Is the government seeking phones’ source code?: Explained

The story so far: The newswire agency Reuters reported that the Indian government was contemplating a requirement for smartphone makers to disclose their source code to third party testing agencies, and make this code open for review. A further requirement the agency reported was that phone makers would have to notify the government before pushing major software updates to user devices. The Union government has downplayed the nature of these conversations, and refuted the source code demand allegation.

What is source code?

Source code is the core repository of software programmes and their associated digital assets that drives a digital system. While some parts of the code, especially of Android phones, is open to begin with, there are significant modifications and adaptations that phone manufacturers make to that codebase. Also, each firm jealously guards the technology driving these respective changes. Source code is kept secret not just for commercial reasons, but also as a security measure. If a software system’s complete inner workings are visible to a malicious attacker, then the system is at risk of being probed for weaknesses that can be exploited, and can lead to data breaches and other types of cyberattacks.

Why is such a demand controversial?

It is highly unusual for source code of any kind of system to be disclosed outside a company, except perhaps in sensitive fields like defence, and that too in specific countries. Apple Inc., for instance, has not disclosed its source code to the Chinese government, even as the firm has carved out policies specific to that country to make user data stored on the cloud potentially more accessible in response to legal requests.

These reports have come shortly after a bruising episode for the government; just weeks before, the Department of Telecommunications (DoT) was at the receiving end of massive political and public pushback due to an order it sent to smartphone manufacturers to “pre-install” the spam reporting app Sanchar Saathi. There were widespread concerns that the app could be used for snooping at worst, and represent a security threat by a third party attacker at best. This was also a demand global smartphone makers generally don’t entertain.

But source code disclosure would be a far more intrusive demand, as it would require smartphone makers to essentially expose their entire code base to a third party. Cyber attackers that find and take advantage of software vulnerabilities often do so with aspects of computer systems that are visible externally; internal visibility would greatly amplify the risks of such vulnerabilities being found, especially if the source code includes detailed documentation on a system’s inner workings. As such, mobile phone operating systems, even if they are running on open source Android, do not expose every detail of their actual implementation.

Is the Indian government demanding that source code be made public?

In 2023, the National Centre for Communication Security (NCSS), under the DoT, finalised a document called an Indian Telecom Security Assurance Requirement (ITSAR) for “consumer equipment”. ITSARs are technical standards used in the Mandatory Testing and Certification of Telecommunication Equipment (MTCTE) framework, a key bureaucratic step for importing telecom gear into India.

The MTCTE framework stems from the Indian Telegraph (Amendment) Rules, 2017. However, shortly after the Telecommunications Act, 2023 was passed, the DoT and the Ministry of Electronics and Information Technology (MeitY) decided that the MTCTE regime should be done away with for smartphones, which already go through a certification process for India administered by the Bureau of Indian Standards. A senior MeitY official told The Hindu that since the baton had now been passed to the IT Ministry, the discussions were picking up where the DoT had left off. A press statement by MeitY stated that the IT Ministry was keeping an “open mind” and would decide on what was best for the country and for consumers. The India Cellular and Electronics Association (ICEA), which represents some smartphone firms, also downplayed the seriousness of the discussions.

The Internet Freedom Foundation, a digital rights advocacy group, pushed back on that denial, pointing out that the meetings the government was holding were not transparently conducted, and that the ITSARs remain public.

“If the government claims these proposals do not exist, it must explain the specific documentation currently hosted on its own website and also disclose the minutes of meetings,” IFF said in a statement.

“IFF asserts that “stakeholder consultation” cannot be limited to closed-door meetings with big tech giants. If the PIB’s claim that “no final regulations have been framed” is true, then the government should have no hesitation in releasing the current draft of the ITSAR for public scrutiny immediately. We reassert the need for transparency and an open public consultation.”