India Oversteps and (Partially) Backtracks on Plans to Intrude into Mobile Devices
Prateek Waghre / Dec 5, 2025
Prateek Waghre is a fellow at Tech Policy Press.

The 'Sanchar Saathi' app from India's Department of Telecommunications in the Google Play Store. Shutterstock
Citing cybersecurity and fraud concerns, over the past week, India’s Department of Telecommunications (DoT) under the Ministry of Communications has issued new directives that significantly extend the government’s reach into citizens’ personal devices and private lives. These include a November 28 order mandating the installation of the Sanchar Saathi (which roughly translates to ‘communication companion’) app on all mobile devices. Another set of directions, also dated November 28, mandates SIM binding for ‘app based communication services,’ a practice that links a user’s identity to a specific SIM card in a device. A third order, about which little is known at this stage, directs social media and messaging apps to integrate DoT’s Financial Fraud Risk Indicator and a blocklist of suspended mobile numbers, according to The Hindu.
While some of the challenges with fraudulent activity and cybercrime require well-considered responses, the government’s confusing directions set worrying precedents and have troubling implications both in terms of the specifics they prescribe and the direction they indicate for regulatory interventions in the medium-to-long term.
The unwelcome companion
First, let’s consider the directions about Sanchar Saathi. The app itself was launched in January 2025. It includes features to let users report suspected fraudulent communication, check if their names have been used to register additional mobile connections, block lost or stolen devices, and validate a device’s International Mobile Equipment Identity (IMEI) number, among others. Reuters reported that the telecommunications ministry had privately asked device manufacturers including Apple, Samsung, Vivo, Oppo, Xiaomi, and others to preload new devices with the app, and install it on existing ones with software updates. Device manufacturers had 90 days to comply, and 120 days to submit compliance reports. While the order was not public, a press release was issued after Reuters published its story, and an undated version of the order has been shared on social media. Additional reportage on these orders noted that they required device manufacturers to ensure that its “functionalities” could not be “disabled or restricted.” Civil society voices and groups have flagged surveillance risks, and asked for the order’s withdrawal.
In addition, there are also concerns that the application requests permissions that seem to exceed its utility. On December 2, the Telecommunications Minister verbally clarified that using the app is optional, and that it can be deleted. The DoT then published a statement in which it referred to the app as being “completely democratic,” and cited statistics where it helped identify fraudulent connections, block IMEI numbers, trace lost/stolen mobile phones, and so on. Many of these points were echoed in a press briefing by the BJP on Tuesday evening. Meanwhile, reports in the press suggested that Apple is likely to push back against these requirements and Samsung may attempt to discuss them further with the government.
Predictably, some of the discourse supporting the DoT’s moves also resulted in whataboutism regarding the privacy threat posed by apps and devices from China, assertions of a false equivalence between the government’s acquisition of data and that of American platform companies, and uncritical amplification of official explanations. On the other hand, many opposition political leaders have criticized it, drawing parallels with the Pegasus revelations in India, and Big Brother.
On December 3, an additional press release from the Ministry of Communications announced that the government had “decided not to make the pre-installation mandatory for mobile manufacturers,” and cited the app’s “increasing acceptance,” since 600,000 registrations were added in a day, as the reason for doing so.
Much of the confusion stemmed from the language in Clause 7(b) of the undated order and the second bullet point in the press release, which asks device manufacturers and importers to:
Ensure that the pre-installed Sanchar Saathi application is readily visible and accessible to the end users at the time of first use or device setup and that its functionalities are not disabled or restricted.
Read along with additional instructions for over-the-air updates and timelines for implementation and compliance reports, a reasonable interpretation of these rules is that the pre-installation was intended to be an irreversible process, with the ability to make changes limited. This would have constituted complete disregard for the consent of people who own devices. With the permissions requested being incongruous with the functioning and purpose of the app, it would also have posed an egregious privacy risk. And, finally, a precedent that the state can dictate what applications are on a personal device would have paved the way for more intrusive applications being mandated.
Indeed, as Srinivas Kodali describes in The Wire, for the system to detect theft and misuse as advertised, the app must be on the device to send information to the Central Equipment Identity Register (CEIR), through which a stolen device can be detected. If it can be deleted, then this process is potentially circumvented. The minister’s verbal comments and the December 3 press release seem to contradict the text of the order, begging the question of what the whole exercise was for. Suggestions that the order may not be formally revoked or modified since a press release will suffice are worrisome as there is now ambiguity over which parts of the order should be considered as being in force. Are software updates on existing devices still required or not? The ambiguity leaves room for discretion which may be exploited at some point in the future.
The government’s preferred approach of being non-transparent about its intentions and trying to push things through certainly did not help the matter. It is also unclear if the clarification and reversal are in response to the backlash, or if this was just a consequence of imprecise drafting. And if increased registrations were an acceptable outcome, then couldn’t an awareness campaign have achieved similar results? In any case, it raises serious questions about the ministry’s competence.
Ministry of (mis)communication
While the Sanchar Saathi app has been the focus of most of the public conversation around DoT’s directions over the last few days, the orders forcing SIM binding on communication apps that use mobile phone numbers as identifiers are also extremely problematic, both in terms of the specifics of the orders, and their long term implications over regulation of services on the internet.
Citing cyber frauds and misuse, the department ordered WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, Jiochat and Signal to ensure that their apps are linked to a SIM card in the device, which cannot be used unless it is active. It also said that sessions on their web versions should be logged out every six hours, forcing people to re-link. Like the Sanchar Saathi order, DoT wants implementation in 90 days and compliance reports in 120 days.
In essence, these directions treat everyone as a potential fraudster or ‘mule account’ and work backwards from there. DoT also displays a lack of regard for citizens by unilaterally rolling out changes that will significantly impact them with little public conversation and feedback. Writing for The Economic Times, Nikhil Pahwa lists several possible adverse impacts of these orders ranging from affecting how businesses communicate with their customers, inability for people to use communication apps when travelling abroad (unless they buy expensive roaming plans from their Indian telcos), making tablet/web-usage extremely cumbersome, creating significant risks in cases of lost or stolen devices, and inextricably linking messaging and telecom identities.
Pertinently, many observers also note that SIM binding may not even affect sophisticated large-scale scam operations; instead, it impacts the average user.
Notably, industry associations representing cellular operators in India have been lobbying for these changes and welcomed them, while the Broadband India Forum, which includes large technology firms as members, has opposed it.
These directions also surface a jurisdictional issue over whether DoT can regulate internet-based communication services or not. As Medianama highlights, this became possible after DoT amended the Telecommunications (Telecom Cyber Security) Rules, 2024 to bring telecommunication identifier user entity (TIUE) under its purview. TIUE is defined as an entity that relies on telecommunications identifiers (e.g. phone numbers) to identify users or deliver services to them. This has its genesis in the overbroad definition of “telecommunication service(s)” in India’s Telecommunications Act. During the consultation and parliamentary discussion phases, a range of voices from civil society, industry and various stakeholders had flagged concerns that definition
While the definition did change between consultation and enactment, it did not settle the ambiguity. In December 2023, the former telecommunications minister, Ashwini Vaishnaw, told the media that “OTT” was not covered under the telecom act. However, formal changes to the text of the act were never made, and in May 2024, a DoT bureaucrat suggested that this was still an open question (contrary to the minister’s attempted clarification). When the incumbent Minister of Communications, Jyotiraditya Scindia, was appointed, the Internet Freedom Foundation formally wrote to the minister asking for this ambiguity to be addressed (I was the signatory on the letter). This ambiguity, whether through malice or incompetence, has enabled DoT’s overreach into attempting to regulate internet-based services. A gambit that has been attempted multiple times over the years under the refrain of “same service, same rules.”
Troubling long term dynamics
Though the ministry appears to have backtracked on demands for mandatory pre-installation of the Sanchar Saathi app, the fallout of the definitional ambiguity and lack of formal correction with the telecom act highlights why the DoT order about Sanchar Saathi needs to be formally revoked and withdrawn, since verbal clarifications and documents such as press releases do not have binding force. A report that different ministries in the Indian government are reviewing a telecom industry-backed proposal to ensure that location services are always enabled (without an option for users to disable them) suggests other intrusive proposals could materialize in the future.
So far, there appears to be no intent to reconsider the SIM binding directions. The additional order referenced earlier and historical context suggest that seeking to regulate the internet is a line of intervention that the DoT will continue to advance unless jurisdictional issues are formally and irrevocably settled.
Questions also need to be asked about how we got here, and why the state chose an approach that regards every person in the country as a potential offender. The episode bears the hallmarks of a phenomenon I describe as the “inverted republic,” where burdens, obligations, and scrutiny of actions are disproportionately directed at people, while tremendous leeway is accorded to the state, which offers limited, if any, reciprocity by way of offering evidence, reason, operating with transparency, and abiding by due process.
This piece was updated to include a reference to a Reuters report that indicated India's government is reviewing an industry proposal to force smartphone makers to enable satellite location tracking that is always activated.
