Zero stars: On the Sanchar Saathi app Politics & News

The growing sophistication of cybercrimes, from “digital arrests” to anonymous, large-scale cross-border scams, has made tackling them both urgent and difficult. Cybercriminals have exploited a security gap wherein user accounts on instant messaging apps remain functional even after the associated SIM card has been removed, using this anonymity to conduct government impersonation fraud. The rampant use of spoofed or tampered IMEI numbers has also made tracking perpetrators nearly impossible for law enforcement. It is perhaps inevitable that the government seeks sharper tools to address these software and hardware vulnerabilities, which explains the Department of Telecommunications’ directives on November 28 and December 1. The first mandates “SIM binding” — ensuring that a user’s account is disabled if the physical SIM is removed. In the second, smartphone manufacturers must pre-install the Sanchar Saathi app to verify device authenticity in all new devices by March 2026. While the first directive is a security patch which could inconvenience WhatsApp/Internet messaging users, the second is reminiscent of the saying, the road to hell is often paved with good intentions. The solution to the problem of counterfeit handsets and spoofed IMEI numbers is a cure that could potentially be more damaging than the disease.

The explicit instruction in the directive that the app is “readily visible and accessible to the end users at the time of first use or device setup and that its functionalities are not disabled or restricted” would mean that this app will be given a higher security clearance within the phone’s operating system, allowing it more intrusive access to features such as camera, phone or SMS access. The potential for misuse of this app for state surveillance and being utilised by a malicious entity after compromise to target millions of users is very present and clear. This is no empty fear considering what the Union government has done with the use of Pegasus software to target the political opposition, journalists and activists. Notwithstanding Union Minister Jyotiraditya Scindia’s clarification that users could delete the app, the directive’s text mandating that it cannot be disabled suggests that it will function more as a Panopticon and less as a simple verification tool. As the Supreme Court’s K.S. Puttaswamy (2017) judgment established, any state intrusion into privacy must satisfy the tests of legality, necessity, and proportionality. The government already possesses less intrusive means to verify device genuineness. The Sanchar Saathi web portals, SMS-based checks, and USSD codes should suffice. By ignoring these less invasive alternatives, the directive on Sanchar Saathi fails the proportionality standard. It is little wonder that privacy-conscious manufacturers such as Apple have reportedly refused to comply with this order.