Indian Programmer Exposes Code Injection, Gets A Cease And Desist From The Injectors

In an exciting example of the Streisand Effect, an Indian Airtel customer, Thejesh GN, discovered that the carrier had begun using Flash Networks’ Layer8 “monetization” (read “ad injection”) solutions. The code, which appeared on most mobile webpages downloaded via Airtel’s network, consists of a pair of basic JavaScript injectors. Thejesh published the code, which used to be freely downloadable via any browser, and was served a cease and desist letter.

The crime, it seems, was the uploading of public code to a public repository, Github. The code, which was publicly available here but now seems to be locked, is considered Flash Networks’ proprietary property. However, like most code on the Internet, it is amazingly difficult to protect this claim barring proof of actual theft. As with so many ridiculous cease and desist letters, that hasn’t stopped Flash Networks lawyer Ameet Metha at Solicis Lex from trying to scare Thejesh. Github, for their part, cravenly pulled the code as part of a DMCA request.

The problem with this sort of back-and-forth between spammers and the spammed is that the spammer never comes out ahead. Almost every example of code injection of this sort, from Superfish to AT&T’s attack on Weev, makes the corporations out to be the bad guys. While the Internet nerd in me says that isn’t a bad thing, the realist in me says that’s just silly. Presumably some short-sighted monetization person at Airtel talked to some short-sighted monetization person at Flash Networks and struck a deal which, because of the code injection, is unsafe and unwanted. Exposing that isn’t a crime, and it is a crime for Flash Networks to make it one.

Airtel, for their part, told Storypick that they have nothing to do with the C&D:

“This is a standard solution deployed by telcos globally to help their customers keep track of their data usage in terms of mega bytes used. It is therefore meant to improve customer experience and empower them to manage their usage. One of our network vendor partners has piloted this solution through a third party to help customers understand their data consumption in terms of volume of data used. As a responsible corporate, we have the highest regard for customer privacy and we follow a policy of zero tolerance with regard to the confidentiality of customer data. We are also surprised at the Cease & Desist notice served by Flash Networks to Thejesh GN, and categorically state that we have no relation, whatsoever, with the notice.”

I’ve contacted Flash Networks as well to see what they can make of this whole exciting ordeal. They write:

The Flash Networks solution that is under discussion is responsible for informing users in real time and over the web browser when they are about to consume their quota and offer them upgrade options and cost effective packages to avoid overcharging - providing them with a better user experience by saving them time and money. The service is designed so that subscribers can opt out easily if they choose. The javascript mentioned does not collect or store any user data but is used to deliver user messages. The service was not announced as the solution was still under testing and therefore not displaying any messages to users. It had not yet completed a launch process.

Relative to the legal notice sent by Flash to Thejesh GN – Thejesh GN published Flash Networks’ proprietary source code, without Flash Networks’ consent. This was done to protect and ensure Flash Networks’ intellectual property. We are grateful that Github found our request reasonable and automatically removed the code. To clarify, no claims were made as to the discovery of the javascript injection as this is not confidential but rather to the disclosure of intellectual property source code.

We appreciate concerns about user privacy so we follow the most stringent ethical, regulatory and legal practices to ensure data confidentiality.

via TechDirt