BSNL's claim: "We have DND Mechanisms".
- Background: Over the last couple of months, IFF has been writing representations and filing RTIs on the very apparent code injecting BSNL continues to the engage in. Recently, we wrote to BSNL once again based on insights provided by IFF's pro-active supporters.
- New update: BSNL provides another response to an RTI we filed in August on which shed some light to some of the processes they apply while they admittedly engage in code injections.
The code injections by BSNL dialogue has been going on for a while now, so here's a bit of a timeline to make things slightly clearer.
- In May, we came across a report through our online reporting tool at savetheinternet.in and futher research on other social networking platforms and discussion forums of browser injections by BSNL permitting advertisements, on non-HTTPS sites. We wrote to BSNL informing them but also providing sufficient evidence of various instances (Read here for more).
- In July, with no acknowledgement from BSNL, we conducted our three pronged approach where we wrote to the DOT, filed an RTI on BSNL and also filed an incident report with CERT-In. This is where it got interesting, we received a response to our BSNL RTI claiming that the code injections contain no malware, but acknowledging the existence of such code injections nonetheless (Read here for more).
- In September, with the support of IFF community, we were informed that these injections continue to exist so we wrote to the DOT filling them in on the BSNL's intentional code injection activities (Read here for more).
Update numero Uno
The RTI we filed when we informed you of our three pronged approach, was forwarded to a few other CPIOs, which is why we have recently received another response to our queries.
- The first reply was on August 8, 2019 where BSNL claimed that no malware is being injected, however, admitting to the insertion of injections as we explained in our previous post.
- The second reply we received is a line by line response on September 12, 2019.
1. First, we asked for information on BSNL enagagement in the insertion of browser injections or code injections to which they claimed 'commercial confidence' and providing such information would harm BSNL's competitive position.
2. Second, we asked for reasons for the use of browser or code injections. They say that they rely on such activities to communicate with customers on available offers and useful information like Parental Control Guidelines.
3. Third, we requested for copies on file of action taken by BSNL in addressing complaints. BSNL claims that if they receive complaints via mails, they enable the their 'DND' mechanism after confirming and collecting User Ids.
4. Lastly, we asked for physical copies on the file of action taken but as the queries are being received by email they do not maintain any physical files.
Update numero Dos
Going back to our previous three pronged approached, we had filed an incident report with CERT-In to which we received no response. However, we have seemingly made enough of a push with our recently filed RTI to the Ministry of Electronics and Information Technology which enquired on the action taken by CERT-In in response to our incident report as the ministry has responded to RTI informing us that CERT-In has written to BSNL on the issue and is awaiting a response, which is a definite win!
Our next steps: Is your privacy being sold?
As BSNL has been more than clear about their commercial benefit from their code injection activities, the advertisements can't possibly be injected without BSNL deriving some value, we have filed a new RTI enquiring on the streams of revenues being made through these code injections.
We are also considering further advocacy actions and examining what may be the best way to approach the Department of Telecom. As always, we will make sure to keep you updated with any further information.
Note: This may seem like a small problem to those who live in cities where there are multiple options of ISPs, but BSNL in certain parts of India is often the most viable method of internet access. Specially for large parts of our government offices. We are especially worried for their cyber security, privacy and productivity that is often compromised by these ads.
Links to important documents
- Second response to our RTI filed with BSNL (link)