The government of India will soon introduce standalone security standards for mobile phones, reports Economic Times. Ravi Shankar Prasad, Minister of State for Law and IT, said during an event that “all mobile manufacturing units” in India will have to comply with certain standards, but he did not expand further on what the standards will comprise. “We need low-cost cyber technology and low-cost well qualified cyber auditors,” Prasad added during the event.
The government will focus on banks, financial institutions and smartphone makers, and make them comply with standards that are yet to be revealed. It will also make cyber security a part of the curriculum in 44 universities and colleges across India, the report said. The development comes shortly after the Ministry of Electronics and IT (Meity) asked more than 20 handset makers to submit details about the security architecture and standards that they follow for storing customer data.
Meity’s direction focused on both domestic and foreign brands like Apple, Samsung, Micromax and especially a lot of Chinese brands like Oppo, Vivo, Xiaomi, Lenovo and Gionee. Apart from this, the Indian government recently pulled up Chinese firm Alibaba’s UC Browser for allegedly leaking data of “Indian users” and threatened to ban it if it turned out to be true. Note that in 2015, UC Browser was found to be leaking location, search details, network operator and even mobile device identifier numbers like the IMEI.
TRAI had recently put out a consultation paper covering the aspect of data protection after the country witnessed a number of coordinated cyber-attacks (ransomware), and data leaks from companies like Jio and Zomato. The TRAI paper looked at how customer data is stored and accessed by companies, consent taken from users for accessing sensitive data, data localization and other regulatory issues around cyber/info security. The Supreme Court also recently upheld privacy as a fundamental right, and the ruling will have effects on mobile developers and manufacturers. We have explained this below.
What the govt’s mobile standards should be looking at
MediaNama published a three-part series last year on how banking and wallet apps were found to have multiple vulnerabilities putting a user at risk. Apps were found to record audio, retrieve info about other apps running on your phone, make calls (without user consent), snoop on users’ browsing history, and read call history and phone contacts, among others. This data was being collected without user consent in most cases. The government’s standards that Minister Prasad talks about should touch upon these issues and ban apps from accessing such sensitive details.
As we pointed out in the three-part series, “Users have no control over their data, and in the absence of a privacy law in India, they have no recourse over how their data is collected, used, how long it is stored, or even if it is stored.” As of now, the IT Act of India (pdf) broadly specifies penalties for companies that fail to “protect information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.” However, the Act does not specify any uniform data security guideline or policy, and does not classify what constitutes private or sensitive information.