Article Details

India’s government denies it plans to demand smartphone source code. Says ongoing talks about security are about understanding best practice, not strong-arming vendors. India’s government has denied that it is working on rules that would require smartphone manufacturers to provide access to their source code. A Sunday report by Reuters claimed that India has circulated a package of 83 security standards, among them requirements to share smartphone source code and another requiring developers to give India’s government advance of major software updates. The report claims that Apple and Samsung have opposed the plan. Also on Sunday, India’s Ministry of Electronics and Information Technology (MeitY) issued a statement refuting the Reuters story. “The Government of India is continuously taking steps to ensure the safety and security of users and to protect their personal data in the rapidly evolving digital ecosystem,” the statement opens, before observing “With over a billion mobile users in the country, smartphones today hold vast amounts of personal and financial data, making them attractive targets for cybercriminals.” India’s government is therefore conducting “a structured process of stakeholder consultations … to develop an appropriate and robust regulatory framework for mobile security.” The statement characterizes those consultations as part of “regular and ongoing engagement with industry on safety and security standards.” The statement then refutes the Reuters report and says India’s government is “fully committed to working with the industry and address their concern. That is why, the government has been engaging with the industry to better understand technical and compliance burden and best international practices which are adopted by the smart phone manufactures.” India has had similar fights with big tech companies in the past, and nearly always backed down. Last December India’s Department of Telecommunications demanded that smartphone makers pre-install government apps on all handsets. Civil rights groups and tech industry lobbies both opposed the measure, leading India’s government to first water down the proposal and then abandon it in less than a week. In 2022, India introduced a directive requiring organizations operating locally to disclose any cybersecurity incidents within six hours of detection, and framed it so cloud operators would have to report on activities conducted by their tenants. Vendors and tech lobby groups pushed back, India’s government eased the requirement, and has scarcely mentioned it since the 2023 revelation that compliance with the law was very low. While it has handled some of its regulatory efforts badly, India’s government has made some fair points. The nation’s billion-plus mobile device users deserve strong security, especially as India’s government steers them towards digital services and away from using cash. But the nation’s lawmakers, and their advisors, must surely realize that it would be extraordinarily difficult for the likes of Apple and Samsung to share source code. It would also be vastly difficult for India to find alternatives, as while the nation has encouraged development of a home-grown browser and mobile OS neither has taken off.