The recent Indian government directive to smartphone manufacturers to disclose the security measures they adopt to secure customer data is quite ominous on several counts. One of the most startling facts is that most of these manufacturers have been selling their products in India for a long time. If it is now suspected that their hardware or software might be complicit in stealing customer data, this directive may be a bit too late, as data might already have been stolen.
In addition to this, quite a few of these manufacturers have been investigated for compromising security in India and abroad in the past. Their continued operation in spite of known vulnerabilities is in itself worrisome. Besides these obvious facts, this order for disclosures in some way understates the fact that our own policies have not been up to the mark in catching loopholes in these products. A brief look into the recent past, nationally and internationally, highlights the immensity of this situation and calls for immediate and stringent measures.
In 2013, one of the smartphone manufacturing companies, Huawei, was investigated for possibly hacking into BSNL networks in Rajahmundry. It was suspected that Huawei hacked into BSNL as revenge for losing the BSNL contract to its competitor ZTE, another telecom manufacturer. In the aftermath of this hacking attack, it was reported that a security lab would be set up to test all equipment coming into India. It appears that this lab, too, has not been able to check for possible vulnerabilities, leading to the current order directing manufacturers to disclose their security measures.
Internationally, in 2012 both Huawei and ZTE were banned from entering US markets on suspicion of building back doors into their equipment to leak sensitive information from America to China, a claim both companies vehemently deny. In the same year, 2012, Huawei’s relationship with British Telecom was investigated by the UK Parliament’s Intelligence and Security Committee over security issues with the Huawei-supplied infrastructure. More recently, in March 2017, ZTE accepted a USD 900 million fine for selling US technology to Iran in spite of US sanctions prohibiting such sales of US technology to Iran and North Korea.
In the face of such threats to consumer data, strong regulatory measures are being put in place globally. One of the most prominent examples is the European Union, which adopted the General Data Protection Regulation (GDPR) on 27th April 2016. Its primary objective is to give citizens and residents control back over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It mandates that data breaches be reported within 72 hours. The fines that can be imposed are as high as 20 million euros or 4% of the company's worldwide turnover, whichever is higher. The regulation becomes enforceable from 25th May 2018.
In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were made under the provisions of section 43A of the IT Act 2008. These rules only generically mention the security control measures to be followed to safeguard personal information. There are provisions for claims of compensation, and also for imprisonment of up to three years and a fine of up to 5 lakh rupees. While these are good steps, there is scope for improvement. The fine is too low, and handling compensation claims through adjudication may dilute the criminal element of such incidents. Besides this, it could be made mandatory for any manufacturer to disclose the source code of both its firmware and its software to the authorities for examination for possible security leaks.
In the end, these directives, though welcome, may fall short of producing the intended results without the backing of a strong policy framework and commensurate sanctions, possibly along the lines of the European Union's.