The Department of Telecom diktat to all phone makers to pre-install the Sanchar Saathi app on all mobiles has fuelled a furious debate about state surveillance and right to privacy even as the government has reasoned that the app can be deleted by users.
First announced by the telecom department in 2023, the Sanchar Saathi app is to be pre-installed in every new phone being sold in the country and it is also to be pushed to existing smartphones through a software update within 90 days, per a direction issued in the last week of November.
The news was first broken by Reuters on Monday, and the government clarification that the app can be deleted – should the user want – came Tuesday.
The directive initially issued by the DoT instructed phone manufacturers to make sure that the app’s functionalities are not “disabled or restricted”.
But why is the app controversial?
The professed primary function of Sanchar Saathi is simple: secure your phone, mobile connection and identity to ensure that your phone can’t be cloned or your SIM can’t be duplicated.
Another important functionality of the application is that it can be used to report lost or stolen phones and flag suspected fraud communications. It sounds innocuous, helpful. If one ignores the Google reviews of the app that claim none of the professed features actually translate to real help, why the brouhaha?
“The problems deepen when we look at the scope and safeguards,” Apar Gupta, founder director of the Internet Freedom Foundation, tells The Telegraph Online. “The order invokes 'telecom cyber security' as a catch-all justification, but it does not define the functional perimeter of the app.”
He adds: “Clause 5 of the Directions refers to identifying acts that ‘endanger telecom cyber security,’ an expression so vague that it invites function creep as a design feature, not a bug.”
Function creep is any feature or function that does more than its original intended purpose. For example, an app’s permission requests may be for access to photos to store or access spam messages or calls but if it function-creeps it can access personal photos too because it has permission to access photos.
Gupta explains that at present the app may be framed as a benign IMEI checker – that detects if the device is legal or not – but in the future, through a simple update, it could be repurposed for client-side scanning for “banned” applications, flagging VPN usage, correlating SIM activity, or trawling SMS logs in the name of fraud detection.
Nothing in the order constrains these possibilities.
The app deals with very sensitive data — IMEI numbers, device tracking details, ID-linked SIM information, and recovery logs. Each of these touches the core of a user’s digital identity. Centralising them in a single system automatically raises a big question mark on a user’s privacy. The government’s recently passed Digital Data Protection Act, critics argue, contains broad state exemptions and limited independent oversight.
Hence the risks, experts say, include the potential for mass surveillance. This is a point that opposition parties – from the Congress to the Shiv Sena (UBT) to the CPM – have sought to hammer in.
Such large amounts of data stored in a centralised system can also be misused by rogue entities.
For example, a 9 October post on a darknet crime forum offered access to 815 million records containing information on “Indian Citizen Aadhaar and Passport”. The hacker was reportedly willing to sell that data base for $80,000.
Even if one accepts the government argument that the Sanchar Saathi app is well-intentioned, the stakes — with the mobile phone carrying so much of people’s lives – are too high.
