On June 9, The Wire broke the story of a Bengaluru-based programmer who’d revealed that an Israeli company was injecting malicious JavaScript code into websites visited on Airtel’s 3G network. Thejesh GN had uploaded the script and screenshots of where he found it was being injected on his website to GitHub on June 3. In reply, he was threatened with overzealous punitive action under the IT Act 2000 by the company, named as Flash Networks, on June 8.
On Monday, in a heartening turn of events, Lawrence Liang, a reputed Bengaluru-based legal researcher and cofounder of the Alternative Law Forum, served a counter-notice to Flash Networks’ notice. Liang asserted his and Thejesh’s right to civil and criminal proceedings against Flash for the “unlawful insertion of code by your client into my clients source code”, which “amounts to a violation of the rights of my client, including but not limited to a violation of his privacy, an attempt to unlawfully access and hinder the operation of his website and a violation of the right to integrity of the work of my client.”
A copy of Liang’s reply was uploaded by Thejesh to his website on Monday. The document describes in detail Thejesh’s actions and the underlying intent – which were tantamount to a review of the JavaScript injection by Flash, their origin from an Airtel-owned IP address, and an inspection of their effects on his website. As the document states, “It is also commonly accepted that whenever one encounters any inserted scripts, viruses or spyware, you publish them as supporting document and evidence so other researchers can review your investigation by looking into it.”
Following Thejesh’s upload to GitHub on June 3, Flash put out its notice on June 8. The next day, in an effort to shut down the GitHub repository in which he had uploaded the screenshots, Flash served a notice under the American Digital Millennium Copyright Act. The repository was then automatically taken down by GitHub for until the matter is resolved.
In the aftermath of these events, Flash has repeatedly asserted that Thejesh violated the “confidentiality” of the script that it was injecting, called Anchor.js. Although Airtel issued a statement saying it had teamed up with Flash to track users’ monthly subscription usage, neither Flash nor Airtel have offered a substantive explanation as to how Anchor.js accomplished it. This is because Anchor.js was also found to be inserting ads onto webpages, which – thanks to their unsupervised nature – could just as well be inserting code that compromised security and user privacy.
Apart from asserting their right to legal recourse instead of the blind compliance that Flash’s DMCA notice expects, Liang has demanded that Flash should “offer an unconditional apology for attempting to insert a malicious piece of code into my client’s website which has affected the functionality of the same as well as lowering the reputation of my client” and “for violating the privacy of my client”.