
Developer Draws Legal Threat For Exposing Indian Telco's Net Neutrality Violation

knightsirius writes: Indian broadband and cellular operator Airtel was discovered to be injecting third-party JavaScript files into web pages delivered over their wireless networks. A developer was viewing the source of his own blog and noticed the additional script when viewed on an Airtel connection. He traced the file back to Flash Networks, an Israel-based company, which specializes in "network monetization" and posted the source on GitHub. Since then, he has received a cease-and-desist from Flash Networks and the code on GitHub has been removed following a DMCA takedown notice.

Readers may remember Airtel from its previous dubious record with network neutrality.

  • Streisand effect (Score:4, Insightful)

    by gurps_npc ( 621217 ) on Tuesday June 09, 2015 @08:58AM (#49875119) Homepage
    Worse, the idiots never heard of the Streisand effect.

    Or its political corollary: The cover up is always worse than the original crime.

  • How many people routinely check the source of their own web page through different connections to look for such injections? If some major US cell network or ISP did this, how likely they will be caught? Would https stop them from messing around with injections?
    • by heypete ( 60671 )

      How many people routinely check the source of their own web page through different connections to look for such injections? If some major US cell network or ISP did this, how likely they will be caught? Would https stop them from messing around with injections?

      So long as the injector can't issue SSL certs that the user will trust, yes, https will stop such injections.

      If the injector *can* issue SSL certs that the user will trust (e.g. the ISP requires users install their local CA, or they somehow have a global wildcard from a trusted CA [arstechnica.com]), all bets are off -- the injector can impersonate and inject content into any https-secured site.

    • Http should prevent code injection, provided the server that handles the http stuff isn't compromised. When the ISP that owns the server is the one doing the injection, the server is compromised.
      • It doesn't need to be the ISP owning the server. It could be an ISP adding data to webpages being transferred to their users. So a user requests the Slashdot home page using $SOME_ISP. $SOME_ISP pulls the page from Slashdot's servers but adds some JavaScript code to it before transferring it to the user. The user sees Slashdot plus the JavaScript code that $SOME_ISP added. Slashdot's servers haven't been compromised at all, but the transmission has been.

        If an individual did this, we might call it a man

  • It is a javascript file. Every user of Airtel and every victim of companies using Flash Networks to monetize the traffic will get these files when they visit websites. So it is very easy to get a copy of the code. So what did they achieve by this DMCA take down notice against GitHub?
    • The owner is objecting to the user redistributing the file which is apparently subject to a license. In this instance GitHub (in USA) needs to apply their own laws in making the determination of fair use or exemption but I think the DMCA notice will stand - unless I'm misinformed there is no exclusion to DMCA for academic purposes as there is in India's safe harbour provisions.
      • by gmack ( 197796 )

        How can a two line change to someone else's web page be covered by any sort of license?

        • Because DMCA takedowns are trivial to create, very difficult to remove, and very expensive to ignore. The law is hopelessly broken.

        • The content in question is likely not designed to be injected to a webpage on-the-fly, it is a standard script line that could have been provided to static pages or some other CMS presentation. Airtel is the one who decided altering content delivered to their clients, which they do not own, was appropriate. Flash Networks is blameless here, it's their customer who misbehaved.
      • The owner is objecting to the user redistributing the file which is apparently subject to a license. In this instance GitHub (in USA) needs to apply their own laws in making the determination of fair use or exemption but I think the DMCA notice will stand - unless I'm misinformed there is no exclusion to DMCA for academic purposes as there is in India's safe harbour provisions.

        The web site does not get to make its own determination, unless it wants to lose the protection of the DMCA. The only way to keep it up is for the user in question to file a counter notice. In that case it becomes an issue between the user and the (alleged) copyright owner.

      • The owner is objecting to the user redistributing the file which is apparently subject to a license. In this instance GitHub (in USA) needs to apply their own laws in making the determination of fair use or exemption but I think the DMCA notice will stand - unless I'm misinformed there is no exclusion to DMCA for academic purposes as there is in India's safe harbour provisions.

        I think the authors of each and every web page viewed by Airtel customers that have been modified by Airtel should sue Airtel for copyright infringement. Airtel is producing a derivative work of the original web page sent by the web server without a license to do so from the web page author. This is a willful violation of the web page author's copyright and is done so for monetary gain. The copyright holders should seek punitive as well as compensatory damages.

    • Every user of Airtel ... will get these files when they visit websites.

      Exactly, which is why he would need to post to GitHub (or somewhere else) - not every person interested in or capable of analysing the code is a customer of Airtel (I know I'm not).

    • Maybe the DMCA takedown was successful because he posted it on github. A source code repository isn't really an appropriate place to post content claimed to be fair use / political criticism. Think about it.

      Blog that sucker instead.

      • There is no "successful" here. A DMCA takedown notice must be adhered to in the US, or you have to pay the money to appeal against it. You can not merely ignore the take down order. Github versus a blog is irrelevant, both places must respond to the take down notice in the same way.

        • You can't merely ignore a takedown notice but there are a number of things you can do instead of complying if you believe it to be in error. The only thing that happens with refusal is that -IF- the material is later judged by a court to be infringing, you -might- be subject to damages for your refusal. That seems rather unlikely in this case.

          I have no idea what you mean by "pay the money to appeal against it." How do you think DMCA takedowns work anyway? It's just a formulaic letter, not necessarily even f

  • by Anonymous Coward on Tuesday June 09, 2015 @09:04AM (#49875185)

    What is with these /. articles mixing up terminology? This isn't net neutrality. They aren't performing any packet shaping or anything like a "Fast Lane". They are injecting ads in other people's sites. Actually this is more shitty than packet shaping, but let's not confuse terminology.

    Just in the last few days we had an article totally confusing what DRM is.

    • by MobyDisk ( 75490 ) on Tuesday June 09, 2015 @10:15AM (#49875809) Homepage

      This isn't net neutrality. They aren't performing any packet shaping or anything like a "Fast Lane".

      Altering the content is the very core of net neutrality violations. One could, debatably, argue that packet shaping and quality of service is part of what an ISP needs to do to maintain a good flowing network. But there is no excuse whatsoever for altering content, and it is far more dangerous. It is bad if getting to a competitor's web site is slow. It is frightening if the competitor's web site has different content on it.

      • by Anonymous Coward

        This isn't net neutrality. They aren't performing any packet shaping or anything like a "Fast Lane".

        Altering the content is the very core of net neutrality violations. One could, debatably, argue that packet shaping and quality of service is part of what an ISP needs to do to maintain a good flowing network. But there is no excuse whatsoever for altering content, and it is far more dangerous. It is bad if getting to a competitor's web site is slow. It is frightening if the competitor's web site has different content on it.

        This^2.

        Can you imagine...say...a hostile government, altering the content of a site critical to their position, so that it actually SUPPORTS their position? The blog writer can add whatever they want, but when someone views the site, they see a government shill.

        This would probably be done by a corporation at the government's behest.

    • Just in the last few days we had an article totally confusing what DRM is.

      Lots of people confuse the Derogatory Restriction Maker with a different technology which, from its name, would seem like it should help you export copyrighted material into a more useful format (as is your right).

    • by zlives ( 2009072 )

      If the web content is copyrighted... and then "modified" by third party code... is that a copyright violation and can be served with DMCA?!!

  • Another reason to get rid of DMCA altogether.
    • DMCA has power over any site that hopes not to have to hire an army of reviewers and moderators just to serve user-generated content. The problem isn't necessarily with the copyright takedowns process, which in this case seems to be quite justified (it's copyrighted, clear) but when it is abused by censorious thugs and their lawyers.

      This one seems pretty clear, user infringed copyright.

    • Another reason to get rid of DMCA altogether.

      More like "another reason to turn your brain on".

      Someone created a blog. He has a copyright on that blog. Someone inserted Javascript. Which created a derivative copyrighted work. Which (a) you are not allowed to store on Github, so that DMCA complaint and removal was 100% Ok, and (b) violated one of the exclusive rights of the blogger, namely the right to create derivative works, so he can take them to court for that.

  • by nitehawk214 ( 222219 ) on Tuesday June 09, 2015 @09:41AM (#49875539)

    Right then, all of you that attack people using adblock as "stealing" content.

    This is why we do it.

    • by Anonymous Coward

      I am a former employee. Not surprised about this at all. I want to run the same tests on T-Mobile because FlashNetworks is embedded inside T-Mobile's infrastructure.

  • Is there a mirror of that javascript anywhere? I'd really like to look at it.
  • The ISP can't inject stuff like that if your site is encrypted. This may irritate the 5-Eyes, but this isn't really to prevent content from being read by the government (they can read the page like anyone else), but to keep it from being molested in transit.
  • This looks like their Layer 8 product: http://www.flashnetworks.com/L... [flashnetworks.com] The Layer8 platform helps mobile operators engage with their subscribers as they browse the web, and to offer them information and services that generate new downstream revenues from over-the-top affiliations. Layer8 is a clientless solution which appears over web pages on smartphones, tablets, and laptops. Does anyone know if the javascript was archived somewhere? I'd like to see it.
  • Is this really a net neutrality issue? Did anyone verify whether they are injecting across-the-board or only specific sites of competing services?

    Disclaimer: I work for an ISP that does JS injection to notify users on quota-based accounts when they have used all of their data, the alternative is to hard redirect http and block all traffic until they log in to a portal.

    • It is. I am a system administrator and more than once I had problems with one of my systems - which is restricted use and very important - caused by rogue javascript code inserted by ISPs or viruses on the user's computer (such codes could never harm the system server itself but prevented the affected user to use it). And as example, if it was you who put this rogue code on the user's connection I could have you arrested for interfering with state emergency services. Point is, injected rogue javascript can
    • by Anonymous Coward

      "the alternative is to hard redirect http and block all traffic until they log in to a portal."

      That is the only valid, legal and moral path. That and sending the user email/text/snailmail/phone whatever notification if they've asked for it. Injection is Just Wrong, whether you're the ISP or the vendor of a router that randomly does something similar (I'm looking at you, Belkin).

      Exception -- the user has explicitly authorized (ie, opted in, not buried in the ToS) you to do injection for that purpose.

  • Not only Airtel, Vodafone also injects Javascript code into 3G users in India.
    If you are browsing from such a connection, just "View Source" of ANY webpage that is not https
    It shows a SCRIPT tag which includes the following files : [blogspot.in]

    http://223.224.131.144/scripts/Anchor.js in an Airtel connection

    Vodafone uses the similar http://1.2.3.4/bmi-int-js/bmi.js
    *Happens on all http but not https websites (like banking and secure websites with a lock symbol)
    *As of now injects an empty iframe which seems
  • Counter attack? (Score:4, Interesting)

    by everett ( 154868 ) <`efeldt' `at' `efeldt.com'> on Tuesday June 09, 2015 @03:11PM (#49878635) Homepage

    Perhaps someone should write a javascript library that can detect if this "ad injection" library has been injected to the page, counter/block its effects and display a notice to the viewer that their ISP is up to some jackassery. Now that would have value.
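
Added example, not part of the original thread or any commenter's code: one way a site owner could check delivered HTML for script or iframe sources they never published, which is the detection idea raised in the comment above. The function name, `blog.example.org` and `cdn.example.net` are hypothetical; the two injected URLs in the constructed sample are the ones quoted earlier in the thread.

```javascript
// Added example; function and host names are hypothetical.
// Flags <script>/<iframe> sources whose host the site owner does not publish.
// Limitation: inline (src-less) injections need a DOM or hash comparison instead.
const TAG_RE = /<(script|iframe)\b([^>]*)>/gi;
const SRC_RE = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function findUnexpectedSources(html, pageUrl, allowedHosts) {
  const page = new URL(pageUrl);
  const allowed = new Set([page.host, ...allowedHosts].map((h) => h.toLowerCase()));
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const srcMatch = SRC_RE.exec(m[2]);
    if (!srcMatch) continue; // no src attribute: nothing to resolve
    const raw = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
    let resolved;
    try {
      resolved = new URL(raw, page); // handles relative and protocol-relative URLs
    } catch {
      findings.push({ tag, src: raw, reason: "unparseable src" });
      continue;
    }
    if (!allowed.has(resolved.host.toLowerCase())) {
      findings.push({ tag, src: resolved.href, reason: "host not allowlisted" });
    }
  }
  return findings;
}

// Constructed sample: a page as published, then as seen with two tags added in
// transit. The two injected URLs are the ones quoted in the thread.
const PUBLISHED = `<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body><p>Hello</p></body></html>`;
const DELIVERED = PUBLISHED.replace("</head>",
  `<script src="http://223.224.131.144/scripts/Anchor.js"></script>
<script type='text/javascript' src='http://1.2.3.4/bmi-int-js/bmi.js'></script>
</head>`);

const PAGE_URL = "http://blog.example.org/post"; // hypothetical site
const ALLOWED = ["cdn.example.net"];             // hosts the owner really uses
for (const f of findUnexpectedSources(DELIVERED, PAGE_URL, ALLOWED)) {
  console.log(`${f.tag} ${f.src} (${f.reason})`);
}
```

In a browser the same function can be given `document.documentElement.outerHTML` and `location.href` after load, with the findings reported back to the site owner.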

  • by SoftwareArtist ( 1472499 ) on Tuesday June 09, 2015 @04:36PM (#49879301)

    Really, the GPL is perfect for solving problems like this. Stick a GPL notice in the source of one of your webpages. Download it from their network. They've just created a derived product by modifying your source, and all their additions are now GPL licensed themselves.
