The government’s confidential order of November 28 to phonemakers has sparked concerns around privacy and potential surveillance, with stakeholders ranging from Opposition lawmakers to the civil society criticising the order in public, and some smartphone companies pushing back against it in private, and planning to formally flag their concerns with the government.
“Digital security for every citizen is our topmost priority. Sanchar Saathi is voluntary, transparent, and designed solely to protect India’s mobile consumers while advancing the nation’s cybersecurity. Users have complete freedom to activate, or delete the app at any time, ensuring safety without compromising privacy,” Scindia said.
The government’s November 28 order, however, required smartphone companies to ensure that the app’s functions are not “disabled” or “restricted”. Scindia did not comment on, or clarify, how the app could be deleted if its functions cannot be disabled or restricted. Queries sent to the Department of Telecommunications (DoT) did not elicit a response until publication.
A senior government official said that the clause preventing disabling the app’s functions in the DoT directive means that “manufacturers must not hide, cripple or pre‑install a non-functional version of the app and later claim compliance”. “Nowhere it has been mentioned in the clause that the Sanchar Saathi App cannot be deleted by the end user,” the official said.
The Sanchar Saathi application is currently available to be downloaded from both Apple’s and Google’s app stores, but users, as of now, have a choice whether to install it on their devices. The government official said the app saw more than 6 lakh downloads on December 2. If the smartphone companies were to stick to the government’s directive, the app would come pre-installed in a new device, or be made available with a software update on all devices sold earlier and in use now.
Concerns persist
The government has clarified that registering with Sanchar Saathi app is voluntary and users can delete it, but concerns persist since the government’s November 28 order directing phone makers to pre-install the app has not been withdrawn.
“…this converts every smartphone sold in India into a vessel for state mandated software that the user cannot meaningfully refuse, control, or remove. For this to work in practice, the app will almost certainly need system level or root level access, similar to carrier or OEM system apps, so that it cannot be disabled,” said Internet Freedom Foundation, a Delhi-based digital rights group, in a statement.
Story continues below this ad
The Sanchar Saathi app allows tracking and blocking lost or stolen phones anywhere in India, based on the IMEI of the phones. The International Mobile Equipment Identity (IMEI) is a unique 15-digit code and can be used for identifying, verifying, tracking and blocking phones. The app, according to the government, can also assist police authorities in tracing stolen or lost devices, and potentially prevent counterfeit phones from entering the black market. The app also allows users to report suspected fraud communications via calls, SMS, or platforms like WhatsApp.
A senior government official said the DoT had held preliminary discussions with the industry in February and June, when the idea of distributing the Sanchar Saathi app was floated. Some companies including Apple were not present in those deliberations, the official said.
To operationalise the move, the DoT is drawing powers from the Telecommunication Cybersecurity Amendment Rules, 2025, which were notified in October. Specifically, the order has cited Section 8 (3) of the rules, which mandates that no person should intentionally remove, obliterate, change, or alter the unique telecommunication equipment identification number. Since the Sanchar Saathi app enables users to report stolen phones based on their IMEI, the government is using this particular provision as the legal backing for its order.
On the Sanchar Saathi app, registration with a phone number is mandatory to access its features. As per FAQs in the Sanchar Saathi app, it can detect the active mobile number in an Android phone and send an automatic message for registration to the DoT. However, on iOS devices, users have to press send on the registration message; it does not get sent automatically.
Story continues below this ad
On Android, the app seeks permissions to access users’ calls and SMS logs, their photo gallery, access the camera app (to scan IMEI codes), and to make and manage phone calls, to detect mobile numbers on the phone.
An analysis of Sanchar Saathi’s Android application (.apk file) on the open source application testing service Mobile Security Framework (MobSF) found that several codes allow the app to undertake multiple tasks related to user data.
It can take pictures and videos with the camera, read call logs, read data from external storage (like memory cards), and access phone features which can “determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on”. According to MobSF’s analysis, all these permissions fall under the “dangerous” category.
The platform’s short privacy policy states that the application does not automatically capture any personal information without prior notification. If personal information is requested, the user will be informed of the purposes, and “adequate security measures will be taken” to protect that data, it states. It prohibits sharing personally identifiable information (PII) with third parties (public/private), except when required by law enforcement.
Story continues below this ad
However, the app’s privacy policy lacks some elements that are considered the industry standard for privacy protection. For instance, it has no explicit statement about users’ rights, does not allow users to request a correction or, more importantly, deletion of their data from the app, and has no opt-out mechanism. Based on the privacy policy, it is unclear how long it stores the data it has access to.
Last week, the DoT issued a directive to companies like WhatsApp, Signal, and Telegram, under which users will no longer be able to access the applications without the SIM card with which they registered for the services on their phones. The directive will also mean that the companion web services, such as WhatsApp Web, will not be available uninterrupted to users, as they will be automatically logged out every six hours.
Right now, services like WhatsApp verify a user’s identity by sending a one-time password (OTP) to their mobile number. But, to follow the DoT’s directive, they will have to start accessing the IMSI of their SIM cards. IMSI stands for International Mobile Subscriber Identity, and is a unique number that identifies every mobile subscriber globally. It is stored on the SIM card.
.