IFF's Statement against DoT's Direction for the mandatory installation of "Sanchar Saathi". We will fight for its rollback.

5 min read Original article ↗

The DoT's directions to manufacturers and importers of mobile handsets to pre-install the Sanchar Saathi App is disproportionate for attending to cyber crime, legally fragile, and structurally hostile to user privacy and autonomy.

Internet Freedom Foundation

02 December, 2025
4 min read

IFF's Statement on the Sanchar Saathi App Pre-Installation Directive

The Department of Telecommunications (DoT), specifically its AI & Digital Intelligence Unit (AI & DIU) on 01 December 2025, has under the Telecommunications (Telecom Cyber Security) Rules, 2024 (as amended) issued a sweeping Direction mandating the pre-installation of the Sanchar Saathi mobile application on all mobile handsets manufactured or imported for use in India. As a preliminary matter the DoT has yet to by itself disclose the full text of the direction. Initial reports by Reuters revealed it's existence and subsequently it's full text was disclosed by Medianama which form the basis of our statement, which will be followed up by RTI, analysis as well as steps, if required to support a challenge to it in a court of law.

Sourced from Arvind Gunasekar (link)

The direction by requiring manufacturers and importers of mobile handsets to pre-install the Sanchar Saathi App represents a sharp and deeply worrying expansion of executive control over personal digital devices. The stated objective of curbing IMEI fraud and improving telecom security is, on its face, a legitimate state aim. But the means chosen are disproportionate, legally fragile, and structurally hostile to user privacy and autonomy. Clause 7(b) is the clearest expression of this. It requires that the pre-installed Sanchar Saathi application be “readily visible” and that, “its functionalities are not disabled or restricted.” In plain terms, this converts every smartphone sold in India into a vessel for state mandated software that the user cannot meaningfully refuse, control, or remove. For this to work in practice, the app will almost certainly need system level or root level access, similar to carrier or OEM system apps, so that it cannot be disabled. That design choice erodes the protections that normally prevent one app from peering into the data of others, and turns Sanchar Saathi into a permanent, non-consensual point of access sitting inside the operating system of every Indian smartphone user.

Viewed through the lens of the Supreme Court’s judgment in K.S. Puttaswamy (2017) that reaffirmed the fundamental right to privacy, this structure cannot pass the proportionality test. K.S. Puttaswamy requires that any intrusion into the right to privacy must meet the standards of legality, necessity, and proportionality. Even if we assume legality and necessity for the limited purpose of checking the genuineness of devices, the order clearly stumbles on proportionality. The government’s own ecosystem already offers less intrusive means to verify IMEI numbers and detect fake handsets such as the Sanchar Saathi web portal, SMS-based KYM (Know Your Mobile) services, and USSD codes all allow a user to perform this task without a permanent app baked into the firmware. There is no technical explanation in the order for why a one-time or occasional verification exercise justifies a resident, non-removable application with elevated privileges that lives on the phone for the lifetime of the device. Forcing a permanent app installation for a sporadic verification function is not a marginal overreach; it is a textbook example of disproportionate state action under the Puttaswamy standard.

The problems deepen when we look at the scope and safeguards. The order invokes “telecom cyber security” as a catch all justification, but it does not define the functional perimeter of the app. Clause 5 of the Directions refers to identifying acts that “endanger telecom cyber security,” an expression so vague that it invites function creep as a design feature, not a bug. Today, the app may be framed as a benign IMEI checker. Tomorrow, through a server side update, it could be repurposed for client side scanning for “banned” applications, flag VPN usage, correlate SIM activity, or trawl SMS logs in the name of fraud detection. Nothing in the order constrains these possibilities. In effect, the state is asking every smartphone user in India to accept an open ended, updatable surveillance capability on their primary personal device, and to do so without the basic guardrails that a constitutional democracy should insist on as a matter of course. IFF is deeply concerned with this direction that sets up a precedent to enforce client side scanning on all smartphones in India and calls for its recall.

As a first step we have filed a RTI with the Department of Telecom not only for a copy of this direction/order but also the underlying justification on how and why it was issued. We will fight this direction till it is rescinded.

References

  1. PIB, DoT issues directions for pre-installation of Sanchar Saathi App in mobile handsets to verify the genuineness of mobile handsets, 01 December 2025 [Link]
  2. Azdhan, Why the DoT Mandate on Sanchar Saathi App Pre-installation on Smartphones is a Privacy Concern?, (MediaNama, 01 December 2025) [Link]
  3. Aditya Kalra and Munsif Vengattil, India orders smartphone makers to preload state-owned cyber safety app, (Reuters, 01 December 2025) [Link]