Govt puts mobile phone makers on notice over data privacy

Wary of hacking and stealing of information from smartphones, the government has sent notices to Chinese and other device makers to provide the framework and procedures followed for data security.
As many as 21 phone makers, including leading Chinese brands Vivo, Oppo, Xiaomi and Gionee, have been asked to give "detailed, structured written response" on how they secure data
and ensure its safety and security, a government order said.
The directive comes amid the stand-off between India and China over Dokalam as also rising concerns over imports of Chinese IT and telecom products. According to an estimate, mobile phone import stood at USD 3.7 billion in 2016-17.

The directive follows fears of hacking of information on mobile phones -- many Chinese manufacturers have their servers in China -- as also personal information such as contact lists, messages and pictures being stolen.
Non-Chinese phone makers such as Apple, Samsung, BlackBerry and Indian players are also among the companies that have been sent notice by the Ministry of Electronics and Information Technology.

"The ministry has given time till August 28 to all companies to furnish their responses," a senior IT Ministry official said.
He referred to international and domestic reports on data leaks from mobile phones and said that in the first phase, devices along with pre-loaded software and apps will come under scrutiny.

Based on response of the companies, the ministry will initiate verification and audit of devices wherever required.
It has also warned of penalties under provisions of IT Act 43 (A) in case stipulated processes are not followed.
"Any device sold in the country should be compliant with global security standards. If companies fail to comply, further action will be taken. The Act provides for penalties depending on the offences. In certain cases, the failure to take measures can result in penalty of about Rs 5 crore," the official said.
The official said the objective of the exercise is to ensure required data security measures are being taken with regard to hardware and software in mobile phones.

The IT ministry order, dated August 12, asked the companies to "provide a detailed, structured written response about the safety and security practices, architecture, frameworks, guidelines and standard etc followed and implemented in your product and services, provided in the country".
It said there is a need to "ensure the security and safety" of the devices and they should provide "secure transmission and storage of data".
"The security of the mobile devices must address all layers, including security for hardware, operating system and application, securing network communications, encryption standards used and the like. Also, the updating of operating system, firmware and application must be done in a secure manner," the order said.

The government wants the phone manufacturers to develop layered security measures that can guard against any unauthorised access.
"Security measures must be developed and applied to smartphones, from security in multiple layers of hardware, firmware and software to the dissemination of information to the actual users," the order said.