Recent reports suggesting that the Indian government is exploring rules requiring smartphone manufacturers to disclose their source code to third-party testing agencies have sparked intense debate. The report, first carried by Reuters, also claimed that companies may be asked to notify the government before pushing major software updates to users. While the Union government has publicly played down these claims and denied any final decision, the episode has reopened fundamental questions about cybersecurity, regulation, and state oversight in the digital age.
What Is Source Code and Why It Matters
Source code is the foundational set of instructions that determines how software functions. It includes the logic, architecture, and digital assets that make devices and applications work. In smartphones, parts of the operating system — particularly those based on Android — are open source. However, manufacturers heavily modify this base code to add proprietary features, optimise performance, and differentiate their products. These modifications are closely guarded as intellectual property. Beyond commercial value, secrecy around source code is also a security practice. Exposing the complete internal workings of a system can make it easier for malicious actors to identify vulnerabilities, increasing the risk of cyberattacks, data breaches, and system compromise.
Why the Idea of Disclosure Is Controversial
Mandatory disclosure of source code to external agencies is highly unusual outside niche areas such as defence, and even there it is limited to select jurisdictions. Major global technology companies resist such demands. For instance, has not shared its source code with the Chinese government, despite making country-specific adjustments to data storage and compliance mechanisms. The controversy is sharpened by recent domestic context. Only weeks earlier, the (DoT) faced strong backlash over an order asking smartphone makers to pre-install the Sanchar Saathi spam-reporting app. Critics warned of potential surveillance risks and third-party security vulnerabilities. Compared to that episode, source code disclosure would represent a far deeper intrusion into device architecture.
Security Risks of Source Code Exposure
Cyberattacks typically exploit externally visible flaws in software. Granting internal visibility — especially if it includes detailed documentation — could significantly increase the attack surface. Even systems built on open-source platforms do not expose every layer of their implementation for precisely this reason. From a cybersecurity perspective, broad access to source code may paradoxically weaken, rather than strengthen, system security if safeguards around access, storage, and use are inadequate.
The Regulatory Trail: ITSAR and MTCTE
The debate is rooted in earlier regulatory efforts. In 2023, the National Centre for Communication Security (NCSS), under the DoT, finalised an Indian Telecom Security Assurance Requirement (ITSAR) for “consumer equipment”. ITSARs form part of the Mandatory Testing and Certification of Telecommunication Equipment (MTCTE) framework, which stems from the Indian Telegraph (Amendment) Rules, 2017. However, after the Telecommunications Act, 2023 came into force, the DoT and the (MeitY) decided to remove smartphones from the MTCTE regime. Smartphones already undergo certification through the , making overlapping oversight unnecessary.
Is the Government Asking for Public Disclosure?
The government has denied that it seeks to make source code public. According to MeitY, discussions are ongoing and no final regulations have been framed. Officials have stated that the ministry is keeping an “open mind” to balance national security and consumer interests. Industry bodies such as the (ICEA) have also sought to downplay the seriousness of the proposal, suggesting that consultations are still exploratory.
Concerns Over Transparency and Consultation
Civil society groups remain unconvinced. The (IFF) has argued that government denials conflict with publicly available ITSAR documents. It has called for transparency, release of meeting minutes, and open public consultation rather than closed-door discussions limited to large technology firms. The group has emphasised that if no final rules exist, draft proposals should be placed in the public domain to allow informed debate on their implications for privacy, security, and innovation.
The Larger Policy Question
At its core, the issue reflects a broader tension between national security concerns and the principles of digital trust, innovation, and global interoperability. While governments have legitimate interests in securing digital infrastructure, intrusive regulatory approaches risk deterring investment, weakening cybersecurity, and fragmenting global technology ecosystems.
What to note for Prelims?
- Meaning and importance of source code
- Role of DoT, MeitY, NCSS, and BIS in telecom regulation
- MTCTE framework and ITSAR standards
- Cybersecurity risks linked to source code exposure
What to note for Mains?
- Balancing national security with digital innovation and privacy
- Regulatory challenges in governing global technology firms
- Transparency and stakeholder consultation in tech policymaking
- Implications of intrusive regulation for India’s digital economy