Taking a tough stand, the government has ordered all leading mobile phone manufacturers, the majority of them Chinese, to provide details about the safety and security practices they follow during production. The government of India will soon introduce standalone security standards for mobile phones. Ravi Shankar Prasad, Minister of State for Law and IT, said during an event that “all mobile manufacturing units” in India will have to comply with certain standards, but he did not expand further on what the standards will comprise. “We need low-cost cyber technology and low-cost well qualified cyber auditors,” Prasad added during the event.
The government will focus on banks, financial institutions and smartphone makers, and make them comply with standards that are yet to be revealed. It will also make cyber security a part of the curriculum in 44 universities and colleges across India, the report said. The development comes shortly after the Ministry of Electronics and IT (MeitY) asked more than 20 handset makers to submit details about the security architecture and standards that they follow for storing customer data.
MeitY’s direction focused on both domestic and foreign brands like Apple, Samsung and Micromax, and especially on a lot of Chinese brands like Oppo, Vivo, Xiaomi, Lenovo and Gionee. Apart from this, the Indian government recently pulled up Chinese firm Alibaba’s UC Browser for allegedly leaking data of “Indian users” and threatened to ban it if the allegation turned out to be true. Note that in 2015, UC Browser was found to be leaking location, search details, network operator and even mobile device identifier numbers like the IMEI.
TRAI had recently put out a consultation paper covering data protection after the country witnessed a number of coordinated cyber-attacks (ransomware) and data leaks from companies like Jio and Zomato. The TRAI paper looked at how customer data is stored and accessed by companies, the consent taken from users for accessing sensitive data, data localization and other regulatory issues around cyber/info security. The Supreme Court also recently upheld privacy as a fundamental right, and the ruling will have effects on mobile developers and manufacturers. We have explained this below.
Fear of hacking is the main driving force
Wary of hacking and theft of information from smartphones, the government has sent notices to Chinese and other device makers asking them to provide the framework and procedures they follow for data security. As many as 21 phone makers, including leading Chinese brands Vivo, Oppo, Xiaomi and Gionee, have been asked to give a “detailed, structured written response” on how they secure data and ensure its safety and security, a government order said. The directive comes amid the stand-off between India and China over Dokalam, as well as rising concerns over imports of Chinese IT and telecom products. According to an estimate, mobile phone imports stood at USD 3.7 billion in 2016-17.
The directive follows fears of hacking of information on mobile phones (many Chinese manufacturers have their servers in China) and of personal information such as contact lists, messages and pictures being stolen. Non-Chinese phone makers such as Apple, Samsung, BlackBerry and Indian players are also among the companies that have been sent notices by the Ministry of Electronics and Information Technology. “The ministry has given time till August 28 to all companies to furnish their responses,” a senior IT Ministry official said. He referred to international and domestic reports on data leaks from mobile phones and said that in the first phase, devices along with pre-loaded software and apps will come under scrutiny.
Based on the responses of the companies, the ministry will initiate verification and audit of devices wherever required. It has also warned of penalties under provisions of IT Act 43 (A) in case stipulated processes are not followed. “Any device sold in the country should be compliant with global security standards. If companies fail to comply, further action will be taken. The Act provides for penalties depending on the offences. In certain cases, the failure to take measures can result in penalty of about Rs 5 crore,” the official said.
The IT ministry order asked the companies to “provide a detailed, structured written response about the safety and security practices, architecture, frameworks, guidelines and standard etc. followed and implemented in your product and services, provided in the country”. It said there is a need to “ensure the security and safety” of the devices and they should provide “secure transmission and storage of data”. “The security of the mobile devices must address all layers, including security for hardware, operating system and application, securing network communications, encryption standards used and the like. Also, the updating of operating system, firmware and application must be done in a secure manner,” the order said.
The government wants the phone manufacturers to develop layered security measures that can guard against any unauthorized access. “Security measures must be developed and applied to smartphones, from security in multiple layers of hardware, firmware and software to the dissemination of information to the actual users,” the order said. “Good security practices must be observed at all levels, from design to use through the development of operating systems, hardware, firmware and software layers and for the secure implementation of communication protocols and encryption standards,” it stated.
According to the government, mobile phones, particularly smartphones, are playing a crucial role in achieving the goals of Digital India and have achieved a penetration of 65-75 per cent. “Today, these devices hold valuable information of the users while empowering them to interact with their surroundings in innovative ways. Citizens place their trust in the convenience and productivity that these devices offer,” it said.
When contacted, Indian Cellular Association (ICA) National President Pankaj Mohindroo said that while there can be no argument on the need to have secure communication and protection of data, the issue needs to be viewed in its entirety. “Different levels of consumer verticals need different levels of security, commensurate with the degree of risk. We need to move towards an ecosystem fostering innovation and creativity in the development of mobile applications services and transactions etc.,” Mohindroo said. The mobile handset industry is “deeply cognisant” of the security requirements of the nation, said ICA, which is a body of mobile handset companies operating in India.
How the govt.’s mobile standards should be
Banking and wallet apps have been found to have multiple vulnerabilities that put users at risk. Apps were found to record audio, retrieve information about other apps running on the phone, make calls (without user consent), snoop on users’ browsing history, and read call history and phone contacts, among other things. This data was being collected without user consent in most cases. The government’s standards that Minister Prasad talks about should touch upon these issues and ban apps from accessing such sensitive details.
Users have no control over their data, and in the absence of a privacy law in India, they have no recourse over how their data is collected, how it is used, how long it is stored, or even whether it is stored. As of now, the IT Act of India broadly specifies penalties for companies that fail to “protect information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.” However, the Act does not specify any uniform data security guideline or policy, and does not classify what constitutes private or sensitive information.