TELKOM Indonesia Secretly Injects Advertisements

Raymond Reddington
4 min read · Jan 31, 2016


TELKOM (https://twitter.com/TelkomIndonesia), the biggest telco company in Indonesia, has been secretly injecting advertisements into nearly every non-secure (HTTP) webpage viewed by its customers. It sniffs the traffic and injects scripts which potentially load ads at the top of the page without the consent of either the website owner or the customer. This shady practice has been going on for years without any action from the government.

TELKOM is not the only one (XL is also known for a similar practice), but I decided to focus this article on TELKOM because it is partially owned by the government and it has the largest number of customers and the biggest internet network in this country.

When confronted by many in 2014, the company stated that it had the legal right to use its network for anything, including (secretly) injecting ads into web pages loaded into its customers’ browsers. Here are a few of many articles related to this issue.

This smiling idiot from the regulator board (BRTI) said it’s OK! (Because TELKOM owns the infrastructure, it’s entitled to do anything with it including, but not limited to, shoving ads in your face, making you pay for it, and ruining your websites.)

Victim 1: The Customers

So what happens if you use TELKOM’s internet service? Here are some examples of what you get when you visit non-secure (HTTP) websites.

STACK OVERFLOW

TELKOM sniffs the traffic between your browser and SO and then injects JavaScript code into the SO page on its way to your browser. The script looks like this:

The script injected into the victim web page
Ad injected into SO header
The Ad comes from TELKOM Ad Server

Once the script is loaded in your browser, it talks to TELKOM’s ad server to get an ad. When it gets one, it loads more assets that are required to show the ad to you.

Because of that script, the page you’re viewing becomes at least 125KB heavier and of course, feels slower. Obviously, if you’re on a time/volume-based connection, it is you who pays for the extra KB — it’s not FREE.

Some Other Sites

www.lazada.co.id
www.tiket.com
When there’s no ad to show, TELKOM’s script throws an exception
BBC
CNN
RedHat

Even its competitors, like Indosat, become victims. The script is injected into Indosat’s home page and also into all HTML iframes in that page (see it yourself on the Indosat home page).

Victim 2: Website Owners

If you make money from Google ads, you will be hurt.

If you use Google’s IMA SDK, don’t be surprised when you find that ads have suddenly gone from your pages. That fucking TELKOM script can break IMA.

Here’s an example that I just saw on one of my clients’ sites.

Syntax error on Line 74
On Line 74, there it is. That fucking ad script.

Also notice the difference in the size of bridge.html with and without the TELKOM script. That certainly makes your website load slower. A lot slower.

WITH TELKOM script
WITHOUT TELKOM script

If you spend a lot of time and money crafting a beautiful website …

TELKOM will ruin it. Just one big ad on the header.

Your pretty site is no more

What can you do?

If you can switch to another provider, go for it. Don’t ever look back. Don’t even think twice. Just leave TELKOM. Now.

But if you live in an area, like most other places in Indonesia, where TELKOM is the only provider available, then you can use an ad blocker and/or a VPN.

If you’re a website owner, secure your website with SSL (HTTPS) to keep everyone, including your ISP, from sniffing the traffic and injecting anything into it.
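One way a site owner can confirm that a page is being modified in transit, as an added example that is not from the original post: compare the HTML your origin served with the copy a client received over plain HTTP, and list the script tags and extra bytes that appeared on the way. The function names and the `ads.isp.example` host are hypothetical, the sample pages are constructed, and the regex-based tag extraction is a simplification that is enough for a diff like this.

```javascript
// Added example (Node.js). All names and sample data below are constructed.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

// One stable key per <script>: its src URL, or its trimmed inline body.
function scriptKeys(html) {
  const keys = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    keys.push(src ? 'src:' + (src[1] ?? src[2] ?? src[3])
                  : 'inline:' + m[2].trim());
  }
  return keys;
}

// Compare the page as served by the origin with the copy a client received.
function findInjection(served, received) {
  // Count scripts the origin really sent, so legitimate duplicates still match.
  const known = new Map();
  for (const k of scriptKeys(served)) known.set(k, (known.get(k) || 0) + 1);

  const injected = [];
  for (const k of scriptKeys(received)) {
    const left = known.get(k) || 0;
    if (left > 0) known.set(k, left - 1);
    else injected.push(k); // present on the wire, never sent by the origin
  }
  return {
    injected,
    extraBytes: Buffer.byteLength(received, 'utf8') -
                Buffer.byteLength(served, 'utf8'),
    modified: served !== received,
  };
}

// Constructed sample: origin copy vs. copy fetched over HTTP on the ISP link.
const served = '<html><head><script src="/static/app.js"></script></head>' +
  '<body><h1>Hello</h1><script>init();</script></body></html>';
const received = '<html><head><script src="/static/app.js"></script>' +
  '<script src="http://ads.isp.example/inject.js"></script></head>' +
  '<body><h1>Hello</h1><script>init();</script></body></html>';

console.log(findInjection(served, received));
```

Fetch the `received` copy from a connection on the affected network and the `served` copy from the origin itself (or over a VPN); once the site is HTTPS-only, the two should be byte-identical.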

Last but not least, share this post and let the Indonesian government know that we don’t like being treated like idiots.
