The plan is part of the Modi government’s efforts to boost security of user data as online fraud and data breaches increase in the world’s second-largest smartphone market, with nearly 750 million phones
New Delhi: India proposes requiring smartphone makers to share source code with the government and make several software changes as part of a raft of security measures, prompting behind-the-scenes opposition from giants like Apple and Samsung.
The tech companies have countered that the package of 83 security standards, which would also include a requirement to alert the government to major software updates, lacks any global precedent and risks revealing proprietary details, according to four people familiar with the discussions and a Reuters review of confidential government and industry documents.
The plan is part of Prime Minister Narendra Modi’s efforts to boost security of user data as online fraud and data breaches increase in the world’s second-largest smartphone market, with nearly 750 million phones.
IT Secretary S. Krishnan told Reuters that “any legitimate concerns of the industry will be addressed with an open mind”, adding it was “premature to read more into it”.
However, an official statement said on Sunday that the IT and electronics ministry has started routine stakeholder consultations on mobile safety and security requirements and will address legitimate concerns raised by the industry before firming up any framework.
Mobile security is a critical aspect as smartphones are increasingly used for financial transactions, delivery of public services, and storage of sensitive personal information, which makes them attractive targets for cybercriminals, said the Ministry of Electronics and IT (Meity).
It said that any compromise on mobile security can lead to identity theft, financial losses, privacy violations and unauthorised access to sensitive information, such as banking details, photographs and login credentials.
“A structured process of stakeholder consultations is going on to develop an appropriate and robust regulatory framework for mobile security. These consultations are part of the ministry’s regular and ongoing engagement with the industry on safety and security standards,” the statement said.
The ministry said that unsecured mobile devices pose significant risks, including data breaches and operational disruptions for businesses as well.
“Meity has been engaging with industry representatives to better understand the technical challenges, compliance burdens, and international best practices adopted by smartphone manufacturers. The ministry reiterates that all legitimate concerns raised by the industry will be examined with an open mind, in the best interests of both the country and the industry,” the statement said.
The IT ministry also said that the government is continuously taking steps to ensure the safety and security of users and to protect their personal data in the rapidly evolving digital ecosystem, and remains firmly committed to strengthening cybersecurity and safeguarding the privacy of citizens.
Meity said that it routinely conducts consultations on various aspects, such as safety compliance, electromagnetic interference and compatibility parameters, Indian language support, interface requirements, and security standards.
“The government is fully committed to working with the industry and addressing their concerns. That is why the government has been engaging with the industry to better understand the technical and compliance burden and best international practices which are adopted by the smartphone manufacturers.
“The ministry repeats that any legitimate concerns of the industry would be examined with an open mind in the best interest of the country and the industry,” the statement said.
According to official sources, the ministry has also taken over discussions on safety standards in mobile phones and other communication devices from the telecom department to meet requirements under a telecom security assurance norm.
The ITSAR (Indian Telecom Security Assurance Requirements) broadly covers safety standards for telecom network gear, including those related to software updates and the source code of communication devices.
The India Cellular and Electronics Association (ICEA), which represents companies like Apple, Vivo, Xiaomi, Dixon, etc., said that the discussion on safety standards has been going on for several years, and multiple discussions on this issue have taken place.
“It is completely normal for the government to engage the industry in such discussions – ask technical and compliance questions, and for the industry to respond with international practices and what might be possible or not. This is a routine process of an open, transparent consultation. We are satisfied with the way the discussions are proceeding. There is no pressing concern as this is the very nature of transparent and in-depth consultation with specific stakeholders,” ICEA Chairman Pankaj Mohindroo said.
ONGOING TUG OF WAR OVER GOVERNMENT REQUIREMENTS
Apple, South Korea’s Samsung, Google, China’s Xiaomi and MAIT, the Indian industry group that represents the firms, did not respond to requests for comment.
Indian government requirements have irked technology firms before. Last month it revoked an order mandating a state-run cyber safety app on phones amid concerns over surveillance. But the government brushed aside lobbying last year and required rigorous testing for security cameras over fears of Chinese spying.
Xiaomi and Samsung – whose phones use Google’s Android operating system – hold 19% and 15%, respectively, of India’s market share and Apple 5%, Counterpoint Research estimates.
Among the most sensitive requirements in the new Indian Telecom Security Assurance Requirements is access to source code – the underlying programming instructions that make phones work. This would be analysed and possibly tested at designated Indian labs, the documents show.
The Indian proposals also require companies to make software changes to allow pre-installed apps to be uninstalled and to block apps from using cameras and microphones in the background to “avoid malicious usage”.
“Industry raised concerns that globally security requirement have not been mandated by any country,” said a December IT ministry document detailing meetings that officials held with Apple, Samsung, Google and Xiaomi.
The security standards, drafted in 2023, are in the spotlight now as the government is considering imposing them legally. IT ministry and tech executives are due to meet on Tuesday for more discussions, sources said.
COMPANIES SAY SOURCE CODE REVIEW, ANALYSIS ‘NOT POSSIBLE’
Smartphone makers closely guard their source code. Apple declined China’s request for source code between 2014 and 2016, and U.S. law enforcement has also tried and failed to get it.
India’s proposals for “vulnerability analysis” and “source code review” would require smartphone makers to perform a “complete security assessment”, after which test labs in India could check their claims through source code review and analysis.
“This is not possible … due to secrecy and privacy,” MAIT said in a confidential document drafted in response to the government proposal, and seen by Reuters. “Major countries in the EU, North America, Australia and Africa do not mandate these requirements.”
MAIT asked the ministry last week to drop the proposal, a source with direct knowledge said.
The Indian proposals would mandate automatic and periodic malware scanning on phones. Device makers would also have to inform the National Centre for Communication Security about major software updates and security patches before releasing them to users, and the centre would have the right to test them.
MAIT’s document says regular malware scanning significantly drains a phone’s battery and seeking government approval for software updates is “impractical” as they need to be issued promptly.
India also wants the phone’s logs – digital records of its system activity – to be stored for at least 12 months on the device.
“There is not enough room on device to store 1-year log events,” MAIT said in the document.
Agencies