Smartphones have become ubiquitous, and are forcing us to re-imagine the contours of privacy and data protection. This is for several reasons: we carry our phones everywhere we go, we use them for accessing critical services including banking and payments, we use them to store personal and sensitive data, to access our social networks and emails, and many “apps” are connected to servers and facilities that consumers and governments, often have no line of sight to.
Unsurprisingly, reports of phone hacks, theft of personally identifiable information and user-tracking, misguidance of consumers and evasion of law, by stakeholders within the digital ecosystem, has become an everyday phenomenon. The Indian smartphone user is particularly vulnerable.
The sheer pace of expansion of the smartphone market in India is unparalleled. Over 110 million new smartphones are added here every year—making India the world’s second largest smartphone market. Smartphone penetration is a key metric against which the success of India’s digital economy is often measured.
The rapid scaling up of sales of electronic goods and services that our aspirational market allows calls for greater vigilance, as there are limited disincentives to errant behaviour. Chinese handset brands for instance, command more than half of India’s smartphone market share, and are often pre-loaded with bundled apps. Reports of malware and backdoors embedded in these nifty smartphones and apps, are particularly troubling.
The prospect of free products and services are very compelling for the best of consumers. Consequently, Indians are voracious consumers of “free” apps—from Facebook and Google-run apps, which dominate digital advertising and direct their energies and algorithms to monetizing user data, to more pernicious Chinese-made apps like UC Browser, which have been linked to serious surveillance concerns.
The common thread in this spectrum is that most free apps seek to exploit user data and get omnibus permissions to do so from their users. Informed consent is the permission granted by users to app providers, in full knowledge of the possible consequences of the use of their data. Juxtaposed against complex terminology and lack of awareness about potential pitfalls, this “opt-in” framework may itself require revisiting.
Another Chinese app, which leverages the rather innate urge to take “selfies”, has an exclusive version for India, and is so attractive to consumers that many handset makers are bundling it with devices. This is despite evidence to suggest that the app leaks sensitive personal information to Chinese servers.
It gains extensive access to personal data and numerous features of smartphones: access to users’ GPS location, cell carrier information, Wi-Fi connection data, SIM card information and identifiers like the IMEI number, which can be used to track and actively monitor its users.
The government seems acutely aware of these context-specific risks, and has constituted cyber-security and data protection committees and working groups, which may help ring-fence the digital ecosystem. The B.N. Srikrishna Committee which has been tasked with creating a data protection framework for India is one such example.
However, laws and regulations cannot substitute for greater consumer awareness—apps will continue to try to exploit lack of user awareness, even after obtaining legal sanction. And since technology will always outpace regulations, apps and phones can exploit national security vulnerabilities just as easily.
In 2014, the Indian Air Force red-flagged the use of Chinese origin smartphones by its personnel and their family members due to a “flaw” in the operating system causing automatic and unencrypted transfer of user data to servers located in China. This data leak could have revealed and compromised the location and movements of air force personnel and their families, jeopardising lives and the safety of security infrastructure.
More recently, Indian troops posted along the Line of Actual Control have been issued a cybersecurity advisory to delete 44 apps, mostly of Chinese origin, to guard against espionage.
The national threat from bundled apps also extends to the content ecosystem. Bias in both the sequencing and substance of online content, available on apps such as UC News, can influence opinions of citizens at large. The US is finding out that Facebook campaigns were manipulated by Russian intelligence operatives the hard way. And Facebook is attempting to respond and show a higher degree of responsibility towards consumers by “flagging” paid advertisements.
However, can anyone expect similar apologetic behaviour by Chinese-origin apps and handset makers, even if found guilty of spreading false news, malware, spyware and so on? We wouldn’t hold our breath.
For netizens of a “mobile-first” economy, much greater caution and sensitivity is warranted. It is necessary for both policymakers and ordinary citizens to understand the security implications of using foreign origin smartphones with bundled, pre-installed apps.
We must not be naïve recipients of digital Trojans—and must begin to put a price on our data and privacy. We can start to do so by making informed consumption choices and nurturing a healthy scepticism of “free lunches”.
Arvind Gupta is head, Digital India Foundation, and Vivan Sharan is a technology policy expert based in New Delhi.