In this blog, James Moran, Head of Security, GSMA, takes a closer look at key findings from recent research on the sharp increase of data security and privacy as a global purchase driver for smartphones. He explains why this is so important to smartphone manufacturers and shows how the GSMA is working with ETSI and the industry to respond to this growing trend.
Nine in ten global consumers are concerned over smartphone data security and privacy, according to recent research.
GSMA Intelligence’s Consumers in Focus survey has found that over 60% of consumers (64%) rate security as “very important” in their purchase criteria for smartphones, while a further 26% say it is “somewhat important”, placing it in their top three most important considerations when buying smartphones.
Interestingly, YouGov’s recent research on consumer electronics corroborates GSMA Intelligence’s findings, indicating that “70% are ‘concerned’, with almost a third, ‘very concerned’ about smartphone data security and privacy.”
According to YouGov, “privacy and security moves from eighth (out of 10 priorities) for previous purchases, to fourth for future purchases”, suggesting that “consumers are increasingly receptive to privacy when considering new electronics purchases, and may be more receptive, and attracted to the changes that device manufacturers are making to be safer.”
It is therefore evident that the need for user-focused security and privacy protection has increased, but there is currently no standard way to describe, verify and certify the security capabilities of smartphones.
How can smartphone manufacturers help consumers with their purchasing decisions in the context of security/data?
For performance aspects such as processor speed and battery life, objective benchmarks exist today, making it easy for consumers to compare these smartphone characteristics. However, for data security and privacy there is no globally agreed set of characteristics that policy makers, comparison sites, news outlets, and mobile users can consult and evaluate.
While there are some enterprise-focused and IoT security certification initiatives, there are no independent security certification programmes focused on the security needs of smartphone users.
In 2021, ETSI, the European Standards Development Organization (ESO) making world-class standards for ICT, released the Consumer Mobile Device Protection Profile (CMD PP) specification, the first comprehensive global standard for securing smartphones. The CMD PP is the first of a series of consumer cybersecurity standards from ETSI, derived from ETSI EN 303 645 on cybersecurity for consumer Internet of Things.
What is the GSMA doing to help?
During 2022, the GSMA formed a working party to further evolve and leverage this new standard with a view to developing a smartphone security certification programme around it. Our goal is to provide a single reference point where all interested stakeholders can see which smartphones have undergone security evaluation and certification against the ETSI standard.
Moreover, the working party is seeking to define and develop a consistent way to present the evaluation and certification results to interested stakeholders, helping them to understand how individual smartphone models protect users and their data and for how long they will be supported.
A new smartphone security certification scheme
A scheme under consideration will provide objective and consistent security benchmarks, enabling greater transparency for the benefit of security-conscious users. The security requirements, against which smartphones will be evaluated and certified, will cover aspects like encryption, security updates, biometrics, networking, trusted hardware and more.
“ETSI is excited to work with the GSMA in helping to bring more security to smartphones,” says Adrian Scrase, ETSI CTO. “Our groundbreaking work on IoT cybersecurity has helped us derive this Protection Profile standard in advance of industry needs.”
Raising the security bar
A certification scheme dedicated to smartphones will ultimately raise the security bar across all smartphone manufacturers and will appeal to global and national policymakers who are interested in setting security baselines and promoting better transparency as well as awareness. By building a smartphone security certification scheme that aligns with existing and future regulatory requirements, the GSMA hopes to help avoid security requirement fragmentation and promote harmonisation, rooted in a globally supported security baseline.
Working together with the entire ecosystem
The GSMA is evaluating the necessary enablers for a smartphone security certification scheme by convening a working party of leading OS developers, smartphone manufacturers, network operators and policymakers to deliver a groundbreaking programme that is robust, agile and will continue to evolve to meet the current and future needs of mobile users. If you are interested in finding out more about GSMA Services, please contact our team.
James Moran
Head of Security, GSMA