Does Your ISP Spy On You?

written byShashidhar CN
posted on

Do Airtel, Jio, ACT spy on fiber internet users? ISP-supplied routers raise privacy, digital rights concerns

Airtel, Jio, ACT and others insist on bundling their free routers with their fiber connection. Users are not given any choice, and that is now sparking privacy and digital rights issues, with some believing that these free routers allow Airtel, Jio, and others to snoop on users.

It is not just that Airtel, Jio, ACT and others supply their own routers to fiber connection users, the bigger problem is that they insist on users putting these routers in their home network. (Representational Image: Getty Images)

Anyone who has taken a fiber internet connection from Airtel, Jio, ACT -- or, for that matter, a few other popular internet service providers -- in recent times will recognise the issue. Even if the issue may not be evident at first to regular users. With every fiber connection, there is a free router bundled with the service. All major internet service providers in India, and primarily Airtel, Jio and ACT, supply a router to the user. While they do so in the name of "free router" and "convenience", the reality is that it is mandatory. Airtel, Jio, ACT and others no longer allow users to take fiber connections unless they also agree to take the "free" router.

While seemingly the issue has not been a concern to most users, largely because of the zero cost associated with the bundled routers, some power users and users conscious of their privacy are raising the alarm over it. The concern is that because the router is owned and managed by the internet service provider, companies like Airtel, Jio and ACT, which supply and manage these routers as well software inside them, can snoop on all internet traffic passing through the router.

The concern is also related to the matter of choice and ability to own a gadget. It is not just that Airtel, Jio, ACT and others supply their own routers to fiber connection users, the bigger problem is that they insist on users putting these routers in their home network. If users want to buy and use their own routers, Airtel, Jio, and ACT often refuse the connection.

For example, take the case of Nikhil Pahwa, co-founder SaveTheInternet and a digital rights activist. He recently took to Twitter to complain about Airtel that insisted he would have to take the Airtel supplied router with an Airtel connection.

Pahwa wrote on Twitter, "Don't understand why @Airtel_Presence insists on installing their own modem with their broadband connection. Anyone else faced this issue with them? How did you get them to allow your modem? I have better quality modems which work with other fiber connections."

To the uninitiated or anyone not particularly concerned with digital rights and privacy, the whole issue may not be apparent at first. So, it is worth taking a back step to look at the exact problem.

India Today Tech reached out to Airtel, ACT and Jio, seeking detailed comments on why they insist on forcing "free" routers on users. All three internet service providers refused to comment.

Airtel, Jio and ACT routers mandatory 

The issue, as many Indian internet users can confirm, is that whenever Airtel, Jio, ACT and other internet service providers put up a fiber connection in a home, they insist that the user will have to use the company-supplied router. In the early days of the fiber connections, say around 6 to 7 years ago, the ISPs provided two pieces of networking gear: an ONT (optical network terminal) that would convert the fiber line into a regular internet connection that could be used within a home, and a router that would connect to the ONT and provide WiFi as well internet link to a computer or laptop.

In this scenario, users were allowed to use their own router, but the ONT had to be ISP-supplied.

But after a few years, and particularly after the arrival of Jio, which had always insisted that users must take the free router whether they wanted it or not, even Airtel and ACT started moving to a single piece of networking gear. This single device is "ONT Plus Router" combined in one device, and it is mandatory.

In some cases, when users insist on using their routers, Airtel, Jio, ACT, and others allow users to connect another router to their own router. While this step helps users increase WiFi coverage in their house, as well as gives them a sense that they are in control of their network, the reality is different. The primary router remains the machine supplied by Airtel or Jio, and there is almost no control users have on the network. Putting two routers back-to-back on the network also tends to create usage issues, particularly with video gaming, where firewalls inbuilt into routers can mess up internet connectivity.

In a few other cases, Airtel does allow a further concession to some users if they insist a lot and know the right people. The company allows users, after approval from Airtel engineers, to operate its router in "bridge mode" and hence gives the control of the network back to the user. But these cases are rare, and Jio and ACT don't even allow that.

Neither Airtel nor Jio and ACT replied to questions sent to them by India Today Tech.

Privacy and digital rights issue 

It is possible that Airtel may allow Pahwa to take a fiber connection, use the Airtel-supplied router in bridge mode and hence solve his issue. But Pahwa is aware of the trouble that ISP-supplied free routers can pose to users.

"The problem is with how Airtel configures its modem, which allows it to control it externally. From a privacy perspective, Airtel should not have access to what I am accessing on the internet. Jio also forces people to use their own modem," says Pahwa.

Pahwa's problem is not just the fact that a user has privacy risk and cannot own a piece of gear on his or her network, but also that these free routers aren't as good as what someone can buy from the market. "This is as if a mobile company is giving you the internet connection where the ISP is forcing you to use their handset and is locking you into their handset, or if you don't, they will not give you a connection. These handsets are antiquated, and they deserve to die," he says.

Pahwa has a point. While many power users want to run feature-packed and more capable routers on their network, the ones supplied by Airtel, Jio and ACT are often standard basic routers made in bulk by companies like Huawei, ZTE, Nokia and others for the Indian companies. These routers have only basic features. They also run software and firmware customised by companies like Airtel and Jio, with most of the settings not even accessible to users.

For example, Airtel routers run a firmware that allows Airtel engineers to reset them remotely or change settings without the user even coming to know about it. This is reportedly done using TR-069 protocols.

This remote access, the fact that the firmware in these routers is created and managed by Airtel or Jio, and the inability of users to access or change router settings mean that there is a very real privacy risk here. In theory, these routers can allow an internet service provider to not just monitor and record but also analyse internet traffic and logs of any user for data mining.

Rizwan Sheikh, a Mumbai-based cyber-security expert and CTO and Founder of Pristine Infosolutions, says that potentially there is a grave risk to user privacy here. "In case of a cybercrime or in case there is a suspect, law enforcement officers seize the routers and carry out a forensic analysis of it to get the logs of the contacts of the devices connected to the WiFi network or internet. But now, because of the online customised router that they provide, it gives the law enforcement officers (and ISP engineers) direct access to the logs," he says.

It is a risk that Abhay Rana, a security researcher who often identifies and points out flaws in various ISPs systems, also highlights. However, he adds that currently, no good documentation or proof is indicating that companies like Airtel and Jio are spying on their users.

"We cannot really say what these devices are keeping track of -- there is no research about these devices carrying out malicious activities, but these are insecure routers. One can only speculate about the privacy or data these ISPs keep track of -- it could be for traffic analysis or the websites that you are visiting, we can't really say," he says.

Rana agrees that these questions will not arise if Airtel and Jio allow users to buy their own networking gear, including routers.

"If we buy a router of our own choice, we can rest easy without many of these concerns. Interoperability is a consumer right, I believe, even if it is not specifically laid down by law. For example, if I buy a SIM, I can use it on any device. It should also work for the internet. I am not sure about its legal implications, but the internet is a public utility, and I would want to do the same with routers as well," says Rana.

Pahwa, too, comes back to the same argument. Choice. He says that users must have a choice. But he doesn't see a way out unless TRAI, which regulates Indian telecom space, takes a look at the issue.

"I have been using the internet since 1996, and this is the first time that an ISP is forcing me to use their modem," says Pahwa. "I think with more ISPs now trying to lock in customers to their own devices, we will face the same issue that we faced with DTH connections and set-top boxes. The TRAI has moved towards interoperability there. I think it should also mandate similar regulations when it comes to broadband connections."

When it comes to choice, privacy and digital rights, the case of Airtel and Jio forcing their own routers on users also highlight how poorly India compares with some other countries.

"If you cannot control your router, it is not free, and your digital freedom is likely to be compromised," reads a line from an article of the Freedom Software Foundation Europe (FSFE), a voluntary organisation that was founded in 2001 and has been "fighting for Router Freedom in Germany," as the article puts it.

In the US in 2020, the regulators came out with a rule saying users will have a choice in routers while taking a connection and that they cannot be forced to pay for a bundled router. Sadly in India, without any regulatory mechanism in place and with poor awareness among users about the risks of ISP-supplied routers, currently, there doesn't seem to be any relief available to broadband users.

Do subscribe, like, share for News, Views, Updates and notifications by subscribing below.