The controversy around the Sanchar Saathi app marks a defining moment for India’s digital governance framework. A directive issued by the Department of Telecommunications on 28 November required every smartphone sold in India to come pre-installed with a government-owned cybersecurity app. If implemented, the mandate would have reached over 730 million active smartphones, effectively granting the State a presence inside the most intimate device of every citizen.
The stated purpose was benign: curb duplicate SIMs, verify IMEI authenticity, and reduce stolen-device fraud, a problem repeatedly flagged by law-enforcement agencies and noted by TRAI in its consumer-protection reports. Yet the absence of parliamentary debate, public consultation, technical disclosures or privacy safeguards meant that a narrow anti-fraud initiative quickly became a constitutional question about autonomy and surveillance.
READ | India-Russia ties need an MSME-led economic strategy
From cyber hygiene to concerns of intrusion
Sanchar Saathi already operates as a voluntary tool to check device validity, block stolen phones, and report suspicious connections. The DoT justified its expansion by citing the size of India’s second-hand device market and the rising resale of blacklisted handsets. These are legitimate concerns in a country where nearly 25% of smartphone purchases involve refurbished devices.
But making the app a persistent system application transformed a limited verification function into potential state intrusion. Privacy groups argued that pre-installation would require system-level privileges akin to OEM or carrier apps that cannot be deleted, raising doubts about genuine user control. The fear was not about the app as designed today, but the architecture it created: once embedded, such an application could evolve, update, or expand its permissions in ways that reshape state power over personal devices.
Industry resistance and constitutional unease
Opposition emerged swiftly. Smartphone manufacturers, including Apple, indicated they would not comply, citing global policies that prohibit pre-installed government software due to privacy and security risks. Civil rights groups argued that the mandate violated the proportionality test recognised by the Supreme Court in Justice KS Puttaswamy vs Union of India, which requires that state action infringing privacy be necessary, narrowly tailored, and supported by procedural safeguards.
No such safeguards existed. There was no public impact assessment, transparency on data flows, or audit requirements. There was no legislative scrutiny, despite the Supreme Court’s emphasis on legality as the first test for privacy-infringing measures. The silence of institutional checks amplified public anxiety: when state access enters private hardware, the boundary between protection and control can become indistinguishable.
Sanchar Saathi app: Withdrawal and the limits of executive decree
Under sustained public and industry pressure, the government clarified that the app was voluntary and deletable, and withdrew the pre-installation order by 3 December. Sanchar Saathi remains available on app stores, fulfilling its intended verification role without compromising user autonomy.
The speed of the withdrawal, however, reveals the fragility of governing digital spaces through executive decree. Global experience shows similar mandates—ranging from default state messaging apps to embedded security software—have encountered legal and commercial resistance. In a globalised hardware ecosystem, where security protocols, firmware control and data-protection standards are synchronised across jurisdictions, unilateral state-driven bloatware is rarely feasible.
Digital sovereignty is not equivalent to state possession
The episode raises a broader philosophical concern. As smartphones become extensions of civic identity—used for banking, welfare enrolment, vaccination records, payments and public authentication—the temptation for the State to view them as instruments of governance increases. Yet digital sovereignty cannot be achieved by asserting possession over citizens’ devices. A constitutional democracy must recognise that sovereignty lies with the citizen, and the State’s authority is legitimate only when bounded by consent, transparency and law.
The principles articulated in global privacy frameworks—such as the EU’s GDPR, and India’s own Digital Personal Data Protection Act, 2023—stress minimalism, purpose limitation and user control. Embedding a government app at device level violates these principles unless justified by overwhelming public interest and governed by robust safeguards. None were visible in this case.
A cautionary moment for India’s digital future
The Sanchar Saathi episode is not an isolated misstep. It fits within a pattern where digital regulation is increasingly driven by executive notifications rather than legislative design. The absence of institutional guardrails weakens public trust and fuels suspicion that protective tools can morph into supervisory instruments.
If India seeks to build a citizen-centric digital ecosystem—one aligned with its ambitions for global leadership in technology and data governance—the path lies through democratic transparency, independent audits, and statutory oversight, not through forced installs or technological shortcuts. Privacy must be treated not as an inconvenience but as an essential condition of democratic legitimacy.
The withdrawal of the Sanchar Saathi mandate is welcome. But the deeper question remains unresolved: how should a democratic state wield technological power? The answer lies in reaffirming constitutional discipline. Any tool that places the State inside the personal hardware of citizens must meet the highest threshold of necessity, legality and public justification. Until such standards become routine, India’s digital architecture will remain vulnerable to avoidable controversies that erode trust in the very institutions entrusted with safeguarding its citizens.