India: Internet Freedom Foundation raises concerns over proposed smartphone security requirements

On 12 January 2026, the Internet Freedom Foundation (IFF) published a statement responding to draft proposals for the Indian Telecom Security Assurance Requirements (ITSARs), a set of rules that would apply to smartphone operating systems and device manufacturers in India. The proposals became public through Reuters reporting on 11 and 12 January 2026 and are reportedly being considered by the Ministry of Electronics and Information Technology for mandatory notification.

According to the reports cited by IFF, the draft ITSARs would introduce several new obligations for smartphone manufacturers. These include requirements to retain certain device and user activity logs for up to 12 months, submit operating system source code for review by government-designated laboratories, notify authorities before issuing major software updates or security patches, and implement controls designed to prevent or detect practices such as rooting or jailbreaking.

Concerns about process and legal basis

IFF’s statement notes that, despite the public availability of the draft document, the proposals have not been subject to an open public consultation. Instead, their development appears to have taken place through discussions between government bodies and smartphone manufacturers. The organisation argues that such an approach limits broader scrutiny by civil society, technical experts, and users who would be affected by the rules.

From a legal perspective, IFF refers to the Supreme Court of India’s 2017 judgment in Justice K.S. Puttaswamy v. Union of India, which recognised informational privacy as a fundamental right. Under this framework, any state action that interferes with privacy must meet tests of legality, necessity, and proportionality. The statement questions whether the proposed requirements satisfy these standards.

Technical and security implications

The draft ITSARs reportedly require manufacturers to provide proprietary operating system source code for government review. IFF argues that centralising access to such code could create security risks by turning it into a high-value target for cyberattacks. If compromised, vulnerabilities could potentially affect large numbers of devices using the same operating systems.

The proposed 12-month retention of logs related to login attempts and app installations is also highlighted as a concern. IFF states that such data could reveal detailed information about users’ habits, associations, and interests, raising questions about data minimisation and purpose limitation.

Another provision that has drawn attention is the requirement for prior notification or approval before releasing major software updates or security patches. IFF notes that security updates are often time-sensitive, and delays could leave devices exposed to known vulnerabilities.

User control and device ownership

IFF’s statement also addresses provisions related to rooting, jailbreaking, and anti-rollback protections. These measures, the organisation argues, could limit users’ ability to customise their devices, repair older hardware, or extend the lifespan of smartphones they own. From this perspective, the proposals raise broader questions about user autonomy and the balance between security controls and individual rights.

Call for consultation

In response to the draft proposals, the Internet Freedom Foundation has called on the Union Government to pause any move toward formal notification of the ITSARs and to initiate transparent, open consultations involving civil society organisations and technical experts. IFF has indicated that it will formally write to the Department of Telecommunications and the Ministry of Electronics and Information Technology to seek greater clarity and transparency around the process.

The debate around the ITSARs highlights ongoing tensions between national security objectives, cybersecurity practices, and the protection of privacy and user control in an increasingly digital society.