- Background: IFF has received an increasing number of reports through its online reporting tool, of various net neutrality violations. A particularly interesting response also informed us of browser injections by BSNL.
- Need for security: BSNL’s disregard to the security of their networks is alarming given the sensitivity of the nature of information transmitted in these fields. We ask BSNL to take necessary recourse in addressing the issue.
In our previous posts, we introduced our online reporting tool to keep a record of Net Neutrality violations around India. One of the responses that stood out informed us of browser injections by BSNL permitting advertisements, on non-HTTPS sites. We decided to look into the issue further, which led to the discovery of numerous public complaints on social networking platforms and discussion forums of similar injections.
Venomous code injections
Techniques such as code injections are generally used to gain unauthorised access to systems, compromise the integrity and safety of sensitive data or deny access amongst other significantly detrimental consequences. After learning of its prevalence within the BSNL services, it led to concern not only the security of the information involved but especially the illegality of their actions, so we put it to the test against various frameworks in existence.
- The Information Technology Act, 2000
Section 43 of the Act provides various protections to information that is within a computer resource, in order to maintain its integrity and security from unauthorised attacks. Hacking of a computer system deceptively, in such a manner, would even render one punishable by fine or imprisonment under Section 66 of the Act.
Not only is injecting code done without the knowledge of the individual, its purpose is to undermine the vulnerabilities of the code to fulfil its own agenda.
- Cellular Media Telephone Services Agreement
As far as we could find, BSNL is governed by the provisions of Cellular Media Telephone Services agreement which specifies in clause 44.4 that the Licensee (BSNL) is to ‘ensure protection of privacy of communication and ensure that unauthorized interception of messages does not take place.’
Permitting such insertion of code definitely permits unauthorised interception of the original code which in all likelihood puts in jeopardy the security and protection of the privacy of the transmission. This is in clear breach of its own license conditions.
The Department of Telecommunications also circulated a notice providing for minimum requirements of security to be met by Licensee, in line with the DoT’s licensing conditions in May 2011. It specifically expects measures to be in place against intrusion of malware, protection of information in networks and its facilities, basic updated security measures in compliance with statutory, regulatory, licensing or contractual obligations. BSNL appears to be clearly failing to meet these requirements.
So we decided to write to BSNL stating exactly this; explaining how it is in contravention with a multitude of provisions (Read it here). In addition to this, we have also attached to this representation, a compilation of various reports of such code injections. Such thorough documentation has only been possible to the proactive users of India Broadband Forum, Twitter and Reddit (you guys have led us to some pretty intense discussion forums).
We provide BSNL with some necessary next steps, provided below, in not only addressing the issue but to provide some accountability for their lack of redressal over user complaints.
- Investigate: Formulate a working group to coordinate the legal and technological departments and then conduct an official audit, specifically investigating each reported incident and identify the reasons for its occurrence in different geographies.
- Disclose: Public disclosure of the findings of the audit and take the proportionate corrective measures.
- Fix: Take immediate actions in the interim as well as standing instructions which may be considered to prevent recurrence.
We are optimistic that BSNL will pay heed to our representation and take needed action. We do mention that in case of failure to do so, IFF fully intends to move forward with strategic steps to approach Government authorities including CERT IN and the Department of Telecommunication to bring awareness and the required response in strengthening existing security measures.
Link to important documents
- Representation to BSNL on Code Injections [link]
From Internet Freedom (originally published on 17 May 2019)