India’s phone security plan faces backlash

Bengaluru: The Indian government's plan requiring smartphone makers to share source code as part of a raft of new security measures has drawn criticism from privacy advocates and technology experts ‌over fears of ‌heightened surveillance. Companies including Apple and Samsung have privately protested the proposed package of security standards, which also includes a requirement to maintain phone ‌logs on devices for a year, Reuters reported on Sunday, citing a review of confidential government and industry documents.The proposal is part of Prime Minister Narendra Modi's efforts to boost security of user data as online fraud and data breaches increase in the world's second-largest smartphone market, with nearly 750 million ​phones.India's IT ministry has said "any legitimate concerns of the industry ​will be addressed with an open mind" and consultations were ongoing. It also refuted ‌that it was ‍considering seeking source code, without commenting on the government or industry documents cited ‍by Reuters.The Internet Freedom Foundation, a privacy and free speech rights ‌organisation, said it "strongly rejects any proposed regime that effectively grants the state access to confidential source code and embeds persistent controls into devices used daily by hundreds of millions of Indians"."The proposals seek to micromanage how users interact with their own devices," IFF added in a statement.India's IT ministry did not respond to a request for comment.POTENTIAL CONFLICT OF INTERESTThe ministry called off a meeting scheduled for Tuesday with the tech giants to discuss their ‍feedback and concerns about the proposal, according to three people with direct knowledge.Seeking source code - the underlying programming instructions that make phones work - erodes trust and "is ‍a massive step backwards ⁠from India's goal of ⁠improving the ease of doing business," said Akash Karmakar, a partner at Indian law firm Panag & Babu who specialises in technology law. Last month, India revoked an order mandating a state-run cybersecurity app on phones following opposition from opposition parties and privacy advocacy groups.The latest proposal says tech companies should inform Indian officials before releasing security updates and they can test them if they want.That creates a conflict of interest as it allows the state to act as a regulator while potentially exploiting vulnerabilities for surveillance, said Raman Jit Singh Chima, global cybersecurity lead at internet advocacy group, Access Now.