Source Code, Sovereignty and Security: India’s Debate on Smartphone Software Access

Why in News ?                                           

A recent Reuters report claimed that the Indian government was considering requiring smartphone manufacturers to share their source code with third-party testing agencies and to inform authorities before major software updates.
However, the Union government has denied any proposal mandating source code disclosure, stating that discussions, if any, are exploratory and no final decision has been taken.

What is Source Code ?

• Source code is the foundational set of instructions and digital assets that govern how a software system operates.
• In smartphones, it controls critical functions such as memory management, processors, sensors, connectivity, and hardware integration.
• While platforms like Android are partially open-source, device manufacturers apply extensive proprietary modifications that are closely guarded.
• Source code is protected not only for commercial reasons but also for cybersecurity, as exposure can allow malicious actors to identify vulnerabilities and launch targeted attacks.

Why Source Code Disclosure Is Highly Unusual ?

• Sharing source code outside a company is extremely rare, even in highly regulated sectors such as defence, and then only under strict conditions.
• Global technology firms have consistently resisted such demands. For example, Apple has not shared its source code with China, despite complying with country-specific data localisation and access laws.
• This underscores the exceptional and sensitive nature of any requirement to disclose source code.

Security and Commercial Risks

• Unlike preinstalling an application, source code disclosure would expose a company’s entire proprietary software architecture.
• Cyber attackers generally exploit externally visible weaknesses; internal visibility would significantly magnify security risks, especially if documentation reveals system design.
• Even Android devices do not expose all implementation details, precisely to protect intellectual property and user security.

Government Position on Source Code Disclosure

• The Indian government has clarified that it has not proposed public disclosure of smartphone source code.
• The debate traces back to a 2023 document issued by the National Centre for Communication Security (NCCS) under the Department of Telecommunications (DoT).
• This document outlined Indian Telecom Security Assurance Requirements (ITSAR) for consumer equipment, sparking speculation about deeper access to device software.

Regulatory Background and Shifting Oversight

• ITSARs are part of the Mandatory Testing and Certification of Telecommunication Equipment (MTCTE) framework, rooted in the Indian Telegraph (Amendment) Rules, 2017.
• After the enactment of the Telecommunications Act, 2023, the government decided to drop MTCTE requirements for smartphones, citing existing certification by the Bureau of Indian Standards (BIS).
• Oversight of smartphone software security has since shifted to the Ministry of Electronics and Information Technology (MeitY), which has stated it is keeping an “open mind” on future policy options.

Industry and Civil Society Responses

• The India Cellular and Electronics Association (ICEA) has downplayed the seriousness of the discussions, suggesting no immediate regulatory change is imminent.
• Government representatives have reiterated that no final regulations have been framed.
• However, the Internet Freedom Foundation (IFF) has questioned these assurances, noting that ITSAR documents remain publicly available and that stakeholder consultations lack transparency.
• IFF has demanded disclosure of meeting minutes and called for open public consultation, arguing that decisions affecting digital rights, cybersecurity, and consumer trust must not be made behind closed doors.