Mint Explainer | Is Sanchar Saathi India’s anti-fraud shield or a surveillance overreach?

Why does the Centre want to make Sanchar Sathi app mandatory?

Launched in May 2023, Sanchar Saathi, developed and maintained by DoT, is a platform that allows users to voluntarily report loss or theft of mobile phones and duplication of SIM cards.

In March last year, the ministry of communications expanded its usage through ‘Chakshu’, a platform to report fraud and spam callers, with law enforcement and telcos using it to blacklist callers and devices.

On 28 November, the DoT issued notifications to phone brands, asking them to mandatorily pre-install Sanchar Saathi as an app on smartphones within 90 days. The DoT said that “mobile handsets bearing duplicate or spoofed IMEI pose serious endangerment to telecom cyber security”. IMEI or international mobile equipment identity is a unique 15-digit number that identifies each mobile device.

The Centre claimed that Sanchar Saathi does not collect personal data, despite the application requesting permission to access user call logs and read SMS messages.

Union telecom minister Jyotiraditya Scindia told reporters on Tuesday that the Centre is responsible for making citizens aware of the app, and that it is “designed to protect them from digital frauds and theft.”

Did DoT soften its stance after widespread backlash?

The original notification, a copy of which Mint has seen, said that phone brands must ensure that Sanchar Saathi’s functionalities “are not disabled or restricted.” This created concerns around government-backed surveillance.

However, on Tuesday, the DoT took a softer tone. Scindia, speaking with reporters after a Parliament session, said, “The app is completely optional. If you want to delete it, you can. If you don’t wish to register, you shouldn’t and can remove it anytime.” A senior official added that the mandate to not disable the app was “directed only for brands, not users.”

What happens next?

The Centre has not clarified if it will hold consultations on the matter. For now, brands fall under a 90-day mandate to preinstall Sanchar Saathi on all new phones, as well as almost 800 million existing ones through software updates.

On Monday, people close to Apple, Google and Samsung told Mint they were evaluating ways to push back against the diktat, citing both compliance concerns, as well as a potential breach of user privacy and the right to choose.

Can Sanchar Saathi really block out scammers?

Sanchar Saathi is a voluntary reporting platform where users can register complaints if they receive fraud calls. Privacy experts believe Sanchar Saathi is not a cyber security tool, and thus cannot really block cyber criminals.

Sumeysh Srivastava, partner at policy consultant The Quantum Hub (TQH), said that the app “can’t automatically scan IMEIs without user inputs, and even if it could, anyone looking to commit fraud could simply use older devices or root their phones to remove the app.”

Phone brands, hence, raised concerns that the app isn’t truly useful for what it was claimed to be, thus raising state-backed surveillance concerns.

Are such surveillance claims justified?

Experts called the move “intrusive” at the least. TQH’s Srivastava, said the app accesses call logs, SMS messages and camera—each of which involve personal data.

N.S. Nappinai, senior counsel at the Supreme Court, said, “The government’s hasty action violating constitutional fundamentals and its attempts now at digressing from its own directions with respect to disabling or restricting the functionalities of the app are both most unfortunate.”

A second senior cyber security lawyer, requesting anonymity, added that mandatorily installing the app is “quite the opposite of what the new privacy law promised, irrespective of Sanchar Saathi surveilling citizens or not.”

DoT, late on Tuesday, claimed on X that Sanchar Saathi “collects no personal data and tracks nothing.” The lawyer cited above countered that it would be “technically impossible to crack down on calls without collecting and tracking personal data.”

Nappinai further said that the Sanchar Saathi debacle “will definitely be seen to dilute the Centre’s own stand on data minimisation and its seriousness with respect to State complying with data protection laws.”

“Seeking an individual’s permission before installing an app, and telling them they have the liberty to uninstall—do not stand on the same footing. One follows consent frameworks, whereas the other first violates and then claims to give an opt-out. For instance, if I cannot update software before permitting the app to be downloaded on my phone, my right to consent is already violated. The question of first forcing me to download an app and to then ask me to delete it is obviously specious and untenable,” she added.