India's Shocking Plan: Will Smartphone Makers Be Forced to Hand Over Secrets? You Won't Believe the Fallout!

By Aditya Kalra and Munsif Vengattil

NEW DELHI, Jan 11 (Reuters) - In a move aimed at bolstering cybersecurity, the Indian government is proposing a set of stringent regulations for smartphone manufacturers, including the requirement to share source code with the government. This measure has raised concerns among major tech companies like Apple and Samsung, who fear it could compromise their proprietary information.

The proposed package, which includes 83 new security standards, mandates that companies notify the government of significant software updates. Industry insiders have highlighted that this level of scrutiny lacks a global precedent and could lead to the exposure of sensitive technical details. The push for these measures comes as online fraud and data breaches rise in India, which has nearly 750 million smartphone users.

According to IT Secretary S. Krishnan, the government is willing to engage in discussions with the industry to address legitimate concerns. However, he emphasized that it is too early to draw conclusions about the proposals. The Ministry of Electronics and Information Technology (MeitY) did not provide additional comments, citing ongoing consultations with tech firms on the matter.

This isn't the first time Indian government requirements have ruffled feathers among tech giants. Just last month, an order mandating a state-run cybersecurity app was rescinded due to privacy concerns. Furthermore, India had previously imposed rigorous testing requirements for security cameras amid fears of Chinese surveillance.

In the fiercely competitive Indian smartphone market, Xiaomi and Samsung command market shares of 19% and 15%, respectively, while Apple holds 5%, according to Counterpoint Research. The proposed regulations are seen as a potential roadblock to maintaining that competitive edge.

Among the most contentious provisions in the new Indian Telecom Security Assurance Requirements is the demand for access to source code, which would undergo analysis and potential testing in Indian labs. Additionally, the proposals require companies to implement software changes to allow users to uninstall pre-installed apps and disable app access to cameras and microphones to mitigate malicious usage.

Concerns have been raised by industry representatives, including MAIT, the Indian industry group representing smartphone companies, regarding the feasibility of such stringent security requirements. A document from the IT ministry dated December 2023 noted that no major country imposes similar mandates. The group has urged the government to reconsider the proposals, which they claim would have impractical implications for both device manufacturers and consumers.

The new security standards, which were drafted in 2023, are currently under consideration for legal enforcement. Upcoming discussions between the IT ministry and tech executives are expected to focus on these contentious issues.

Manufacturers typically guard their source code closely; for instance, Apple previously denied requests from China to access its source code between 2014 and 2016. U.S. law enforcement has similarly faced challenges in this regard. The Indian government's proposals would require smartphone makers to carry out comprehensive security assessments and subject their source code to review and analysis by designated labs in India.

Among the additional requirements is the implementation of automatic and periodic malware scanning on devices. Companies would also need to inform the National Centre for Communication Security prior to releasing major software updates and security patches, giving the government the authority to test those updates before they are rolled out. However, MAIT has expressed concerns that frequent malware scanning could significantly drain device batteries and that seeking government approval for timely updates is impractical.

Furthermore, the proposals stipulate that devices must retain system activity logs for at least 12 months, a requirement MAIT argues is not feasible due to storage limitations on smartphones.