The Ministry of Electronics and IT has directed 21 handset makers to submit information on security architecture and standards that they follow for storing customer data online, according to an Economic Times report.  Both domestic and foreign brands like Apple, Samsung, Micromax and especially a lot of Chinese brands like Oppo, Vivo, Xiaomi, Lenovo and Gionee have also received the direction, the report said.

A government official told ET that cyber security issues aren’t addressed under any law in the country and that security standards are voluntarily followed. “The government will know if standards need to be tightened or made mandatory,” added the official. During March 2017 quarter, handsets worth $3.74 billion (~Rs 23,754 crore) were imported into India according to government data accessed by ET. During the same quarter, locally manufactured handsets worth Rs 90,000 crore were produced in India.

What info Meity is looking at

The report added that the companies have time until August 28 to disclose info on security practices they follow on handsets, mobile operating system, browser on the device and pre-loaded apps. The official added that it will conduct security testing at government labs from samples received from the handset companies. The directive was issued after data leaks and ransomware incidents were reported in the country, the official said. CERT-In claimed to have received reports of more than 27,000 cyber security threat incidents in the first half of 2017 alone.

As of now, the IT act of India (pdf) broadly specifies penalty to companies for failing to “protect information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.” However, the Act does not specify any uniform data security guideline or policy, does not classify what constitutes private or sensitive information. The IT Act only has a broad cyber security section ad defines data as “information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner,” by companies.

TRAI recently put out a consultation paper covering the aspect of data protection. It looks at how customer data is stored and accessed by companies, consent taken from users for acceding private data, data localization and other regulatory issues around cyber/info security.

MediaNama’s Take

What’s required is a central response system that actively monitors threats reported to it by private/govt companies in India; as of now, the Cyber Computer Emergency Response Team(CERTIn) setup under the Meity looks into this function. The Meity or the CERT-In should also be looking at collecting information about how private/govt companies use sensitive info for targeting ads since new ways of hacking/cracking into smartphones are unearthed. Recently, researchers discovered that over 234 Android apps were silently talking to other Android phones near to them using micro-sounds emitted from devices. These were used for ad targeting purposes.