The Indian government has mandated that all new smartphones sold in the country must come pre-loaded with the state-run Sanchar Saathi cybersecurity app. This directive, issued last week and made public on Monday, requires smartphone manufacturers to ensure that all new devices are equipped with the app within the next 90 days. The move has ignited a debate over privacy, data security, and governmental overreach in the rapidly expanding digital landscape of India.
Government Rationale
According to the Department of Telecommunications, the Sanchar Saathi app is essential for citizens to verify the authenticity of their mobile handsets and to report any suspected misuse of telecom resources. The government has emphasized that mobile devices with duplicate or spoofed IMEI (International Mobile Equipment Identity) numbers pose a significant threat to telecom cybersecurity. With India's burgeoning second-hand mobile market, the government aims to curb the resale of stolen or blacklisted devices, protecting consumers from becoming unwitting accomplices in criminal activities.
Features of Sanchar Saathi App
Launched in January, the Sanchar Saathi app provides users with several key functionalities:
- IMEI Verification: Allows users to check the authenticity of their device's IMEI number.
- Lost/Stolen Phone Reporting: Enables users to report lost or stolen phones, aiding in their recovery.
- Fraudulent Communication Flagging: Helps users identify and report suspected fraudulent communications.
The government asserts that the app has been instrumental in recovering over 700,000 lost phones, including 50,000 in October alone, underscoring its potential benefits in combating mobile device-related crimes.
Privacy Concerns and Expert Criticism
Despite the government's justification, cybersecurity experts and privacy advocates have voiced serious concerns about the implications of pre-installing a non-removable government app on every new smartphone. The primary concern revolves around the potential for increased surveillance and data collection.
The Internet Freedom Foundation, an advocacy group, stated that this mandate effectively transforms every smartphone sold in India into a vessel for state-mandated software that users cannot refuse, control, or remove. The group argues that the app's design, which prevents users from disabling it, weakens the safeguards that typically prevent one app from accessing another's data. This could potentially turn the app into a permanent, non-consensual point of access within the operating system of every Indian smartphone user.
Technology analyst Prasanto K Roy highlighted the potential for the app to gain extensive permissions on the handset. While the app claims not to collect or share user data on Google's Play Store, its request for a wide range of permissions, including access to the flashlight and camera, raises concerns about potential misuse.
Compliance Challenges for Smartphone Makers
The new regulations stipulate that the pre-installed app must be readily visible and accessible to users during device setup, and its functionalities cannot be disabled or restricted. Smartphone makers are also required to make efforts to provide the app through software updates for devices that are out of factories but not yet sold. Compliance reports are due within 120 days.
This mandate poses significant challenges for smartphone manufacturers, particularly those with strict policies against pre-installing third-party apps. Apple, which powers an estimated 4.5% of the 735 million smartphones in India, has historically resisted such requests from governments. According to Reuters, Apple does not intend to comply with the order and plans to convey its concerns to Delhi.
Global Context
India is not alone in tightening rules on device verification. In August, Russia mandated the pre-installation of the state-backed MAX messenger app on all phones and tablets sold in the country, sparking similar privacy and surveillance concerns. These instances highlight a growing global trend of governments seeking greater control over mobile devices and user data, often justified under the banner of national security or cybersecurity.
The Indian government's move to mandate the Sanchar Saathi app has opened a Pandora's Box of questions surrounding privacy, security, and the balance between governmental control and individual liberties in the digital age.
