Disguised censorship isn’t a new theme on this blog – we’ve tracked instances over the last few years both in India and abroad where parties have tried to use shields such as defamation (no stranger to this blog, by the way) and copyright as swords to suppress content. The latest episode in this disturbing trend features Airtel, an Israel-based software company called Flash Networks, and blogger-activist Thejesh GN.
Background
Medianama’s Riddhi Mukherjee tells the story:
“Last week, Bangalore-based Thejesh GN had noticed that Airtel was injecting Java script into its users browsing session, without seeking user consent. The screenshots shared by him on a GitHub thread have unfortunately been taken down, after Flash Networks sent a DMCA notice. However, you can see the screenshots here. Apparently the code inserts a toolbar into the user’s browsing session.”
You probably knew where this was going: Thejesh received a cease-and-desist notice, and Github received a DMCA takedown request. Mike Masnick at Techdirt makes two crucial observations on the case. First, the most alarming aspect of the notice is its threat of penal sanction – he’s been accused of criminal copyright infringement, and threatened with punishment. In what seems to be a roundabout way of saying “Don’t mess with us”, Flash Networks’ lawyers have copied the Commissioner of Police and the ADGP in charge of the Cyber Crime Police Station in Bangalore on the notice for good measure. Second, GitHub seems to have taken down the screenshots without notifying him – something the company has vowed not to do.
Of course, as with most other instances of censorship on the internet, the Streisand effect seems to have propelled Thejesh’s findings into the limelight.
Flash’s Copyright Claim
The argument, in essence, is that Thejesh published a snippet of proprietary code belonging to Flash, thus infringing upon their copyright. This claim seems to be questionable on several counts, each of which I will outline below.
- Publication
Flash seems to have a problem with Thejesh “publishing” the snippet by uploading screenshots to Github. Paragraph 5 of the notice asserts that the code is closed-source, and therefore “no one can use the said code without obtaining license” from Flash. This seems to be a remarkable leap of logic. Closed-source software distribution models are implemented in one of two ways: either the provider keeps the source code outside everyone else’s reach, or he distributes the code to a small group of pre-approved recipients (licensees/clients) while inserting non-disclosure provisions into the license that become actionable upon breach. In this case, Flash has obviously not taken the first route (the snippet is visible to anyone who bothers to hit Ctrl + U on a browser), and it’s safe to assume that Thejesh has no contractual obligation towards Flash to keep the code he found to himself, in the absence of any legal relationship between them.
What’s more problematic, however, is the mischaracterisation of Thejesh’s “publication” of the snippet. Section 3 of the Copyright Act, 1957, for example, acknowledges that publication of a work occurs when it is made available to the public. The distinction here is between availability and access. The snippet was always available – in that sense, it Thejesh cannot be said to have “published” the code because it was always there for an interested viewer to read and examine. By putting out screenshots and pointing out the code to his sizeable Twitter following, Thejesh did not influence the availability of the code, but merely enabled greater access to it. In fact, he even did his best to attribute the code to its source. If such conduct is to be viewed as publication that infringes upon copyright, then Medianama could probably send me a similarly worded cease-and-desist for infringing upon Riddhi Mukherjee’s copyright by “publishing” his work without permission. To illustrate further, let’s extend this sort of claim to a non-software scenario. Let’s say the Ambedkar Periyar Study Circle at the Indian Institute of Technology, Madras drafts a pamphlet and puts it up in a publicly accessible noticeboard at the Institute. If we were to buy Flash’s claim, it would follow that copyright law could prevent me from taking a picture of this pamphlet and tweeting it for the purpose of holding a discussion on caste in India. In a nutshell, extending Flash’s argument to its logical conclusion, anyone who views and screenshots a webpage’s source code would be guilty of copyright infringement.
- Fair dealing
Even if Thejesh’s actions, prima facie, amounted to publishing an infringing copy of the code, he has several readily available defences. First off, there’s Section 52(1)(ac) of the Copyright Act, which provides that “the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied” shall not constitute infringement. The essence of Thejesh’s screenshots and tweets was the identification of the underlying principle of the snippet, and the highlighting of what can only be described as a Man In The Middle exploit inserted by Airtel or its partners unknown to its customers.
Similarly, another possible defence could lie in Section 52(1)(b) of the Act, which provides that a fair dealing of a copyrighted work (by means of photographs or otherwise) for the purpose of reporting current events would not constitute infringement. Thejesh’s actions seem to be squarely covered by this provision, since it’s quite clear that his only motivation in uploading screenshots was to report on Airtel’s practice, bringing it to the public’s attention.
A more interesting, although more tenuous defence presents itself in the form of Section 52(1)(t), which exempts the “making or publishing” of any work of artistic craftsmanship, if such work is permanently situated in premises to which the public has access. The challenge, of course, is whether a snippet of code would qualify as a work of artistic craftsmanship, but there certainly seems to be a principled argument in favour of Thejesh’s actions here.
As Medianama’s report states, Airtel has claimed total ignorance of the matter, claiming that one of its “network vendor partners” was responsible for the offending code.
Having covered his defensive options, there are a couple of counterclaims that Thejesh could make against Flash Networks. First, he could land Flash (and if there’s enough evidence, Airtel) in hot water over the implications of his discovery. A MITM-style exploit that is capable of monitoring user behaviour would amount to an egregious breach of privacy on a massive scale. Second, as Thejesh himself has acknowledged, the script’s presence could mislead visitors to his website regarding its origin, leading them to believe that it was part of the website’s source code. This would mean that contrary to Paragraph 6 of the cease-and-desist, it was Flash that was diminishing the goodwill of Thejesh’s website. This leads to the third and most interesting question – one that I’ll leave you to ponder. Does the addition of this Javascript snippet alter the website’s source code? If so, would such alteration of a website’s copyrighted source code become a derivative work? If this is true, then Flash Networks would be guilty of creating unauthorised derivative works on a massive scale, for which there would be hell to pay for.
Edit (18 June 2015): Lawrence Liang of the Alternative Law Forum has sent out a formal reply to Flash Networks on behalf of Thejesh. In it, he argues that Thejesh is well within his rights because of the provision in Section 52(1)(ac) of the Copyright Act. You can view a copy of the reply on Thejesh’s website here.
There is another issue here. The script inserted in this case was just some toolbar. But there is a chance that they may have, at some time, had scripts that store user credentials and so on. Also, if the coders of this toolbar didn’t pay much attention to security, there is a chance that hackers can exploit this and make the website into which this script was surreptitiously added vulnerable to all sorts of attacks.
Great job Thejesh GN. These big corporations will never get away with it as long as we have blogger-activists like you.
This interesting post deals with important issues. I’ll just make one pedantic comment about copyright. Infringement of copyright, defined in Section 13 of the Copyright Act, relates to the exclusive rights enumerated in Section 14. “Publish” is not one of them and the definition of “publication” in Section 3 is apparently for purposes of Chapter V (Term of Copyright) and for some of the compulsory licensing provisions in Chapter VI. The meaning of the term when used in Section 52(1)(t) has to be read differently (bad draftsmanship) since Section 52 can only refer to acts that would be infringing if not referred to in that section; in 52(1)(t) the term would appear to refer to communication to the public–it would make sense only if read as such.
Dear Mr. Sagar,
I wasn’t aware of this interpretation of S. 52(1)(t) – thank you for bringing that to our notice. I think that the core thrust of the post still stands, though – that what Thejesh was doing was not making available (or communicating) content to the public, but merely increasing access to what was already “out there” for all to see. Thanks for writing in!
Sir, if i may ask how does S. 13 define infringement? if you could just explain in a few words it would be really helpful.
Obvious typo. Nobody else bothered to comment on it.
I need to clarify one thing about my last post (and can’t find a way of editing it). The term “publication” in Section 3 is, in context, a one-time event.
Awesome and much useful information. Nice and detailed explanation.
Thanks for sharing this excellent info and tweeted 🙂