Venom, venom, venom. BSNL engaging in code injections.

Documented reports of code injections by BSNL that produce advertisements and images have led us to question the security and legality of its actions. We write to BSNL asking it to take the necessary recourse in addressing the issue.

17 May, 2019

Highlights

  • Background: IFF has received an increasing number of reports of various net neutrality violations through its online reporting tool. A particularly interesting response also informed us of browser injections by BSNL.
  • Need for security: BSNL's disregard for the security of its networks is alarming given the sensitive nature of the information transmitted in these fields. We ask BSNL to take the necessary recourse in addressing the issue.

Background

In our previous posts, we introduced our online reporting tool to keep a record of Net Neutrality violations around India. One of the responses that stood out informed us of browser injections by BSNL permitting advertisements on non-HTTPS sites. We decided to look into the issue further, which led to the discovery of numerous public complaints of similar injections on social networking platforms and discussion forums.

Venomous code injections

Techniques such as code injections are generally used to gain unauthorised access to systems, compromise the integrity and safety of sensitive data, or deny access, amongst other significantly detrimental consequences. Learning of their prevalence within BSNL's services raised concern not only about the security of the information involved but especially about the illegality of BSNL's actions, so we put those actions to the test against various frameworks in existence.

  • The Information Technology Act, 2000
    Section 43 of the Act provides various protections to information that is within a computer resource, in order to maintain its integrity and security from unauthorised attacks. Hacking of a computer system deceptively, in such a manner, would even render one punishable by fine or imprisonment under Section 66 of the Act.
    Not only is code injected without the knowledge of the individual, its purpose is to exploit the vulnerabilities of the code to fulfil its own agenda.

  • Cellular Media Telephone Services Agreement
    As far as we could find, BSNL is governed by the provisions of the Cellular Media Telephone Services agreement, which specifies in clause 44.4 that the Licensee (BSNL) is to ‘ensure protection of privacy of communication and ensure that unauthorized interception of messages does not take place’.
    Permitting such insertion of code definitely permits unauthorised interception of the original code, which in all likelihood jeopardises the security and the protection of the privacy of the transmission. This is in clear breach of its own license conditions.

The Department of Telecommunications also circulated a notice providing for minimum requirements of security to be met by Licensee, in line with the DoT’s licensing conditions in May 2011. It specifically expects measures to be in place against intrusion of malware, protection of information in networks and its facilities, basic updated security measures in compliance with statutory, regulatory, licensing or contractual obligations. BSNL appears to be clearly failing to meet these requirements.

So we decided to write to BSNL stating exactly this, explaining how it is in contravention of a multitude of provisions. In addition, we have attached to this representation a compilation of various reports of such code injections. Such thorough documentation has only been possible thanks to the proactive users of India Broadband Forum, Twitter and Reddit (you guys have led us to some pretty intense discussion forums).

We provide BSNL with some necessary next steps, listed below, not only to address the issue but also to provide some accountability for its lack of redressal of user complaints.

  • Investigate: Formulate a working group to coordinate the legal and technological departments and then conduct an official audit, specifically investigating each reported incident and identifying the reasons for its occurrence in different geographies.
  • Disclose: Publicly disclose the findings of the audit and take proportionate corrective measures.
  • Fix: Take immediate actions in the interim, as well as issue standing instructions which may be considered to prevent recurrence.

We are optimistic that BSNL will pay heed to our representation and take the needed action. We do mention that in case of failure to do so, IFF fully intends to move forward with strategic steps to approach Government authorities, including CERT-In and the Department of Telecommunications, to bring awareness and the required response in strengthening existing security measures.

  • Representation to BSNL on Code Injections [link]
