Sanchar Saathi App and Privacy Concerns

Context

The Department of Telecommunications directed smartphone companies to pre-install the Sanchar Saathi application on all devices, creating concerns about privacy, surveillance, data security, and lack of user choice. Although Telecom Minister Jyotiraditya Scindia later stated that installation is optional, the written directive still requires the application to remain visible and not restrictable, leading to confusion.

What is Sanchar Saathi?

1. Sanchar Saathi is a telecom cybersecurity and anti-fraud application developed by the Government of India. It allows users to:
   1. Report fraudulent calls and SMS
   2. Report and block stolen mobile phones
   3. Verify device identity using IMEI scanning
   4. Track misuse of mobile numbers
2. The app aims to reduce cyber fraud, SIM misuse, and counterfeit device circulation.

What is the Recent DoT Directive?

1. The DoT, under Telecommunication Cybersecurity Amendment Rules, 2025, has directed smartphone companies to:
   1. Pre-install Sanchar Saathi on all new devices.
   2. Push a software update to install the app on existing devices already sold.
2. Clause 7(b) of the directive instructs manufacturers to ensure that:
   1. The app is readily visible.
   2. Its functionalities are not disabled or restricted.
3. Initially, companies were told the app cannot be deleted or disabled by users.
4. Compliance is required within 90 days, making this the first time a mandatory state application is being pushed at scale to phones in India.
5. Later, Telecom Minister Scindia stated that:
   1. The app is not mandatory.
   2. Users can choose not to register and can delete the app.
   3. The government’s intention is to make the app available widely to protect citizens from fraud.

This contradiction between the written directive and the verbal clarification creates uncertainty about actual user choice and consent.

How Sanchar Saathi Works and What Data It Can Access?

Sanchar Saathi works by helping users report fraud, block stolen phones, and verify IMEI numbers.

To do this, it needs certain permissions and access on the phone.

What Data Sanchar Saathi Can Access?

1. On Android phones:
   1. Phone number and call management: It reads the phone number on the device to register the user and verify identity.
   2. Send SMS: It can send an automatic message to DoT during registration.
   3. Call and SMS logs: It can read call and SMS history so that users can report fraud correctly.
   4. Photos and files: It uses them if users want to upload images or screenshots related to fraud or stolen phones.
   5. Camera: It uses the camera to scan the IMEI barcode to check whether a phone is genuine.
   6. Device information: It may access the device’s serial number and information about active calls.
2. On iPhones (iOS)
   1. It cannot automatically make calls or send SMS.
   2. It can only access:
      1. Camera
      2. Photos and files

Why Do These Permissions Raise Concerns?

1. The app can work without asking explicit permission in some cases (especially on Android).
2. It has wide access to sensitive data like call logs and device identity.
3. The privacy policy does not clearly say:
   1. How long data will be stored,
   2. Whether users can delete their data,
   3. What rights users have.
4. App store declarations stated “no data collected”, but the app does collect data like phone numbers and logs.
5. Exemptions Under Data Protection Law
   1. Under India’s Digital Personal Data Protection (DPDP) Act, the state and its agencies enjoy broad exemptions in the name of national security and public order.
   2. This means that statutory safeguards against misuse are weaker when the government itself is the data collector.
   3. Mandating a government-backed app with high-risk permissions therefore raises concerns of mass surveillance and profiling.

Constitutional Perspective: Article 21 and the Puttaswamy Test

The right to privacy is a part of the right to life and personal liberty under Article 21 of the Constitution.

In KS Puttaswamy (2017), a nine-judge Bench of the Supreme Court held that any state action affecting privacy must satisfy a three-part test:

1. Legality – There must be a valid law backing the action.
2. Necessity / Legitimate Aim – The action must pursue a legitimate state aim, such as security.
3. Proportionality – The measure must be proportionate and least restrictive, with a rational connection between the aim and the means.

Experts argue that:

1. There is no clear statutory law passed by Parliament specifically authorising compulsory installation of such an app on all phones.
2. The power is derived from rules and executive notifications, which is a form of delegated legislation, not primary law.
3. Less intrusive alternatives already exist, such as:
   1. Web portals for IMEI verification.
   2. SMS-based services.
   3. Voluntary apps that users can choose to download.

Therefore, there are serious doubts about whether this mandate satisfies the legality and proportionality requirements under Article 21 and the Puttaswamy judgment.

Some legal experts compare this situation to Aadhaar, where the government eventually had to bring a specific Act after legal challenges.

Surveillance, Function Creep, and Cybersecurity Risks

1. A centrally installed, government-controlled app on most smartphones can become a single point of failure and a high-value target for hackers.
2. Even if the present stated purpose is limited (fraud prevention, IMEI verification), there is a fear of “function creep”:
   1. Data collected for one purpose is later used for other purposes.
   2. Over time, the backend could be expanded to enable mass tracking, profiling, and surveillance.
3. Experts note that the government already has less intrusive means to achieve its goals, so a mandatory app is not clearly justified as the least invasive option.

Implications

1. Trust in digital governance may decline if people believe their phones are becoming “state-controlled devices”.
2. The move may be seen as undermining the spirit of the DPDP Act, which is supposed to protect user consent and autonomy.
3. It leads to possible increase in cyber vulnerability due to a single access point for hackers
4. It sets a precedent for potential future mandatory digital tools without adequate legal and constitutional safeguards.
5. Internationally, it could raise concerns about digital rights and rule-of-law standards in India.
6. It may lead to potential conflict between national security objectives and constitutional rights

Challenges and Way Forward

Conclusion

Sanchar Saathi aims to reduce digital fraud and strengthen cybersecurity, but concerns about privacy, user consent, excessive permissions, and constitutional legality must be addressed. A transparent, rights-based governance approach and strong digital safeguards are essential for ensuring trust and balancing security with privacy.