The Hindu: Published on 12th Jan 2026:
Why in News?
The issue is in the news because the Union Government of India is considering imposing new telecom security standards that may require smartphone manufacturers to provide access to their phone source codes for “vulnerability analysis.” These proposed standards have triggered strong opposition from major global technology companies such as Apple, Samsung, Google, and Xiaomi. The controversy has intensified following reports that the government may legally mandate these requirements, raising concerns about privacy, proprietary technology, feasibility, and global precedent. The matter has gained further attention because similar attempts by China and U.S. law enforcement to access Apple’s source code were earlier rejected, highlighting the sensitivity of the demand.
Background of the Issue:
India is the world’s second-largest smartphone market, with nearly 750 million devices in use, making cybersecurity and data protection a major governance challenge. In response to rising online fraud, malware attacks, and data breaches, the government drafted the Indian Telecom Security Assurance Requirements (ITSAR) in 2023. These include a set of 83 security standards aimed at strengthening device-level security.
Previously, the government faced backlash for mandating the installation of a state-run cyber safety app, Sanchar Saathi, on smartphones. Due to concerns about surveillance and privacy, that order was revoked last month. The current proposal appears to be part of a broader effort by the Centre to assert greater regulatory oversight over digital infrastructure, particularly consumer devices that handle sensitive personal data.
Key Provisions of the Proposed Requirements:
At the heart of the controversy is the requirement that smartphone manufacturers share access to their source code, which contains the core programming instructions of the device. This code would be analysed and tested in designated Indian laboratories to detect vulnerabilities. Additionally, phones would be required to conduct automatic and periodic malware scans, and maintain logs of device activity for at least one year.
Manufacturers would also have to make software changes to ensure users can uninstall pre-loaded apps, and to block background access to cameras and microphones by applications to prevent malicious surveillance. Another significant provision requires companies to inform the National Centre for Communication Security in advance about major software updates and security patches, allowing the government to test them before public release.
Government’s Rationale and Objectives:
The government argues that these measures are necessary to protect user data and national digital security in an era of increasing cybercrime. With smartphones becoming central to banking, payments, governance services, and personal communication, vulnerabilities in devices can have systemic consequences.
From the Centre’s perspective, source code analysis would help identify hidden backdoors, spyware, or security flaws that could be exploited by criminals or hostile actors. The proposals align with Prime Minister Narendra Modi’s broader agenda of digital sovereignty and data security, ensuring that devices sold in India meet standards suited to India’s security needs rather than relying solely on foreign assurances.
The IT Secretary has emphasized that discussions are ongoing and that industry concerns will be considered, suggesting that the government is still in a consultative phase.
Concerns Raised by Technology Companies:
Technology firms and industry bodies such as the Manufacturers’ Association for Information Technology (MAIT) have raised serious objections. They argue that sharing source code compromises trade secrets, intellectual property, and competitive advantage. Source code is considered the most sensitive asset of a technology company, and any exposure risks leaks, misuse, or reverse engineering.
Companies also point out that no major global jurisdiction, including the EU, North America, Australia, or Africa, mandates such access. They warn that the requirement could make India an outlier, potentially discouraging investment and innovation.
Operational concerns have also been highlighted. Continuous malware scanning could drain battery life, degrade user experience, and overload system resources. Storing one year’s worth of device logs may be technically impractical due to limited storage capacity on many devices. Further, requiring government clearance before software updates could delay urgent security patches, paradoxically increasing vulnerability rather than reducing it.
International Comparisons and Precedents:
The controversy is amplified by international precedents. Apple had refused China’s request for source code access between 2014 and 2016, and similarly resisted attempts by U.S. law enforcement to access its encrypted systems. These examples underscore how even powerful governments have struggled to justify such demands in liberal democracies and advanced economies.
Globally, cybersecurity regulation typically focuses on standards, audits, and compliance certifications, rather than direct access to proprietary source code. This makes India’s proposal particularly sensitive in the context of international trade and diplomatic relations.
Implications for Privacy, Industry, and Governance:
If implemented without safeguards, the proposal could have far-reaching implications. From a privacy perspective, mandatory logging and government access could raise fears of mass surveillance, undermining user trust. For the industry, it could increase compliance costs, legal risks, and reluctance to launch advanced products in India.
On the governance front, the issue highlights the tension between national security and economic openness. While stronger cybersecurity is essential, excessive regulatory intrusion could conflict with India’s ambition to become a global technology and manufacturing hub.
Way Forward:
A balanced approach is essential. Instead of direct source code access, the government could explore independent third-party audits, secure sandbox testing, or confidential vulnerability disclosure frameworks aligned with global best practices. Transparent legal safeguards, strict data handling protocols, and limited scope for government intervention could help address industry concerns.
Meaningful stakeholder consultation, clear definitions of “security threats,” and alignment with international norms will be crucial if India wants to strengthen digital security without undermining innovation, privacy, and investor confidence.
Conclusion:
The Centre’s proposal to seek access to smartphone source codes reflects a genuine concern for cybersecurity in a rapidly digitising society. However, the resistance from global technology firms underscores the complex trade-offs between security, privacy, intellectual property, and ease of doing business. How India navigates this debate will shape not only its digital governance framework but also its standing in the global technology ecosystem.
