NEW DELHI: India’s plan to require smartphone makers to pre-install a state-owned cybersecurity app on new devices has sparked alarm, with main opposition and industry experts warning of potential breaches of information privacy.
The ministry of communications issued a directive over the weekend, according to which the Sanchar Saathi app must be visible and fully functional at first setup, with “no disabling or restriction of its features.”
The pre-installation of the app — which is part of a government initiative to help mobile users track, block, and secure lost or stolen mobile devices — aims to safeguard Indian citizens from buying tampered devices and enable “easy reporting of suspected misuse of telecom resources,” the ministry said in a statement on Monday, giving manufacturers 90 days to comply.
It also ordered them to “push the app to phones through software updates” to devices that are already in the market.
The announcement drew a backlash, with Congress, the main opposition party, demanding the rollback of the policy as unconstitutional.
“The right to privacy is an intrinsic part of the fundamental right to life and liberty, enshrined in Article 21 of the Constitution. A pre-loaded government app that cannot be uninstalled is a dystopian tool to monitor every Indian,” one of the party’s leaders, K.C. Venugopal, said on X.
While the government said the app was needed to address “serious endangerment to telecom cyber security” from “duplicate or spoofed IMEI (international mobile equipment identity)” numbers, the Internet Freedom Foundation, a non-profit organization dedicated to defending digital rights in India, warned that it can convert every smartphone into a “vessel for state mandated software that the user cannot meaningfully refuse, control, or remove.”
The IFF said the app would need access similar to system apps, so that it cannot be disabled and “that design choice erodes the protections that normally prevent one app from peering into the data of others, and turns Sanchar Saathi into a permanent, non-consensual point of access sitting inside the operating system of every Indian smartphone user.”
The directive therefore poses legal issues due to the “unclear nature” of its functions and objectives, Tanmay Singh, lawyer who specializes in digital rights, told Arab News.
“It is difficult to see how forcing the installation, and prohibiting the uninstallation, of an app under this notification will be in accordance with the Supreme Court’s guidelines in K.S. Puttaswamy (2017), which recognized the constitutional and fundamental right to privacy of all Indians.”
In the 2017 K.S. Puttaswamy v. Union of India judgment, the Supreme Court of India held that the right to privacy is a constitutionally protected fundamental right and said that it includes informational privacy — the right to control one’s personal data, information, communications, as well as protection against arbitrary surveillance or data collection by others.
“The one thing that people haven’t considered regarding the Sanchar Saathi app is that it can also be used to implant files in people’s phones. This won’t happen for everyone, but it can be used for political opponents and activists,” said Nikhil Pahwa, digital rights activist and founder of MediaNama, a mobile and digital news portal.
After a wave of criticism, Communications Minister Jyotiraditya Scindia told reporters in New Delhi on Tuesday that it was possible to remove the app.
“If you want to delete it, delete it,” he said. “The way your phone has many pre-installed apps like Google Maps — you can delete Google Maps if you don’t want it, so you can delete this also.”
But no new directive has been issued since.
“I don’t think the minister’s clarification is sufficient, because they need to either rescind this particular order or modify it,” Pahwa said.
“The minister’s clarification only makes sense if the directive that has been sent is withdrawn, because the directive very clearly says that the app should not be disabled or restricted in any way, which means that, effectively, it cannot be deleted.”
