
Why check source codes, check apps too. But create a system for it first – The Financial Express



One of the little-known blunders of the Clinton administration was the introduction of a clipper chip to track phone communication. With technology becoming more pervasive, and the National Security Agency unable to keep track, in 1993 it suggested that telecom companies install a device which would help trace calls or other communication. The clipper chip, or Clippy, was supposed to have an encryption standard, using which the government could encrypt and decrypt messages. However, researchers soon discovered that instead of encrypting communication, Clippy worked otherwise. By 1996, the debate over Clippy had fizzled out.

In 2015, researchers who were part of the 1997 study which sank the clipper idea wrote another paper on the problems of governments asking for exceptional access mechanisms in the name of security and safety. The paper stated that if governments were to replicate the clipper idea, the effect would be many times worse, as technology has changed a lot over the last two decades.

However, governments do not seem to have learnt their lesson. Earlier this year, the telecom minister had talked about messaging platforms sharing encryption keys so that the government could determine the source of the message. This, the minister claimed, would help track fake news and curb misinformation. While the idea was novel, it would have also meant a compromise on security.

But the telecom ministry seems to be suggesting more such mechanisms. In view of security threats on devices, it has indicated that manufacturers should reveal their source code. Although this is not part of the draft rules on Indian Telecom Security Assurance Requirements, a Business Standard report indicated that the government was mulling this as an option.

Sharing would mean that Apple would have to tell the government the code of iOS devices, which the government would hand over to a third party to verify. Meanwhile, one of the largest phone companies in the world would wait for 12-16 weeks to launch its phone in India. Moreover, it will have to do this every time it releases an update. Imagine the government asking this of all app makers. Given the quantum of apps on iOS and Android, approvals may take years—this also is too ambitious—to come. Patents in India sometimes take a decade to be awarded. By the time companies receive them, it is time for reapplication.

Even China only asks for 10-30% of source code while granting patent certificates; India need not be worse.

A better idea, as this paper discussed a few days ago, would be to test devices during beta-testing and suggest changes. The government can go ahead and test them again at a final stage. Whether it conducts a third-party assessment or does it in-house is its prerogative. Doing this for phones and UIs is possible, as there are two stock software systems and not more than a dozen UIs. But if the government is concerned about security, it needs to expand the ambit. After all, it is the apps that create more problems than phones' source code.

This is where collaboration with academia can help. But this cannot be an initiative of one university or one government. Tech companies, governments and universities all need to come together to create a fund where the system can be checked. Say, India will cover apps 100-200, while the US will see 200-300. And all would contribute to the fund so that there is money to support academia.

Not only would this boost the profile of universities, it may also spur innovation to trickle down from academia to corporates, or vice versa. In either case, as funds dry up, such collaborations are necessary.

India can start by creating professionals and ensuring there is a certification; the rest can follow. Asking for backend keys and access will only lead to more vulnerabilities. The US learned this the hard way; India can do it easily.

 
