Recently, the Internet Freedom Foundation (IFF) has revealed how the Bharat Sanchar Nigam Limited (BSNL) is injecting a code into browsers that continues to persist on their networks. In their representations, the IFF has highlighted the BSNL’s vague replies and other past responses.
In May 2019, the IFF had voiced its concerns regarding these codes’ injection and how they’re not legal under various legislations. They however had not received any response and ultimately filed the RTI with BSNL, Department of Telecommunications (DoT), and CERT-IN.
Responding to the RTI, BSNL acknowledged the existence of these injections and claimed that there was no malware in the code. In addition, BSNL stated that providing information on BSNL’s engagement in the insertion of code injections would violate “commercial confidence” and it would harm their competitive position.
Further, BSNL said they rely on such activities to communicate with customers on available offers and information on Parental Control guidelines. If they receive complaints via emails, they enable their ‘DND’ mechanism after confirming and collecting user IDs.
The IFF analyzed the code and concluded that a host of information is presumably shared with the third-party advertiser. It includes details about the website and also the information that could potentially identify the user. Generally, when user data is shared with advertisers, it is done in an aggregated manner. It does not allow the advertisers to see who these users are. However, with BSNL that is not the case. According to IFF, BSNL is sharing non-aggregated browsing data directly.
Privacy Focused Suggestion
IFF has made various suggestions to protect user privacy. BSNL must make this practice strictly “opt-in.” It means users must provide explicit consent for such services.
In addition, BSNL needs to respond to queries regarding the decision which allows the implementation of these services. It should make details of any agreements it signed for these services and any revenue it generates from the services.
Apart from non-consensual data gathering, code injection through browsers also runs the risk of malicious code injection. The IFF says BSNL should provide details of all the security measures they have in place, to ensure a compromised code is not injected into users’ browsers.