
Opinion: Mandatory preloading of Sanchar Saathi will weaken privacy, not strengthen cyber security

Investing in specialised cyber forensic labs, training the police and prosecutors on tackling cyber crimes, and creating interstate cyber units with cross-jurisdictional powers may be better suited to the goal of tackling cyber crimes

(Image: Priscilla Du Preez/Unsplash)
indianexpress

Anwesha Sen

December 3, 2025 07:36 AM IST First published on: Dec 2, 2025 at 04:05 PM IST

India’s Department of Telecommunications (DoT) has mandated that all major smartphone makers preload the state-owned Sanchar Saathi cybersecurity app on new devices sold in the country, with users unable to delete it. While Telecom Minister Jyotiraditya Scindia today refuted claims that the app is being made mandatory and non-deletable, this contradicts what is stated in the order. Under Direction 7b, the order states that it must be ensured that the pre-installed app and its functionalities are not disabled or restricted.

This order will significantly impact the $48 billion mobile market. While cyber crimes are a threat, prioritising security in the way this mandate does would seriously undermine privacy and individual rights. Alternatives such as better enforcement of existing laws to combat cyber crimes and increasing state capacity for the same would yield better results without impacting individual privacy.


The order, issued on November 28, gave companies like Apple, Samsung, Vivo, Oppo, and Xiaomi 90 days to comply with it on new handsets. This mandate also requires that the app cannot be deleted or disabled by users, making it a permanent feature on every new phone. For devices already in supply chains, manufacturers must deliver the app via over-the-air updates, ensuring universal adoption across India’s 1.2 billion subscribers.

Notably, the order was shared privately with companies and not made publicly available. This lack of transparency raises serious concerns about accountability and public scrutiny. Coupled with existing government exemptions under the Digital Personal Data Protection Act (DPDPA), which shield state-run applications from stringent privacy regulations, this mandate becomes even more suspect. The centralised tracking and extensive data collection enabled by the app, without clear public oversight or clarity on data use, create the foundation for misuse and mass surveillance.

The opacity surrounding the app’s operation, since its source code is not open, and the absence of a public, consultative process, amplify fears of unchecked government access to device data. Such a secretive approach undermines user trust while increasing the risk that the mandate could be exploited beyond its stated security purposes, eroding fundamental privacy rights.


The Sanchar Saathi app was launched earlier in 2025 and government data claims it has helped recover over 600,000 lost or stolen phones. It also enables authorities to terminate fraudulent SIM connections, having disabled over 29 lakh so far. The app verifies IMEI numbers, reports suspicious calls, and helps users block stolen devices through a centralised system, with the aim of curbing scams associated with duplicate or spoofed mobile identifiers. It is like the Find My Phone feature already offered by most operating systems like iOS or Android, except that it is accessible by the government.

As with other recent amendments being made to various telecom rules, authorities claim this move is necessary to combat cyber frauds. The main argument is that preloading the app will boost adoption and enhance traceability and fraud prevention without relying on voluntary installs. It is also argued that it strengthens telecom security baselines.

The directive is also likely to have several market impacts. First, smartphone manufacturers will face increased costs related to software integration, testing, and deployment, possibly leading to delays in device launches or higher prices. Second, the mandatory preloading requirement has heightened tensions with Apple, known for its strict app ecosystem policies that prohibit pre-installation of third-party or government apps without user consent. This could lead to legal confrontations or disruptions in Apple’s market presence. Furthermore, the inability to delete the app has sparked privacy concerns among consumer advocacy groups, who fear increased surveillance and government overreach.

This mandate is unlikely to deter professional cybercriminals, who can easily bypass restrictions by using phones without the tracking software, rooting devices to override it, or masking IMEI numbers with spoofing tools.

Existing laws like the IT Act (Sections 43, 66, 66C-D penalising cyber fraud), TRAI’s CEIR (centralised IMEI blacklisting where users report stolen phones and operators enforce blocks), KYC mandates for SIM issuance, and BNS Sections 111(3) (organised cybercrime), 316/317/318 (theft, fraud, and possession of stolen devices), and 336 (electronic forgery) already provide legal tools — yet cyber fraud persists due to enforcement shortfalls, low awareness causing underreporting, jurisdictional silos (crimes reported locally but committed remotely), and capacity gaps in forensics.

Mandatory preloading of Sanchar Saathi adds little incremental value while risking surveillance backlash. Both iOS and Android have features to track or disable lost or stolen phones. In addition, service providers are also able to assist law enforcement in locating stolen devices. Bypassing these intermediaries and empowering the state with such powers could be a slippery slope.

Investing in specialised cyber forensic labs, training the police and prosecutors on tackling cyber crimes, and creating interstate cyber units with cross-jurisdictional powers may be better suited. Additionally, launching multilingual awareness campaigns on cyber crimes and streamlined portals for grievance redressal can empower enforcement over mandates, curbing fraud sustainably.

The writer researches AI governance, data protection, and open source technologies, and manages the tech policy programme at the Takshashila Institution
