No, thanks: Mobile device makers say to DoT on source code demand

Leading mobile device makers are jointly discussing a representation to reject a proposal of the Department of Telecommunications (DoT) asking them to share their source codes for enhanced security measures.

They oppose the proposal on the grounds that source codes are “commercially valuable, confidential, and sensitive information”.  

The mobile phone manufacturers are planning to plead with the government that the new rules suggested by the DoT could leave them with no option but to stop introducing new phone models in the country if the stringent rules are eventually approved.

They will be asking the DoT to set aside the demand for sharing the source code. This is not the only point of contention between the two sides. Unless the differences are resolved, millions of Indian consumers might be deprived of the latest high-tech models launched by their favourite global brand. If not deprived altogether, they may have to wait for months after it has already been launched across the globe to buy it here. 

Under the new rules proposed by the DoT, based on the Indian Telecommunications Security Assurance Requirements (ITSAR), device makers will be expected to have their source codes tested by third party labs accredited with the government.

The National Centre for Communication Security, a wing of the DoT, has told companies that these third party labs will take 12-16 weeks for security testing and certifying the mobile device. Only then can it be imported or sold.

Further, all upgrades, after the phone has been sold, will have to go through security certification. Mobile device manufacturers say that if security certification is required for updates, it will not be possible for them to launch new models in the country.

After all, software delivery-like upgrades or patches for enhanced security happen very frequently on mobile phones and they cannot tolerate such a long wait for certification. Apart from anything else, it increases costs.

The device makers point out that demand for a new phone is generally limited to the first 3-6 months of its launch with an average sales cycle of a model lasting between 9-12 months. This means that a 3-4 month testing cycle as proposed by the DoT is not conductive to business and might become a hindrance to the availability of advanced high tech phones that are on a par with other markets globally. 

Manufacturers say that though discussions on ITSAR have been ongoing for a year, it is only now that the DoT has made this demand about sharing source codes.

Justifying their reluctance to share the source code, mobile players say that, for one, encryption is the backbone of any cyber security infrastructure.

For another, producing software which is free of any vulnerabilities is a near impossible feat and, consequently, current best practice is to do a comprehensive risk assessment based on categorisation of the severity of security vulnerabilities and take action.

India, they point out, is already a member of the Common Criterion Certificate Issuing Authority (CCCRA) which includes founding members like the US, Germany and the UK among 31 others.

The CCC scheme provides for independent third party evaluation and certification of the security functions of IT products. Under this service, mobile phones can be evaluated in any of the 31 signatory countries, including India.

This also provides an opportunity for a global player to manufacture and certify its phones in India and sell it in other countries.

The industry has also brought to the DoT’s notice the fact that the current IT Act already imposes liabilities on companies to pay compensation in case of security violations. The move to demand the source code comes close on the heels of the DoT pushing for the same information from mobile equipment makers. Earlier, self-certification by the equipment maker was enough to allow imports by operators.

Global equipment makers have also opposed the DoT’s move, saying they too will not share their valuable intellectual property rights.