A report from human rights organization Access indicates that in some cases, Indian telecom operator Bharti Airtel was inserting a “tracking header” in the connections of some users. The data sample is clearly very small: only four tests from Airtel were confirmed by Access as being tracked over a six-month period, and the sample also depends on users testing their own connection with Access’ AmIBeingTracked.com tool. All in all, 702 tests were conducted from India, of which 418 (59.5%) were inconclusive, 280 were not being tracked (39.8%), and 4 (0.56%) were being tracked. Only 702 (0.39%) of the 180,000 tests included in this report were from India. Clearly, India needs a bigger sample size, and across operators, not just Airtel. You may test your connection here.

Access points out that tracking headers are in fact not cookies at all because they are injected at the network level, out of the reach of the user. A more accurate term would be Carrier-Injected HTTP Header. “Headers are an essential part of internet communications. When you use the internet on a mobile device, you normally transmit one or more unique identifiers — including IMEI, IMSI, and ICCID identities — that include information about who you are and where you are located. But tracking headers go beyond such normal data sharing,” the report says.

We sent Airtel the following questions:

1. Please confirm or deny whether Airtel has ever used a tracking header from Amobee (a Singtel company), as indicated in the report: https://www.accessnow.org/page/-/AIBT-Report.pdf

2. Please clarify whether Airtel has ever added/inserted any tracking header in user connections. If yes, then which ones and when?

3. Does Airtel still insert code into user Internet connections from Flash Networks, which had been pointed out in the media (including us) earlier this year?

4. Does Airtel intend to insert any code into user Internet connections after the Telecom minister Ravi Shankar Prasad said in Parliament that this code is only being used to enhance consumer experience?

5. What other kinds of tracking does Airtel do? Is Airtel providing access to its telecom network under the Central Monitoring System?

6. What kind of user data is currently being tracked by Airtel, apart from data on which websites are being surfed by its users? This is with reference to the traffic information I saw at the Airtel NOC when I had visited.

An Airtel spokesperson sent the following statement in response, which doesn’t address the questions:

“We take customer privacy laws/ rules very seriously and do not track our customers’ journey online. Specifically, we do not use super cookies on our network. In fact – www.amibeingtracked.com, the testing website created by Access, validates this and confirms that the Airtel network does not track its customers’ data.”

A couple of things:

– Firstly, the Access report clearly points out that tracking headers are not supercookies.

– Airtel is correct when it says that amibeingtracked.com suggests that Airtel is not tracking users. This still doesn’t address question 2, where we asked if Airtel has ever done this.

– Airtel hasn’t responded to questions 3, 4 and 5 (regarding CMS).

– India doesn’t have a privacy law.

Amobee tracker on Airtel

According to the report, the tracker x-amobee-1 was found in these users’ Airtel connections; it’s a tracker that, according to Access, remains on even if users have ‘do not track’ options enabled in their browser. It’s worth noting that Amobee is an advertising network which Singtel, a company that has investments in Airtel, had bought a few years ago. I just tested my Airtel connection, and the AmIBeingTracked.com tool indicated that my data connection does not have tracking headers. This doesn’t change the fact that some users did face this issue, and that any inclusion of tracking headers, especially when users aren’t aware or don’t have the option of turning off these headers, is a violation of users’ right to privacy. Network service providers should ideally not be interfering with user connections, nor should they be inspecting individual users’ traffic.

Airtel has inserted code in connections before

In June, Bangalore-based Thejesh GN had noticed that Airtel was injecting JavaScript into its users’ browsing sessions, without seeking user consent. The screenshots shared by him on a GitHub thread have unfortunately been taken down, after Flash Networks sent a DMCA notice. However, you can see the screenshots here. Apparently the code inserts a toolbar into the user’s browsing session.

Airtel had passed the buck on to a vendor at that time, so we sent them some questions, which they’re yet to respond to:

1. Since you’ve mentioned this is a standard practice, please indicate which other telecom companies deploy similar solutions?

2. Please identify what security measures Airtel has in place to ensure the script inserted in users’ browsing sessions is not used to spy on them.

3. Please provide documents to indicate what measures you have put in place to ensure that Airtel employees and vendors don’t misuse the data collected.

4. What kind of consumer consent have you taken, before allowing a vendor to track data usage patterns of customers?

5. Which Airtel vendor allowed Flash Networks to inject this code in user browsing sessions?

6. What restrictions are placed on Airtel’s vendors and their vendors in such cases?

7. Do the vendors require Airtel’s approval before they deploy such a solution? Please explain how Airtel can absolve itself of any responsibility in this case?

8. What action is Airtel taking against its vendor and against Flash Networks for the harassment faced by an Airtel customer, due to the legal notice sent?

9. Please indicate what kind of Web usage data you collect on usage of websites and apps, and what kind of user information is shared with Airtel’s advertising partners such as Vserv.

MTNL also inserts code in connections

MTNL inserts code into users’ wireline broadband connections, which allows it to serve advertising on publisher websites. It has sent pitches to potential advertisers, with charges of Rs 150 per 1000 impressions. Our story and some sample screenshots here.

India’s telecom minister doesn’t mind

India’s Telecom Minister Ravi Shankar Prasad, in a written reply to a query on Internet privacy raised in the Rajya Sabha by MP Rajeev Chandrasekhar, about ISPs inserting codes into user Internet connections, said that “such solutions are already deployed and continue to be deployed by operators globally to enhance information, customer service and experience.”

The dangers of tracking headers

Access points out the following issues with tracking headers:

– Users cannot block tracking headers, because they are injected by carriers out of reach at the network level

– “Do not track” tools in web browsers do not block the tracking headers

– Tracking headers can attach to the user even when roaming across international borders

– Even if tracking headers are not used by the carrier itself to sell advertising, other firms can independently identify and use the tracking headers for advertising purposes

– Certain tracking headers leak important private information about the user in clear text, including phone numbers

– Rich data profiles about users that tracking headers create make them prime targets for government legal requests or surveillance.

– Using tracking headers also raises concerns related to data retention. When “honey pots” of sensitive information, such as data on browsing, location, and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike.

It’s important to note that tracking headers do not work when users visit websites that encrypt connections using HTTPS.
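The check behind a test of this kind can be sketched as follows: compare the headers a client knows it sent with the headers a server reports receiving, and flag anything added in between. This is an added example, not code from Access or its AmIBeingTracked.com tool; the allow-list, the digit heuristic and the sample requests are assumptions constructed for illustration, and only the header name x-amobee-1 comes from the report.

```python
import re

# Header name taken from the page (the Amobee tracker); compared in lower case.
KNOWN_TRACKING_HEADERS = {"x-amobee-1"}
# Assumed allow-list: headers ordinary proxies add for non-tracking reasons.
BENIGN_ADDED = {"via", "x-forwarded-for", "x-forwarded-proto", "connection"}
# Heuristic: a run of 10-15 digits looks like a phone number or subscriber ID.
LONG_DIGITS = re.compile(r"\d{10,15}")


def find_injected(sent, received):
    """Return (header, reason) pairs for headers the server saw but the client never sent."""
    sent_names = {name.lower() for name in sent}
    findings = []
    for name, value in received.items():
        lname = name.lower()
        if lname in sent_names:
            continue  # the client itself set this header
        if lname in KNOWN_TRACKING_HEADERS:
            reason = "known tracking header"
        elif lname in BENIGN_ADDED:
            continue
        elif LONG_DIGITS.search(value):
            reason = "added in transit, carries a long numeric identifier"
        else:
            reason = "added in transit, purpose unknown"
        findings.append((lname, reason))
    return sorted(findings)


# Constructed sample data, not captured traffic. The client sends DNT: 1,
# which has no effect on what the network adds afterwards.
SENT = {"Host": "example.test", "User-Agent": "probe/1.0", "DNT": "1"}
SEEN_OVER_HTTP = {**SENT, "Via": "1.1 proxy", "x-amobee-1": "CONSTRUCTED-ID-0001"}
SEEN_OVER_HTTPS = dict(SENT)  # encrypted in transit, so nothing could be added

if __name__ == "__main__":
    for label, seen in (("http", SEEN_OVER_HTTP), ("https", SEEN_OVER_HTTPS)):
        print(label, find_injected(SENT, seen))
```

The comparison is only meaningful when the probe request goes over plain HTTP, since that is the only case in which the network can modify the request.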

Access makes the following recommendations:

– Government: Authorities should hold carriers accountable for false or misleading statements or practices regarding tracking headers, and require carriers to provide affected users with an adequate remedy, and to make guarantees of non-repetition

– Carriers/telecom operators: All carriers should publicly disclose their use of tracking headers and not enroll users by default for any reason, such as advertising. Any use of tracking headers or similar tracking technology should require users to clearly, specifically, and explicitly opt-in, after being fully informed of the potential risks. Carriers must provide a clear, easy-to-use opt out mechanism for users, regardless of whether they previously opted in.

– Websites: Websites and apps should use encrypted HTTPS connections by default.