Takeaways from the Sanchar Saathi saga: Cybersecurity policy must be evidence-driven, non-arbitrary, transparent

The Sanchar Saathi episode was ultimately about a larger tension: how to balance India’s burgeoning cybersecurity needs against the constitutional right to privacy and informed consent?
Harsh Gour

Harsh Gour is a columnist for The Leaflet and a law student at NALSAR University of Law, Hyderabad. His research lies at the intersection of law, technology, and policy, with a focus on AI ethics and governance, digital rights, privacy and data protection, IoT, consent frameworks, and platform regulation. He is also the author of ज़िंदगी के प्रेम को समर्पित (Dedicated to the Love for Life), a Hindi poetry collection.

INDIA’S DEPARTMENT OF TELECOMMUNICATIONS (‘DoT’) recently and quietly ordered all smartphone makers to pre-install its new “Sanchar Saathi” cybersecurity app on every phone sold in India.

The directive, under the Telecom Cyber Security Rules, instructed manufacturers to push the app to new devices. Once this came to light, opposition leaders, privacy advocates and tech companies immediately raised alarms. Sanchar Saathi, analysts alleged, was a potential snooping app - a Big Brother tool whereby the state could peer into citizens’ phones. But, after public discontent, the government has backed off. On December 4, days after the original directive, the government announced that the pre-installation of Sanchar Saathi would not be mandatory and that the app remains voluntary and privacy-protective.

CERT-In, India’s cyber emergency response team, reported a sharp rise in cyber incidents (from about 15.9 lakh cases in 2023 to over 20.4 lakh in 2024), and the National Cyber Crime Reporting Portal saw over 1.23 lakh related cybercrime cases reported in 2024. Crime statistics are no longer confined to rare news articles – in the Lok Sabha, the Home Ministry noted over 2.05 lakh police-registered cybercrime cases between 2021 and 2023. The government argues that Sanchar Saathi would give ordinary users tools to fight this scourge at the grassroots: blocking stolen phones by IMEI, flagging duplicate SIMs, reporting spam or spoof calls and more. 

But as this clash over the app’s rollout shows, any intrusion into India’s vast mobile network also raises deep questions about legal authority, consent and who controls our data.

Sanchar Saathi’s design

Sanchar Saathi was launched as a citizen-centric extension of existing telecom security portals. First, the DoT rolled out a web portal and helpline in 2023, and then, in January 2025, it introduced the mobile app on Android and iOS. According to official descriptions, it bundles together many anti-fraud services. Users can block lost or stolen handsets anywhere in India by their IMEI number; check how many SIM cards are active under their name (to catch cloned or duplicate SIM fraud); verify a device’s genuineness; report suspect international calls (disguised as domestic +91 numbers); and even see details of their internet service provider. The app’s achievements are touted in a government release: by December 2025, it claimed over 1.4 crore downloads, 42 lakh stolen phones blocked, 26 lakh traced (7.2 lakh recovered), and disconnection of 1.43 crore fraudulent connections.

Legally, Sanchar Saathi has been positioned under India’s Telecom Cybersecurity Rules. The DoT specifically invoked these Rules to require manufacturers to preload Sanchar Saathi on devices and push it via updates. The directive also instructed that the app must be “readily visible” to users on first setup and that its functionalities not be disabled.

DoT’s official materials consistently emphasise that Sanchar Saathi was designed as user-driven. The press release declares it a “democratic, fully voluntary, user-driven platform and privacy-first app”. Key features, the DoT says, only activate after the user explicitly registers. The app “works only with users’ consent” - citizens are free to activate, deactivate or delete it anytime, it noted. 

The DoT even claims that the app’s data practices comply with India’s Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (‘DPDP Act’): it “collects only the minimum personal information necessary,” shares no data for commercial profiling, and limits disclosures to law enforcement when “legally required”. The pitch is that Sanchar Saathi empowers citizens (a “Jan Bhagidari” approach) rather than imposing anything on them.

The Sanchar Saathi directive contradicted the Puttaswamy test

The Sanchar Saathi saga forces us to revisit core constitutional values in the digital age. India’s Supreme Court in K.S. Puttaswamy (Retd.) v. Union of India (2017) held that privacy (including informational privacy) is a fundamental right protected by Article 21. Any state action affecting personal data must satisfy a stringent test of legality, necessity and proportionality. That means the law authorising the action must be clear (with parliamentary sanction), the intrusion must serve a pressing social need, and it must be the least restrictive option to achieve that need. 

With Sanchar Saathi, these criteria are in tension. The app was mandated by an executive rule rather than a debated statute. The stated goal of curbing telecom fraud is valid. But is preloading an app the least privacy-intrusive way to do it? And is this step proportionate to the claimed harm?

The mandatory install rule failed the Puttaswamy test. The order would have treated every handset as a potential “state tap” by baking an app into its system. Users would lose the effective choice to say “no”; deactivation would be technically constrained, and deletion might require rooting the phone. In effect, the government planned to rely on the app’s design (including possible carrier-level privileges) to enforce compliance. This stands in uneasy tension with the DPDP Act, which emphasises individual control and consent over personal data. 

Even if the DoT insists data is minimal, the previous sweeping rule that every phone must host the app suggested a broad inference of data collection: for instance, mandatory phone number registration and access to SMS/call logs means linking user identities to the device. The DPDP Act permits exceptions for national security (Section 17), but requires oversight - here, none was visible.

Puttaswamy specifically warns against blanket measures that treat citizens as suspects en masse. Tools like the Central Monitoring System (‘CMS’) and National Intelligence Grid (‘NATGRID’) have faced similar critiques: they gave the state sweeping powers to monitor communications or combine data without individualised warrants, often relying on executive orders rather than statute. Sanchar Saathi can be seen as another strand in this evolving surveillance ecosystem. It aggregates data at scale (IMEIs, call reports, fraud complaints) under one roof. If ever misused, it could facilitate profiling or tracking of innocent users under broad definitions of “fraud prevention.” The jurisprudence requires any such aggregation to meet strict proportionality. 

Will collecting device IMEIs and call logs from millions of users survive such scrutiny? The DPDP Act suggests stricter consent, but its carve-outs for national security (Section 17) mean the ultimate check lies in judicial review, not in self-certification by a ministry.

Sanchar Saathi’s slogans speak of citizen “empowerment” and “transparency”. But a large part of the population struggles with digital literacy and consent. If government schemes overpromise protection while under-communicating risks, trust frays. One might ask, if this tool is really for me, why must it be pushed by default? The answer may lie in the persistent problem of fraud vectors that do not involve phones at all - phishing, banking network breaches, SIM swaps enabled by lax telecom KYC. Yet in the heat of the moment, dissenting voices risk being dismissed as technophobia. A balanced debate needs clarity: which flaws can only be fixed by a broad platform, and which can be addressed by conventional policing and regulation?

Sanchar Saathi’s tale

The Sanchar Saathi controversy should ultimately strengthen India’s approach to digital governance rather than entrench polarisation. One avenue is to clarify the legal foundation. If surveillance or cybersecurity tools are necessary, Parliament, not just a rule-making body, ought to debate their scope.

Transparency is key. The government should reassure citizens - by publishing a detailed Privacy Impact Assessment for Sanchar Saathi and clarifying exactly what data the app collects, how long it is stored, who can access it, and under what legal standards. Open-sourcing the app code, or at least submitting it to trusted third-party audits, would bolster confidence that “user consent” is meaningful and not merely nominal. Stronger grievance redressal mechanisms are also needed: any citizen should be able to complain if the app behaves improperly or if their data is misused.

Another lesson is that cybersecurity policy must be evidence-driven and non-arbitrary. The application of blanket mandates is dangerous; the government should continually assess what works. The initial surge in downloads shows citizen interest. If Sanchar Saathi has indeed significantly helped victims, this success should be documented and celebrated. If not, the policy should adapt: more resources could go to user awareness, bank security, or stronger KYC enforcement on SIMs.

Sanchar Saathi’s ongoing tale is a reminder that liberties and security are not binary opposites. Effective anti-fraud measures are vital in a digital society; at the same time, democratic values demand that such measures be transparent, accountable and reversible. The key is designing safeguards into new technologies. For instance, future versions of Sanchar Saathi could embed privacy by design: default data deletion policies, strict data minimisation, and perhaps even decentralised architectures that keep user data on-device unless absolutely needed.

The government’s final stance on Sanchar Saathi seems conciliatory. It has framed the app as a benign service after a tempest of criticism. If it is truly meant to help citizens, to be a citizen-centric initiative, then the government must take priority steps to strengthen citizen trust. This means ironing out the contradictions between “voluntary” and “mandated,” and ensuring the app’s operation remains within the rule of law.

India’s model should be exemplary of strategic restraint - that is to say, wielding digital tools for security but always under the gaze of constitutional safeguards. The Sanchar Saathi experiment can still teach us how to build a safer mobile ecosystem without sacrificing the liberties that lie at the heart of our democracy.
