India’s telecom regulator now seems to be shifting its focus to mobile apps and the sensitive user info that they collect, as per this PTI report. TRAI Chairman R S Sharma was quoted as saying that TRAI is currently working on a consultation paper on how apps requesting access to sensitive data can be regulated. “There should be a link between what an application does and information the application is asking for,” he said. While it’s not really in the TRAI’s jurisdiction to look into what applications are doing – privacy should come under the Department of IT (and Minister Ravi Shankar Prasad) and isn’t a telecom mandate – there are a few things that the TRAI can do to ensure that telecom operators and ISPs are more careful about data collection; browsing data is sensitive personal information, after all, and as the image above (from the Mobile World Congress a few years ago) indicates: networks know that no two customers are alike.

1. Improve the encryption standards and methodology 

The DoT has put a maximum limit of 40-bit on encryption that can be used by telecom companies in their systems [read doc], and no minimum limit. This is just absurd given the fact that a graduate student in the US was able to crack a 40-bit algorithm in less than four hours back in 1997. The person used 250 workstations, and the processing power of those 250 workstations is now present in most high-end PCs and gaming PCs. The TRAI needs to ensure that encryption levels for phone calls and SMSes are improved, so that someone can’t set up a GSM sniffer near your house and listen to calls. Telcos can raise this limit after handing over decryption keys to the DoT, but a minimum level needs to be set.

Here is what DoT says regarding encryption:
A DoT notice in 2007 says that licensees (telcos, ISPs, or any company holding a license from DoT) shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.

2. Put clear restrictions on telecom operators sharing browsing data or inserting third-party code into connections

For example, Airtel was found to be tracking user data with super-cookies via the Amobee tracker in 2015. MTNL and BSNL routinely insert advertising into user connections. In 2013, Airtel had tied up with advertising network Vserv to allow advertising targeting using demographic data, spending power, network usage, location, content relevance and device-specific data. At present, there is little information on how much data is tracked and stored, how it is kept secure, and whether telecom operators are sharing personal data or not. MTNL has said that its forcibly injected advertising doesn’t capture user data, but we aren’t very convinced by that.

3. Mandate telecom companies to have a data security policy

India doesn’t have a uniform privacy law, neither online nor offline, and this is probably the biggest reason why TRAI or DoT can look at laying down specific data security measures for telcos. Data security is different from cyber security; the latter is enforced within IT infrastructure owned/deployed by companies, while data security deals with how companies store and secure user or employee data, which includes sensitive data points like email addresses, physical IP addresses, MAC IDs, phone numbers, etc.

So, TRAI could start by discussing what constitutes “sensitive data”, which is any kind of data point that can be used to uniquely identify a user. Such sensitive data must be collected and stored only with consent from the user, and telcos must apply some kind of encryption or a restricted access control system within their databases and hard disks. But this won’t suffice or guarantee data security. After the recent Jio data leaks, the company immediately distanced itself from the data breach, stating that these are “unverified and unsubstantiated claims”, and “the data appears to be unauthentic”. Jio had put out these statements even before investigating the leak.

However, police later tracked down the alleged hacker who gained unlawful access to Jio’s customer data, but it still isn’t clear how he was able to gain access. Note that even after these events, this is what Jio says in its Information Security policy section for its new JioPhone:

So clearly, there needs to be a uniform guideline from the regulator’s end which lays down specifically what telcos need to be doing in the case of a data breach/leak and thefts. Currently, the Ministry of Electronics & Information Technology has such a data security policy for any company looking to offer cloud services to government departments.

4. If a breach/leak is confirmed, govt audits must be conducted on telecom operators

In case a telecom company confirms a data leak, there must be some kind of government intervention, especially since Aadhaar is now being linked with mobile numbers. Apart from this, telecom companies need to conduct regular periodic audits of their databases and disks that store sensitive info. This can be supported by a third-party auditing organization. During a recent #NAMA open house discussion on securing online data, our speakers expanded on the need for periodic audits. This is needed because organizations tend to invest heavily in cyber/data security, but fail to patch systems when required, leaving a huge gaping hole for attackers. Cyber/data security should be seen as a part of the organizational strategy and not just as an additional system, Manish Tiwari, Chief (Info.) Security Officer, Microsoft India, said during the event.

5. Mandate companies to disclose what they do with sensitive user info and where it’s deployed

Data is a toxic asset. Telcos are now increasingly launching their own apps and clubbing them as add-on services. From the Play Store permissions sections, the My Airtel app wants access to contacts in your phone, SMSes, GPS location, etc., while the My Jio app seems to ask for access to sensitive logs, access to route and place calls on your behalf and even write call logs. Although there might be a reason behind why telcos need such sensitive info, users don’t, and as pointed out earlier the country’s law doesn’t mandate telcos to protect user privacy. It’s a choice that companies take upon themselves.

Mandating telcos to disclose how they use such data will provide a sense of where the data travels (other apps, for targeted ads, etc.) and this empowers the user to make a choice on whether to continue using the app. Although there are several ways to revoke individual permissions for each app installed on your Android phone, not everyone is aware of this, and this isn’t possible on all OSes. Telcos can also provide an optional opt-out from data collection. TRAI already has such a mechanism for filtering out telemarketing SMSes and calls.

This is needed because some mobile applications store device- and app-specific information every time they execute a command, complete an update, or when a user logs in with a new username. In some cases, the app can gain access to sensitive data like MAC ID, IMEI number, saved WiFi network info, and other apps installed on the device. Sometimes a user authenticates with an app using his/her Gmail or Facebook account, and the app can read the info of these accounts from the log. By collecting WiFi network information, including network name (SSID), an app developer can employ data analytics and identify a cluster of users connected to the same network, an office network or a public WiFi location.

(with inputs from Nikhil Pahwa)