ETSI Releases ‘First Comprehensive Global Standard for Securing Smartphones’

Last week the European Telecommunications Standards Institute (ETSI) published what it describes as ‘a world class standard’ that provides security and privacy protection for user data held on smartphones. The standard is called the Consumer Mobile Device Protection Profile and it has the reference code ETSI TS 103 732. ETSI Cybersecurity Chair Alex Leadbeater described the standard as…

…a complete solution to secure smart phones and tablets, minimizing privacy risks and maximizing user confidence that their smart devices protect their data.

Examples of the user data covered by the standard include photographs, videos, the user’s location, emails, SMS messages, call histories, passwords for web services, and fitness-related data. The ETSI standard addresses a broad range of features including cryptographic support, data protection, user identification and authentication, resistance to physical attack, the secure boot of operating systems, and trusted communication channels.

It is intended that device manufacturers will follow the standard in order to demonstrate their products are secure. The standard includes a common methodology for evaluators tasked with assessing the security of networked consumer devices. This standard is the first in a series that ETSI will create to cover various aspects of consumer cybersecurity. The plan is for this series to be delivered across the next 18 months.

ETSI has positioned their standard for use in certifying compliance with the European Cybersecurity Act. This law reflects fundamental differences in how the European Union and the USA seek to protect the privacy of people when using networked devices or communications services. The USA is unable to deviate from a philosophy that allows each of its 50 states to pass their own separate and often inconsistent laws relating to data, privacy, and all the modern digital activities that would be made to work anywhere if lawyers and governments did not find reasons to obstruct them. In contrast, the EU has emphasized the need for a common approach so that all businesses everywhere know what is required to sell goods and provide services to EU citizens. This is why it is not boastful for ETSI to claim theirs is a ‘global’ standard.

The question of who will be the digital rule-makers and who will be digital rule-takers keeps growing in importance each year. Cold War 2 will complicate progress but even the most xenophobic countries want to deliver increasingly advanced comms services that work seamlessly across borders. US dominance during the early years of personal computing turned into an unassailable lead in the semi-privatized governance of the internet, as well as ensuring the USA is home to the world’s biggest internet platforms, apart from those which benefited from barriers to entry into China’s unique market. In contrast to the USA and China, the EU struggles to create any new digital businesses of scale, but harmonization of forceful regulations means the EU has been able to punish many transgressions by US businesses whilst legions of US state attorneys could only watch impotently from the sidelines.

China has successfully agitated to place its people at the top of global institutions like the International Telecommunication Union, though China’s ambitions will continue to be battered by relentless opposition from the US government. However, the US remembering how to oppose China is not the same as the US rediscovering the knack of international leadership. Europeans have a strong track record in the field of mobile communications; there were good reasons why the Groupe Spécial Mobile saw its GSM standards adopted across the planet whilst US consumers found their CDMA handsets were useless outside of their home country (and often useless outside of their home state). The EU places a high priority on protecting consumers from unwanted inspection of their data, the US places a high priority on protecting consumers from unwanted calls, and the Chinese want to do as much business as they can without curtailing strategic objectives that require systematic surveillance of ordinary people. Despite the weakness in EU manufacturing and software development, I would not be surprised if the people behind ETSI find themselves obtaining a level of worldwide support that their American and Chinese rivals will envy.

Version 1.1.1 of ETSI TS 103 732 can be downloaded, without the need for registration, from here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.