Shrey Madaan, Indian Policy Associate, Consumer Choice Center
Every netizen wants a safer digital space. As cyber frauds become increasingly sophisticated, governments everywhere feel compelled to act, and India is no exception. With nearly 750 million smartphones in use, strengthening baseline security standards is a legitimate policy goal. But cybersecurity policy succeeds only when it protects users without taking control away from them. India’s proposed smartphone security rules risk crossing that line.
The framework under discussion would impose a sweeping set of obligations on phone makers, ranging from advance notification of software updates to long-term data logging and, in certain cases, access to proprietary source code by government-approved laboratories. While officials have publicly denied plans to mandate source code disclosure, consultation documents reviewed by industry suggest otherwise. That contradiction has alarmed phone makers and privacy advocates alike.
Modern cybersecurity runs on speed and trust. When vulnerabilities emerge, companies can push patches globally within hours. Introducing regulatory checkpoints into that process does not enhance security. Rather, it slows it down and increases risk for users. This is why most advanced digital economies avoid pre-clearance requirements for software updates: regulators set standards and enforce penalties after failures, not during deployment.
There is precedent for why this matters. In May 2017, the WannaCry ransomware raced across the globe by exploiting a flaw in Windows file sharing (SMB) for which Microsoft had already shipped a fix, MS17-010, two months earlier. Devices that had received the update in time stayed secure; those stuck in bureaucratic or technical delays were encrypted. The lesson was simple: the window between a patch being available and a patch being installed is the window attackers use, and timely updates close it. Slowing them down in the name of oversight is a dangerous trade-off.
India itself has seen how overreach can backfire. In late 2025, the government withdrew a mandate requiring smartphones to install a state-run cybersecurity app after widespread criticism from privacy groups and opposition parties. The concern was not opposition to security, but fear of persistent state presence inside personal devices. The current proposal risks reviving those concerns through technical standards rather than explicit mandates.
Other requirements raise similar questions. Requiring one-year log retention expands the pool of sensitive data sitting on personal devices, increasing both privacy and security risks: a log that records a year of activity is valuable to whoever steals or seizes the phone, not only to the regulator. Frequent malware scans and warning pop-ups drain batteries and slow down low-end devices. When security starts disrupting everyday use, users do not comply; they look for ways around it.
Many countries have adopted a more balanced approach. In Japan, smartphone security policy focuses on outcomes, clear certification standards, and close cooperation with manufacturers rather than intrusive technical mandates. The government defines what secure design looks like, while companies remain responsible for implementation. South Korea follows a similar model, prioritising rapid patching, post-market enforcement, and clear penalties when firms fail to protect users, without embedding the state in operating systems or update pipelines.
At its core, this is a consumer choice issue. Smartphones are privately owned, not state-managed. They are gateways to banking, work, healthcare, and personal communication. Turning personal devices into objects of continuous state oversight erodes trust and collapses the boundary between sensible regulation and control, with ripple effects across the entire digital economy.
India can and should strengthen smartphone security. But effective security is invisible, fast, and reliable. It does not require turning personal devices into regulated spaces. Protecting users should never mean taking control away from them.