Posted on October 18, 2020
Authored by Manika Dayal*
Recently, the Government of India imposed a ban on 59 Chinese apps, including applications such as TikTok, WeChat, and UC Browser, as reported earlier here. This action was taken under section 69A of the Information Technology Act, 2000, citing a continued threat to the sovereignty and integrity of India. The Government of India made this decision in light of growing tensions in Ladakh’s Galwan Valley, primarily to avoid misuse of Indian citizens’ data by the Chinese authorities. This was an active attempt by the Government to secure citizens’ data and avoid misappropriation of sensitive information. However, since 2019, there have been visible concerns regarding the unwarranted storage of people’s smartphone data in a relatively subtle manner. Recently, a public interest litigation (“PIL”) was filed before the Hon’ble Supreme Court of India in October, addressing these privacy concerns and seeking protection against them. This article seeks to analyse the privacy concerns and security risks of “bloatware” on Android devices in light of the issues raised in the PIL.
Privacy Concerns in the PIL
On 11th October 2020, Advocate Wajeeh Shafiq moved a PIL before the Supreme Court of India, seeking to secure and extend the right to privacy under Article 21 of the Constitution to pre-installed applications or “apps” present in Android smartphones. The PIL primarily seeks the imposition by the Government of a set of guidelines upon smartphone manufacturers, specifically mandating disclosure of all pre-installed apps on the outer packaging of the phone itself. The disclosure, in all major regional languages, is to be included in the shrink-wrap agreement on the packaging of the smartphone and is meant to serve as a condition precedent. Further, the PIL seeks disclosure of the storage and usage of the data collected by smartphone manufacturers, in order to ensure that the data is not subsequently misused by the industry giants. With regard to privacy concerns, the plea highlighted the gravity of the situation in light of the recent tensions between India and China, especially since most of the smartphone companies are Chinese. The PIL further included another perspective on the present issue, i.e. consumer rights. The storing of data by pre-installed apps, and the fact that those apps cannot be deleted by the smartphone user, directly go against various rights guaranteed to consumers under the Consumer Protection Act, 2019. The rights cited in the plea included the right to be protected against the marketing of goods which are hazardous to the life and property of the consumer; the right to be informed; and the right to consumer education and awareness, amongst others.
The plea mentions a key term that is central to the subject matter: ‘bloatware’. Bloatware essentially refers to the pre-installed apps in a smartphone that cannot be uninstalled by the user. The primary concern with bloatware is the lack of consent and knowledge on the part of the user with regard to the collection, storage and usage of their data. The first and foremost question that arises with bloatware is: what data are these apps collecting from a user’s phone?
A 2019 study ventures into the same territory. The study on “Pre-installed Android Software”, done by researchers at the IMDEA Networks Institute, Universidad Carlos III de Madrid and Stony Brook University, examined pre-installed apps on the Android devices of 2,748 users, spanning 1,742 devices from 214 vendors across 130 countries. The study predominantly focused on the grave lack of regulation and transparency pertaining to pre-installed apps found on new devices. According to the study, these apps are responsible for stockpiling the user’s geographical location, emails, contacts, and metadata. Further, apart from harvesting user data, bloatware apps also tend to monitor the activity of other apps installed by the user. This has often led to user data being siphoned to advertising agencies, who are then responsible for advertising, on different apps, the same products that users have mentioned or “looked up” on their phones.
An ancillary question that arises is: how is the bloatware authorised to perform such tasks? Bloatware obtains access to the information using custom permissions. Custom permissions essentially let a developer define their own access points, which can then be granted to other apps. In the case of bloatware, the custom permission is granted by the smartphone vendor or mobile network operator (instead of the user), which enables the bloatware to perform actions that regular apps would ordinarily be unable to. Another alarming aspect of bloatware singled out by the above study is the presence of malware in some of it, such as Loki (spyware and adware) and Slocker (ransomware). The presence of malware alone can provide complete access to the user’s device and personal information.
Generally, a smartphone user periodically receives ‘update’ notifications for the regular apps on the phone. These updates are software updates issued by the developers. Bloatware, in contrast to regular apps, is updated automatically; prima facie, the automation simply seems like a way to save time and effort. However, it can prove to be rather dangerous, as automatic updates allow the app to evolve on its own without any implied or express consent by the user. These automatically updated and evolving bloatware apps become fit to receive and carry out any function that is put in their code, in consonance with a “green light” granted by the manufacturers and the developers. Again, this “green light” is granted by the developers and not by the users themselves. This evidently works to the users’ detriment, as there is no guarantee that a time will not come when the apps could harvest personal messages and photos and/or record conversations without the users’ knowledge.
Another aspect of this issue is: how do these apps make their way onto our phones in the first place? Various software companies, like Google, often enter into contractual obligations with third parties for the purpose of packaging and pre-installing apps that are compatible with their versions of Android (such as ‘Google Play Store’, ‘Google Maps’, ‘Google Calendar’ etc.). Further, there is a mandatory documentation procedure in which digital certificates are filed for the purpose of proving the legitimacy of the apps. However, more often than not, developers create their own self-signed digital certificates, essentially providing their own guarantee and reference for their apps. Lastly, there is a probability that these third-party apps themselves entail alarming security and privacy issues, through which custom permissions are transferred to the users’ device.
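As an added illustration, not part of the original article or of the cited study, the following Python script shows how the custom permissions described above can be inventoried on a device one administers: it parses text in the layout of `adb shell dumpsys package` and flags pre-installed (SYSTEM) packages that declare vendor-gated permissions or request sensitive ones. The sample output, package names and the vendor permission are constructed for this example, and the field layout is an approximation of the real command’s output rather than a verified specification.

```python
import re
# Constructed sample in the layout of `adb shell dumpsys package`; names and hashes are invented.
SAMPLE_DUMPSYS = """\
  Package [com.vendor.telemetry] (1a2b3c):
    flags=[ SYSTEM HAS_CODE ]
    declared permissions:
      com.vendor.permission.TELEMETRY: prot=signature|privileged, INSTALLED
    requested permissions:
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
  Package [com.example.userapp] (4d5e6f):
    flags=[ HAS_CODE ]
    requested permissions:
      android.permission.CAMERA
"""
# Permissions whose grant to an app the user cannot uninstall deserves a second look.
SENSITIVE = {"android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")

def parse_dumpsys(text: str) -> dict:
    # Returns {package: {"system": bool, "declared": {perm: prot}, "requested": [perm]}}
    pkgs, cur, section = {}, None, None
    for line in text.splitlines():
        m, stripped = PKG_RE.match(line), line.strip()
        if m:
            cur = pkgs.setdefault(m.group(1), {"system": False, "declared": {}, "requested": []})
            section = None
        elif cur is None or not stripped:
            continue                                 # preamble before the first package
        elif stripped.startswith("flags=["):
            cur["system"] = " SYSTEM " in stripped   # SYSTEM flag marks a pre-installed app
        elif stripped.endswith("permissions:"):
            section = stripped[:-1]                  # "declared permissions" / "requested permissions"
        elif section == "declared permissions" and ": prot=" in stripped:
            perm, prot = stripped.split(": prot=", 1)
            cur["declared"][perm] = prot.split(",")[0]   # keep only the protection level
        elif section == "requested permissions":
            cur["requested"].append(stripped)
    return pkgs

def audit(pkgs: dict) -> list:
    # Flag pre-installed packages that define vendor-gated permissions or hold sensitive ones.
    findings = []
    for name, info in pkgs.items():
        if not info["system"]:
            continue                                 # user-installed apps can simply be removed
        findings += [f"{name} declares {p} (prot={pr})" for p, pr in info["declared"].items()
                     if "signature" in pr or "privileged" in pr]
        findings += [f"{name} requests sensitive {p}" for p in info["requested"] if p in SENSITIVE]
    return findings
```

On a real device the text would come from `adb shell dumpsys package` piped into `parse_dumpsys`; the signature/privileged protection levels are the ones a regular user-installed app cannot normally obtain, which is the asymmetry the study describes.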
The PIL was filed by Advocate Wajeeh at the Hon’ble Supreme Court of India based on the above-mentioned discussion, which, in the author’s opinion, had been a long time coming. It is pertinent to note that while the research on this specific issue had been conducted in mid-2019, India was not at the forefront of this discussion, at least up until this PIL. It is evident that user data is far from secure at this juncture. Therefore, it becomes exceedingly important for the Government to take affirmative steps towards investigating these lesser-known threats, as imposing a ban on mobile apps simply isn’t “secure” enough anymore.
Manika Dayal, Senior Editor and Board Member at IntellecTech Law, graduated with B.A LL.B (Hons) from Jindal Global Law School with a specialization in Intellectual Property, Data Privacy and Media laws.