There’s a saying that “when it’s free, then you’re the product,” which alludes to data harvesting by free services such as Facebook. But shouldn’t it be different for a paid service?
Cybersecurity researcher Teguh Aprianto from the group “Ethical Hacker Indonesia” on Thursday night exposed that Telkom-owned internet service provider (ISP) IndiHome might have been stealing data from its 7 million users. “I used the term ‘stealing’ because they are taking it without permission, and it’s been done stealthily,” he wrote in a blog post.
According to Aprianto, IndiHome was using a website tracker to get browsing history and gadget screen resolution—which reveals the customer’s device when visiting sites without a data exchange protector like secure socket layer (SSL). Websites with SSL display ‘https’ instead of ‘http’ in its address.
“Every time you go to a site unprotected by SSL, IndiHome can freely harvest the data from websites you are visiting,” he said.
Aprianto then went further to discover the purpose of the stealth tracking. He checked the URL for the website tracker from Google, and found two links. The first one brought him to an internal login portal that might be owned by Metranet, a subsidiary of Telkom, and is focusing on digital content creation, advertising, financial services, and e-commerce.
The second one is more interesting, according to him, as it led to a page displaying the statistics and codes used for the tracking. Aprianto saw that the website tracker got more than 1 billion daily hits since September 13. Both links are now inaccessible.
The researcher is still not clear about the reason behind all this, “but we all know that browsing history data sells well to advertising agencies,” he said.
IndiHome responded on Twitter, saying that Telkom Indonesia, its parent company, followed Indonesian law, including for data protection. The monitoring was an attempt to “increase the quality of service, including technical configuration.”
Aprianto found on Friday morning that the website tracker had been removed. On another blog post, he pointed out that this type of tracking violates the electronic transaction law, which disallows any kind of alteration, transmission, hiding, or transferring of public and/or personal digital documents and information.
Not the first case
It wasn’t the first accusation directed at the provider. In 2018, a Twitter user found that IndiHome planted ad injectors that slow down the browsing speed. When confronted with it, the company claimed through its Twitter account that the action was legal.
Aprianto told KrASIA that the most recent case is very similar. “In my opinion, it’s not legal,” he said. “It violates the electronic transaction law. Customers can bring this case to the court.”
Even though the tracker has been removed, Aprianto asked IndiHome for a public acknowledgment that they have stopped the practice. “We don’t know if this removal is temporary or permanent,” he said. “If temporary, then it’s meaningless.”
He further observed that IndiHome users are often redirected to multiple IndiHome or Telkom-owned pages such as Uzone or Dunia Games, before reaching the page they actually want to access. This increases loading time as the browser needs to accomplish multiple requests. He promises to tackle this issue next.