While much of the attention has been focused on Airtel inserting javascript into users internet connections, apparently without their consent and without informing them (we’re awaiting responses from Airtel regarding its approach to privacy), it’s not lost on us that state owned MTNL has also been inserting code into what users are browsing.

While Airtel claims that this code was inserted to monitor user bandwidth consumption- something they should be able to do without having to insert code, so this could be about deeper tracking of Internet usage – MTNL has been pushing advertisements into user Internet connections. This is something I should have written about a year ago (had even planned to file an RTI), which is when it started happening, but somehow never got around to it. A few things to note about the ads:

– Ads inserted by MTNL have typically been for their own services, and have identified my landline number in the message delivered to me.

– Ads have popped up on both the desktop and mobile, but always in browsers. On mobile, it’s particularly irritating since it’s difficult to cancel the ads.

– In a few cases, they have been for value added services (called BBVAS) such as anti-virus tools.

I’ve been regularly taking screenshots of these ads. Some samples from my Internet browsing over the past year, where MTNL ads have popped up, on TechCrunch, Naukri.com, MediaNama, The Indian Express, Hindu BusinessLine, Flipkart:

These advertisements were being pushed via a service called Adphonso, and this post has more details, and indicates how these ads can be blocked. Wish I’d read it earlier, but frankly, it’s cumbersome for me to block these advertisements on all devices, especially the mobile. Each time I add a new device, will I have to figure out how to block ads from my ISP?

Some things to note:

1. Should publishers be aggrieved? As a publisher, it feels as if the ISP is hijacking my site while it is being delivered to a user, and inserting their own code, and doing an ad overlay on my site. My means of monetization is where I prevent others from advertising on my site, and their only channel is through me. Here, a competing channel is being created. We don’t run Google Adwords on MediaNama, but here, in this case, we’re helpless, since the ISP is inserting the code. There have been rumors that European telecom operators are considering blocking ads on websites, in a bid to extract a revenue share of advertising from companies like Google. This is the other approach: put ads in the browser.

2. Is the ISP liable for content being served? Intermediaries such as ISPs aren’t liable for content on their platform, and have a notional ‘safe harbor’, if they do not modify the content. Under section 79 of India’s IT Act:

79. INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hasted by him. (2) The provisions of sub-section (1) shall apply if— (a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or (b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

One could argue that while the intermediary in this case doesn’t initiate the transmission of the website, it does modify its information by inserting the code. A lawyer can probably correct me on this, but on the face of it, this is a possibility. If this is true, then we’ll have to re-examine how ad networks are governed.

3. Is consumer consent being taken, and do they even have a choice? Unlike in case of ad networks, where consent for inserting the ad is typically via the website terms and conditions, we’re not sure if consent is taken from Internet users and/or publishers by the ISP. Look at it as a situation similar to that of the ‘Fair Usage Policy’ regime. Almost every single ISP today has an FUP on all Internet connections. Given that there is no unbundling of the last mile in India, consumers often only have a few ISPs to choose from, all of whom would have an FUP. If, like in case of FUP and Net Neutrality, ISPs and/or telecom operators cartelize, consumers won’t really have much choice.

4. What can publishers and websites do? I’m wondering if it’s possible for websites to introduce a clause in their terms that prevents the modification of the code of the website while its being transmitted to a user, essentially holding the entity modifying the code in transmission liable for tampering with it. Then again, this is unlikely to happen because this is India. The last thing companies want to do is go to court, the same way that the last thing they would want to do is take on an access service provider like an ISP or a telecom operator, fearing vendetta.

5. What stops MTNL or Airtel from spying on users? In an era of mostly static IP’s and with telecom operators compiling user data, what stops them from tracking an individual user and their behavior via the insertion of a code or a cookie, and then selling that data to ad networks or advertisers.

Meanwhile, we’re yet to hear from Airtel regarding the following questions that we sent to them:

1. Since you’ve mentioned this is a standard practice, please indicate which other telecom companies deploy similar solutions?

2. Please identify what security measures Airtel has in place to ensure the script inserted in user’s browsing sessions is not used to spy on them.

3. Please provide documents to indicate what measures you have put in place to ensure that Airtel employees and vendors don’t misuse the data collected.

4. What kind of consumer consent have you taken, before allowing a vendor to track data usage patterns of customers?

5. Which Airtel vendor allowed Flash Networks to inject this code in user browsing sessions?

6. What restrictions are place on Airtel’s vendors and their vendors in such cases?

7. Do the vendors require Airtel’s approval before they deploy such a solution? Please explain how Airtel can absolve itself of any responsibility in this case?

8. What action is Airtel taking against its vendor and against Flash Networks for the harassment faced by an Airtel customer, due to the legal notice sent.

9. Please indicate what kind of Web usage data you collect on usage of websites and apps, and what kind of user information is shared with Airtel’s advertising partners such as Vserv.