As per an Economic Times report, the government is questioning 21 smartphone companies on their security. It has asked about the security practices, architecture, frameworks, guidelines and standards they follow to ensure secure transmission and storage of user data, and has warned of action against companies that fail to meet security standards.
The privacy and cybersecurity norms currently applicable in India impose penalties only in limited circumstances. They do not compare with the international penalties for data privacy violations, which, unfortunately, have no application in India. Given that the government is in the process of framing a data protection law, this investigation can be expected to influence the law that is finally enacted. While the trigger behind the move is unclear, if it results in greater privacy and security, it is a very welcome one.
The threat to national security
As per the ET report, this move of the government has followed reports of data leakage and theft. The current Indo-Chinese tensions are also considered to be a factor, especially because several of the smartphone companies being questioned are Chinese.
The dangers that leaks of smartphone data pose to national security are very real. This was seen in India about a year ago with the Smeshapp cyberterrorism attack, in which crucial data from army personnel, such as location data, was disclosed, revealing sensitive information such as troop movements and counter-terrorism operations. This data was said to have aided the Pathankot attacks. In that case, the leak was not the result of a defect in the smartphone itself, but of an app installed on it.
2014 security accusations against Xiaomi
A smartphone-side vulnerability is usually a flaw in the operating system or in the software the manufacturer ships with the device. One example was the smartphone data leak that emerged in India in 2014/15, in which Chinese smartphone company Xiaomi was accused of automatically transferring user data to servers located in China. The Indian Air Force was, in fact, reported to have warned its officers and their families against using Xiaomi phones. As per a Shanghai Daily report, Xiaomi admitted to the security flaw in its operating system and fixed it immediately.
More recently, last week, the security company eScan released a report alleging multiple flaws in Xiaomi smartphones affecting user data, a claim which Xiaomi has denied. It is unclear whether this report, in combination with the earlier allegations, has triggered the government's investigation into smartphone security.
Limited application of Indian privacy laws
Turning to the laws that will apply to any privacy violations by smartphone companies, the applicable privacy law is Section 43A of the Information Technology Act, 2000. The protection it offers, read with the IT Reasonable Security Practices Rules, 2011, is, as is well known, minimal. It protects only "sensitive personal data", a narrow category covering items such as passwords, biometric information, financial information and health data, and not other personal data such as messages, contacts or location data. Non-compliance with these rules also has very limited consequences, as discussed below.
Lack of enforcement mechanisms on par with international laws
Internationally, there are several laws that penalise such data leaks, and do so severely. These laws prohibit the transfer of data without the user's consent and prohibit cross-border transfer of data to any country whose privacy laws are not of a comparable standard. While similar provisions are present in the IT Reasonable Security Practices Rules, the lack of enforcement mechanisms and the restriction to sensitive personal data make them ineffective.
Internationally, violation of these norms is punishable with heavy fines and imprisonment. For example, the European GDPR (enforceable from 2018) will impose fines of up to 4 percent of annual global turnover or €20 million, whichever is greater. Similarly, Singapore imposes a financial penalty of up to S$1 million, while Hong Kong imposes a fine of up to HK$1 million and up to five years of imprisonment. Unfortunately, these laws do not apply in India and will not protect the data of Indians.
No smartphone-specific cybersecurity norms in India
The IT Reasonable Security Practices Rules, 2011, require any body corporate handling sensitive personal data to adopt reasonable security practices, including documented information security programmes and policies. This requirement also applies to smartphone companies handling user data. While the obligation has been imposed, there are limited consequences for non-compliance, and there is no system of checks or audits in place.
Apart from this, there are no prescribed cybersecurity norms specifically for smartphones in India. Any existing cybersecurity norms are general in nature, taking the form of recommendations, based on which companies are expected to formulate suitable cybersecurity policies. Mandatory minimum standards and consequences for non-compliance have not been prescribed.
Consequences under Indian laws for security loopholes
Where the security loophole in the smartphone is not deliberate but the result of negligence, particularly a failure to implement and maintain reasonable security practices, Section 43A of the IT Act will apply. However, it applies only where the negligence causes wrongful loss or wrongful gain to some person. Only in such a case will the victim be entitled to compensation, which is capped at Rs 5 crore.
Where the loophole is deliberate, or data is deliberately extracted from the smartphones, the company will be liable under Section 66 of the IT Act, which is punishable with imprisonment of up to three years, a fine of up to Rs 5 lakh, or both.
Smartphone companies usually contract with their users for the use and disclosure of data through the licence agreements that accompany the smartphones. Disclosure in breach of such a contract is punishable with imprisonment of up to three years, a fine of up to Rs 5 lakh, or both under Section 72A of the IT Act. However, given the wide-ranging consent that is sought from users today, this section is unlikely to apply.
Lastly, in the case of more serious incidents like the Smeshapp case, which involved deliberate, large-scale disclosure of data threatening national security, the provisions on cyberterrorism under Section 66F will apply. This is punishable with imprisonment which may extend to imprisonment for life.
Hoping for mandatory minimum security standards
If this investigation results in greater privacy and security, through, say, mandatory minimum security requirements, then the move is more than welcome. There is, of course, a fear that the opposite will result: that the government will become conscious of its own inability to access data on smartphones (as seen in the Apple-FBI dispute last year) and prescribe weaker security standards to enable decryption, surveillance and the like. Another fear is the imposition of overly stringent cybersecurity norms, much like China, whose recent cybersecurity law requires companies to store data within China only.
Hopefully, the outcome of this move will be positive and will result in India framing a data protection law on par with international standards.
The author is a lawyer specialising in cyber laws and a certified privacy professional