Centre Seeking Smartphone Source Code 

Why in News?

• Government is considering legally mandating security requirements for smartphones sold in India.
• Draft framework: Indian Telecom Security Assurance Requirements (ITSAR), 2023.
• Most contentious proposal:
  • Access to smartphone source code for vulnerability analysis.
• Strong behind-the-scenes resistance from global manufacturers like Apple and Samsung.
• Ongoing consultations between IT Ministry and tech companies.

Relevance

GS II – Governance & Polity

• State regulation vs individual privacy.
• Role of executive rule-making.
• Digital sovereignty.

GS III – Internal Security & Science & Tech

• Cybersecurity.
• Supply-chain security.
• Technology regulation.

Basics: What is Source Code?

• Source code:
  • Human-readable programming instructions that define how software functions.
• Considered:
  • Core intellectual property (IP).
  • Central to:
    • Security architecture.
    • Commercial competitiveness.
• Access risks:
  • IP leakage.
  • Reverse engineering.
  • Loss of proprietary advantage.

What Are the Proposed Security Measures?

Under ITSAR (Drafted 2023):

1. Source Code Access

• Smartphone makers must:
  • Share source code (or parts) with designated Indian testing labs.
• Purpose:
  • Vulnerability analysis
  • Detection of hidden backdoors or security flaws.

2. Mandatory Malware Scanning

• Automatic and periodic malware scans on devices.
• Applies even after sale to consumers.

3. Data & Activity Logs

• Smartphones must:
  • Store device activity records for at least one year.
• Raises concerns on:
  • User privacy.
  • Surveillance architecture.

Government’s Rationale

• Smartphones now:
  • Handle critical personal, financial, and strategic data.
• Rising concerns:
  • Cyber espionage.
  • Supply-chain vulnerabilities.
  • Embedded malware or backdoors.
• India’s position:
  • Large digital population.
  • Increasing reliance on foreign hardware/software.
• Seen as:
  • National security and cyber sovereignty measure.

Industry Concerns

• IP Protection:
  • Source code disclosure risks trade secrets.
• Global Precedent:
  • Fear India becoming a high-compliance market.
• Trust Deficit:
  • Storage and handling of code by government labs.
• Privacy Risks:
  • Mandatory logging could violate:
    • Data minimisation principles.
    • User consent norms.

Legal & Policy Dimensions

Cybersecurity

• Aligns with:
  • National Cyber Security Strategy (proposed).
• Moves India towards:
  • Pre-market security certification for devices.

Data Protection

• Potential conflict with:
  • Digital Personal Data Protection Act, 2023:
    • Purpose limitation.
    • Storage limitation.
• Malware scanning and logging raise:
  • State vs individual privacy tension.

Trade & WTO Issues

• Possible violation of:
  • TRIPS Agreement (IP protection).
  • Non-tariff trade barriers.
• Risk of:
  • Retaliatory measures.

Global Comparison

• China:
  • Extensive source-code audits for foreign tech.
• EU / US:
  • Prefer:
    • Security certification.
    • Independent third-party audits.
  • Do not routinely demand source code access.
• India’s approach:
  • More state-centric and interventionist.

Strategic Implications

• Positives:
  • Enhanced device-level cybersecurity.
  • Reduced dependence on opaque foreign systems.
• Risks:
  • Reduced investor confidence.
  • Higher device costs.
  • Slower tech diffusion.
• Key question:
  • Can security be ensured without intrusive code access?

Takeaway

• India’s proposal to seek smartphone source code reflects a shift towards assertive digital sovereignty, raising complex trade-offs between cybersecurity, privacy, and intellectual property rights.

---