BSNL's claim: "We have DND Mechanisms".

Highlights * Background: Over the last couple of months, IFF has been writing representations and filing RTIs on the very apparent code injecting BSNL continues to the engage in. Recently, we wrote to BSNL once again based on insights provided by IFF's pro-active supporters. * New update: BSNL provides another response to an RTI we filed in August on which shed some light to some of the processes they apply while they admittedly engage in code injections. Background The cod

Joanne DCunha
Joanne DCunha

11 October, 2019
3 min read

Highlights

  • Background: Over the last couple of months, IFF has been writing representations and filing RTIs on the very apparent code injecting BSNL continues to the engage in. Recently, we wrote to BSNL once again based on insights provided by IFF's pro-active supporters.
  • New update: BSNL provides another response to an RTI we filed in August on which shed some light to some of the processes they apply while they admittedly engage in code injections.

Background

The code injections by BSNL dialogue has been going on for a while now, so here's a bit of a timeline to make things slightly clearer.

  • In May, we came across a report through our online reporting tool at savetheinternet.in and futher research on other social networking platforms and discussion forums of browser injections by BSNL permitting advertisements, on non-HTTPS sites. We wrote to BSNL informing them but also providing sufficient evidence of various instances (Read here for more).
  • In July, with no acknowledgement from BSNL, we conducted our three pronged approach where we wrote to the DOT, filed an RTI on BSNL and also filed an incident report with CERT-In. This is where it got interesting, we received a response to our BSNL RTI claiming that the code injections contain no malware, but acknowledging the existence of such code injections nonetheless (Read here for more).
  • In September, with the support of IFF community, we were informed that these injections continue to exist so we wrote to the DOT filling them in on the BSNL's intentional code injection activities (Read here for more).

Update numero Uno

The RTI we filed when we informed you of our three pronged approach, was forwarded to a few other CPIOs, which is why we have recently received another response to our queries.

  • The first reply was on August 8, 2019 where BSNL claimed that no malware is being injected, however, admitting to the insertion of injections as we explained in our previous post.
  • The second reply we received is a line by line response on September 12, 2019.
    1. First, we asked for information on BSNL enagagement in the insertion of browser injections or code injections to which they claimed 'commercial confidence' and providing such information would harm BSNL's competitive position.
    2. Second, we asked for reasons for the use of browser or code injections. They say that they rely on such activities to communicate with customers on available offers and useful information like Parental Control Guidelines.
    3. Third, we requested for copies on file of action taken by BSNL in addressing complaints. BSNL claims that if they receive complaints via mails, they enable the their 'DND' mechanism after confirming and collecting User Ids.
    4. Lastly, we asked for physical copies on the file of action taken but as the queries are being received by email they do not maintain any physical files.

Update numero Dos

Going back to our previous three pronged approached, we had filed an incident report with CERT-In to which we received no response. However, we have seemingly made enough of a push with our recently filed RTI to the Ministry of Electronics and Information Technology which enquired on the action taken by CERT-In in response to our incident report as the ministry has responded to RTI informing us that CERT-In has written to BSNL on the issue and is awaiting a response, which is a definite win!

Our next steps: Is your privacy being sold?

As BSNL has been more than clear about their commercial benefit from their code injection activities, the advertisements can't possibly be injected without BSNL deriving some value, we have filed a new RTI enquiring on the streams of revenues being made through these code injections.

We are also considering further advocacy actions and examining what may be the best way to approach the Department of Telecom. As always, we will make sure to keep you updated with any further information.

Note: This may seem like a small problem to those who live in cities where there are multiple options of ISPs, but BSNL in certain parts of India is often the most viable method of internet access. Specially for large parts of our government offices. We are especially worried for their cyber security, privacy and productivity that is often compromised by these ads.

  • Second response to our RTI filed with BSNL (link)

Code injections ruining smooth browsing? Become an IFF member today!

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

2
Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

3
IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!