On November 28, 2025, the Department of Telecommunications (DoT), through its AI & Digital Intelligence Unit (AI & DIU), issued a direction under the Telecommunications (Telecom Cyber Security) Rules, 2024 (as amended), mandating the pre-installation of the Sanchar Saathi mobile application on all handsets manufactured or imported for use in India. Smartphone manufacturers have 90 days to ensure all new devices carry the government’s application. Phones already sold must receive it through software updates, whose “functionalities cannot be disabled or restricted”.
The decision triggered a public and political outcry. Critics contend it is a way for the government to secure unfettered access to smartphones across the country. On the surface, the application’s functions appear simple: it is designed to safeguard phones, mobile connections, and identities to ensure devices cannot be cloned and SIMs cannot be duplicated. Users can report lost or stolen phones and flag suspected fraudulent communications. But the permissions the application seeks extend well beyond its stated ambit.
The Internet Freedom Foundation said in its statement: “Clause 5 of the Directions refers to identifying acts that ‘endanger telecom cybersecurity’, an expression so vague that it invites function creep as a design feature, not a bug. Today, the app may be framed as a benign IMEI checker. Tomorrow, through a server-side update, it could be repurposed for client-side scanning for ‘banned’ applications, flag VPN usage, correlate SIM activity, or trawl SMS logs in the name of fraud detection. Nothing in the order constrains these possibilities. In effect, the state is asking every smartphone user in India to accept an open-ended, updatable surveillance capability on their primary personal device.”
Also Read | Pegasus scandal: Modi government on the back foot
The Sanchar Saathi application requests permission to access and send SMS and MMS; read call logs; read, modify, and delete USB storage contents (which contain photos, videos, and files); capture pictures and videos with the camera; and control the flashlight and vibrations. On the Google Play Store, under the Data Safety section, it states: “App doesn’t provide a way to request data deletion.”
‘The government becomes the user
Speaking to Frontline, Venkatesh Nayak, Director of the Commonwealth Human Rights Initiative and a prominent RTI activist, said that while many applications track location and phone usage for advertising and profit, the implications differ when the state does so. “In the context of the state and its agencies, while they claim that the purpose of such monitoring software is to prevent or detect crime, it could just as easily translate into the workings of a deep state — one that keeps vigil over those it perceives as dissenters or individuals who voice their opposition to government policies, and then leverages that information to initiate legal action against them,” he said.
Nayak noted a crucial distinction between voluntary and mandatory applications. “When you download an app from the Google Play Store, it often asks for access to your contacts, photographs, videos, and so on. But there, you have the choice to install it, and you also have the option to delete or uninstall it. From what the media has reported about the Sanchar Saathi app, in the context of the government’s instructions to manufacturers and importers, it appears to function as a permanent feature that cannot be removed and is not voluntary. Although many apps come preloaded on mobile handsets, they are primarily intended for the use of the handset’s owner. Here, however, the government effectively becomes the user.”
The Sanchar Saathi application requests permission to access and send SMS and MMS; read call logs; read, modify, and delete USB storage contents (which contain photos, videos, and files); capture pictures and videos with the camera; and control the flashlight and vibrations. | Photo Credit: By Special Arrangement
Amid mounting criticism, Communications Minister Jyotiraditya Scindia clarified that mobile phone users would have the option to delete the application. “This is a completely voluntary and democratic system — users may opt to activate the app and avail themselves of its benefits, or, if they prefer not to, they can easily remove it from their phone at any time,” he stated on X. The Minister did not elaborate on how this would be possible given that the order specifies the application’s functions cannot be disabled or restricted.
Congress president Mallikarjun Kharge, in a social media post, said the government’s “unilateral directions to preload this app without taking into confidence various stakeholders and citizens is akin to dictatorship. Why does the Government want to know what citizens talk with their family and friends?” Congress general secretary and Lok Sabha MP K.C. Venugopal called the application a “dystopian tool” to monitor every Indian.
A pattern of data breaches and surveillance
Over the last few years, the BJP-led Centre has found itself embroiled in several incidents involving data breaches and mass surveillance. In June 2023, reports surfaced that a Telegram bot was exposing the personal data of millions of Indian citizens who had registered for COVID-19 vaccinations on the government’s CoWIN portal.
By entering a person’s phone number into the bot, users could reportedly retrieve a range of personal details, including full name, gender, date of birth, the government ID used for registration (Aadhaar or passport number, often the last four digits), and the details of their vaccination centre.
The Ministry of Health and Family Welfare and the Minister of State for Electronics and IT denied any direct breach of the CoWIN database, claiming the data accessed by the Telegram bot had been sourced from “previously breached or stolen data” belonging to other, unrelated databases.
In 2021, the Pegasus controversy erupted, involving allegations that the Indian government had used the Israeli-developed Pegasus spyware for targeted surveillance of journalists, opposition leaders, activists, and other citizens. The list reportedly contained around 300 verified Indian phone numbers, including those of opposition leader Rahul Gandhi, former Election Commissioner Ashok Lavasa, several Union Ministers, journalists, and activists linked to the Bhima Koregaon case.
The Indian government repeatedly denied conducting any “unauthorised surveillance”, dismissing the media reports as “highly sensational” and devoid of “factual basis”. Following multiple petitions, the Supreme Court of India in October 2021 constituted an independent technical committee to probe the allegations. The committee reported that it had detected malware on 5 of the 29 phones submitted for forensic analysis. It also observed that the government did not cooperate with the investigation.
Privacy as a fundamental right
Nayak said the application’s mandatory clause circumvents the right to privacy as a fundamental right — a protection affirmed by the Supreme Court of India in the landmark K.S. Puttaswamy v. Union of India judgment of 2017. “How can you turn somebody into a potential suspect? If that is the logic, does it mean that even the Prime Minister and the Home Minister of this country are suspects?”.
According to Nayak, the only “saving grace for them” is that they are not likely to engage in any unlawful behaviour. “But so do millions upon millions of citizens of India — they do not engage in unlawful behaviour either. So are they being subjected to this? Of course, the government will always tell you that if you don’t do anything illegal, you have nothing to worry about. But who determines what is legal and what is illegal?,” he asked. Today, participating in a public protest without police permission suddenly becomes illegal, Nayak noted. “This, in effect, amounts to the curtailment of fundamental rights guaranteed by the Constitution, particularly the right to privacy.” Nayak said he would file an RTI on the application and its intended use.
Also Read | Mechanism for political manipulation
Anjali Bhardwaj, activist and co-convenor of the National Campaign for People’s Right to Information, voiced similar concerns. “One of the provisions the government has introduced in the Data Protection Act is an amendment to the Right to Information Act, where, under the guise of protecting people’s personal data, they have altered Section 8(1)(j) of the RTI Act — a provision through which people were accessing information to hold governments accountable,” she told Frontline.
“What is very clear is that the government is increasingly seeking to avoid transparency and hiding behind the bogey of privacy and personal data protection to withhold information from citizens — information that could enable them to hold governments accountable and expose corruption.”
Bhardwaj warned the directive could also impede press freedom. “The Data Protection Act contains no exemption for journalists — there is no journalistic carve-out whatsoever.” According to him, this means that if any journalist collects, processes, or publishes personal information about an individual — their name, phone number, address — without consent, they could be penalised up to Rs.500 crore. “We are already seeing how press freedom is being diluted, and this will be yet another blow. Journalists store extensive information on their devices; they conduct confidential conversations; they protect the identities of their sources. All of this will be compromised,” said Bhardwaj. So this will be a blow to press freedom and to people’s right to free speech and expression as well. It is extremely intrusive and profoundly regressive if it goes through, he warned.
The DoT’s directions mandate that manufacturers complete the implementation within 90 days and submit their reports within 120 days. Apple, according to media reports, intends to resist this directive, arguing that it violates its user-privacy policy. The company does not comply with such mandates anywhere in the world, sources told Reuters, as they raise privacy and security concerns for its iOS ecosystem.
Featured Comment
