text explaining how the Airtel 3G network was inserting some extra lines of code into his browser every time he visited a webpage.

A brief inspection revealed that the code comprised a few lines of JavaScript that loaded an asset like an advertisement on webpages that Thejesh was visiting. It was called Anchor.js.

A screenshot of the script found to have been injected without the user's permission. Credit: Screengrab from GitHub
A screenshot of the script found to have been injected without the user’s permission. Credit: Screengrab from GitHub

Using a web-based IP tracker, he was also able to find that the code was originating out of the IP address 223.224.131.144 – which belonged to Bharti Airtel Limited.

A screengrab of what the IP-tracker revealed about the source of the script.
A screengrab of what the IP-tracker revealed about the source of the script.

According to Vignesh Sundaresan, an Ottawa-based developer, JavaScript injection is a very clumsy technique to add extra functionality to certain programs. “It is often malicious when injected without notifying the user first,” he said. So, Thejesh uploaded the location and other details of the program to GitHub, a collaboration platform on the web for developers, to warn other users.

On June 8, however, he received a cease-and-desist order issued by Flash Networks, Ltd., a company based out of Herzliya, Israel, via their attorneys in Mumbai. The order required that Thejesh remove the description and implications of Anchor.js he had uploaded to GitHub because they violated Flash Networks’ copyright over it. His ‘act’ was alleged to be a criminal offence under the IPC 1860 and Information and Technology Act, 2000.

On June 9, the order was followed by a takedown notice (under the Digital Millennium Copyright Act of the US) posted to GitHub. After this, Thejesh’s files became inaccessible (although a cached version is available). Developers in the country are calling this a case of cyber-bullying.

https://twitter.com/r0h1n/status/608115292783407104

The case’s intrigue stems from the intent of Flash Networks, which it never discusses in its notices. In their C&D order, what the attorneys don’t mention is what Anchor.js enables for Flash as well as, and more importantly, the Airtel network. When Thejesh – or any susceptible user for that matter – visits a webpage on the Airtel 3G network, Anchor.js loads an asset, like an advertisement, on that page.

When the user views or interacts with that asset, whichever entity the asset has been posted by makes some money. In this case, since Flash Networks – the source of Anchor.js – is hosted on Airtel’s IP address, the implication is that Airtel is using Anchor.js to make money for itself using the user’s browsing experience. There is also the additional threat of Flash Networks using its unverified script to trawl for user data.

However, since Thejesh did not intend commercial use of Anchor.js (nor did he expose code that wasn’t already confidential), it’s unclear how Flash’s copyright was infringed. Pranesh Prakash, Policy Director at the Centre for Internet and Society, tweeted that irrespective of how Anchor.js harmed Thejesh’s experience, his act of uploading it to GitHub was protected by the Section 52(1)(ac) of the Indian Copyright Act 1957. It states that

the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied

… shall not constitute an infringement of copyright.

More troublingly, the intent of Flash Networks signals that the ISP is violating net neutrality because a user on the Airtel 3G network sees a website X differently than a user on, say, BSNL, because of the asset loaded by the injected script.

Recently, while the net neutrality debate was surging in India following a controversial policy document from TRAI, Airtel Zero was in the thick of things. It involved Airtel being paid by, say, Facebook to let users access Facebook for free on Airtel networks. The deal violated net neutrality because it implied the preferential treatment of data packets based on their sources.

Sundaresan added that should such dubious instances of JavaScript injection be discovered in the Western world, the inserter could be sued for millions.

Airtel has since issued a statement on the issue, claiming the JavaScript injection was a way for it to keep track of how much data the subscriber has consumed, for billing purposes, and termed it a “standard solution deployed by telcos globally”. At the same time, the statement doesn’t explain why the deployment was placing advertisements on the user’s destination webpages – a behaviour Sundaresan says is definitely not part of the standard solution.

In fact, Airtel also distanced itself from the order issued by Flash Networks to Thejesh: “We … categorically state that we have no relation, whatsoever, with the notice.” Even so, that the two companies are and have been associated with each other is betrayed by one of Flash’s press releases from 2014 that includes Airtel and Vodafone among its clients.

If the ISP’s complicity is more conclusively established, it is likely to face legal action for violating user privacy. Because the script could also have been injected when people viewed Thejesh’s website via Airtel’s network, the ISP is also liable to have misrepresented his content to his audience.

It has also emerged since Thejesh’s disclosure that Vodafone might also be engaging in similar insertions of third-party software into browsers.

Note: This article was edited on June 9, 2015, to link to a Flash Networks press release and to include Airtel’s statement.