Date: 2016-11-04

By Shelley Shan / Staff reporter

The National Communications Commission (NCC) on Wednesday approved draft rules on enhancing mobile phone information security, as it encouraged handset makers and telecom carriers to have their products certified.

The move follows public concern over the safety and security of using built-in mobile phone applications.

Smartphones by Chinese brand Xiaomi, for example, were found in 2014 to be automatically sending users’ personal and sensitive data to the company’s servers in Beijing whenever they use the phones’ built-in text-messaging app.

NCC spokesman Wong Po-tsung (翁柏宗) said that so far, China is the only country that enforces an information safety certification system for built-in mobile phone applications and operating systems.

As such, the commission would seek to “encourage” telecom carriers to have their mobile phones certified, particularly bundled products sold on a long-term contract basis.

The commission will also propose that the Public Construction Commission amend regulations to ensure that mobile phones used by government workers and officials are those that have obtained information safety certification.

Hsu Kuo-ken (徐國根), deputy director of the commission’s Department of Network Infrastructure, said that the draft regulations list items that are to be covered by the tests as well as requirements for establishing a laboratory to conduct the examinations.

Hsu said that testing by laboratories would be limited to built-in applications and operating systems.

Applications that users can download themselves are to be certified by the Industrial Development Bureau, he added.

The certification system will be divided into basic, intermediate and advanced levels, the deputy director said.

Basic certification ensures that users’ personal information is protected, Hsu said.

Intermediate certification ensures that users’ information is protected when it is being used, stored or transmitted, he said.

Advanced-level certification ensures that the core network of the smartphones would not be easily changed or exploited so that malicious third parties can obtain private information, he said.

“The certification is to provide basic protection for information safety, but it does not mean that the phones are absolutely safe,” Hsu said.

“If a smartphone’s operating system is found to have new loopholes that are subject to zero-day or other forms of software attacks after it is certified, we can nullify the certification, depending on the severity of the problem,” he added.

The new certification mechanism is expected to be launched in June next year, the commission said.