New Delhi: Wary of hacking and stealing of information from smartphones, the government has sent notices to Chinese and other device makers to provide the framework and procedures followed for data security.
As many as 21 phone makers, including leading Chinese brands Vivo, Oppo, Xiaomi and Gionee, have been asked to give “detailed, structured written response” on how they secure data and ensure its safety and security, a government order said.
The directive comes amid the stand-off between India and China over Dokalam as also rising concerns over imports of Chinese IT and telecom products. According to an estimate, mobile phone import stood at USD 3.7 billion in 2016-17. The directive follows fears of hacking of information on mobile phones — many Chinese manufacturers have their servers in China — as also personal information such as contact lists, messages and pictures being stolen. Non-Chinese phone makers such as Apple, Samsung, BlackBerry and Indian players are also among the companies that have been sent notice by the Ministry of Electronics and Information Technology.
“The ministry has given time till August 28 to all companies to furnish their responses,” a senior IT Ministry official said. He referred to international and domestic reports on data leaks from mobile phones and said that in the first phase, devices along with pre-loaded software and apps will come under scrutiny. Based on response of the companies, the ministry will initiate verification and audit of devices wherever required.
It has also warned of penalties under provisions of IT Act 43 (A) in case stipulated processes are not followed. “Any device sold in the country should be compliant with global security standards. If companies fail to comply, further action will be taken. The Act provides for penalties depending on the offences. In certain cases, the failure to take measures can result in penalty of about Rs 5 crore,” the official said.
The official said the objective of the exercise is to ensure required data security measures are being taken with regard to hardware and software in mobile phones. The IT ministry order, dated August 12, asked the companies to “provide a detailed, structured written response about the safety and security practices, architecture, frameworks, guidelines and standard etc followed and implemented in your product and services, provided in the country”.
It said there is a need to “ensure the security and safety” of the devices and they should provide “secure transmission and storage of data”. “The security of the mobile devices must address all layers, including security for hardware, operating system and application, securing network communications, encryption standards used and the like. Also, the updating of operating system, firmware and application must be done in a secure manner,” the order said.
The government wants the phone manufacturers to develop layered security measures that can guard against any unauthorised access. “Security measures must be developed and applied to smartphones, from security in multiple layers of hardware, firmware and software to the dissemination of information to the actual users,” the order said.
“Good security practices must be observed at all levels, from design to use through the development of operating systems, hardware, firmware and software layers and for the secure implementation of communication protocols and encryption standards,” it stated. According to the government, mobile phones particularly smartphones are playing a crucial role in achieving the goals of Digital India and have achieved a penetration of 65-75 per cent.
“Today, these devices hold valuable information of the users while empowering them to interact with their surroundings in innovative ways. Citizens place their trust in the convenience and productivity that these devices offer,” it said. IT Minister Ravi Shankar Prasad had called a meeting of senior officials in the department as well as representatives of Cert-In and others on August 14 to take stock of the situation.
When contacted, Indian Cellular Association (ICA) National President, Pankaj Mohindroo said that while there can be no argument on the need to have secure communication and protection of data, the issue needs to be viewed in its entirety.
“Different levels of consumer verticals need different levels of security, commensurate with the degree of risk. We need to move towards an ecosystem fostering innovation and creativity in the development of mobile applications services and transactions etc,” Mohindroo said. The mobile handset industry is “deeply cognisant” of the security requirements of the nation, said ICA, which is a body of mobile handset companies operating in India.