Digital Emergency: India Forces 1.2 Billion Citizens to Install Government ‘Spyware’

  • December 2, 2025
On November 28, 2025, India’s Department of Telecommunications issued a directive that would fundamentally alter the smartphone experience for over 1.2 billion mobile users: all new devices sold in the country must come pre-installed with a government cybersecurity app called Sanchar Saathi. 

The order, which was privately communicated to manufacturers including Apple, Samsung, Google, Xiaomi, Vivo, and Oppo, gives companies 90 days to comply or face penalties. For devices already in the supply chain, manufacturers must push the app through mandatory software updates.

According to initial reports, Sanchar Saathi could not be uninstalled. Following the major political uproar over the directive’s contentious provisions, Union Minister for Communications Jyotiraditya Scindia later stated that users will have the option to remove it. However, only a few tech-savvy users change their mobile devices’ default settings or remove pre-installed apps, so there is a good chance that this app will remain active on the majority of devices.

The Surveillance Architecture Hidden in Plain Sight

While authorities frame Sanchar Saathi as a tool to combat financial fraud, which surged from ₹7,465 crore in 2023 to ₹22,845 crore in 2024, the app’s permissions reveal extensive surveillance capabilities that pose a serious risk to the privacy of every Indian smartphone user. The official privacy policy and app permissions expose alarming data access requirements:

– Phone Call Control: Permission to “make and manage phone calls” and access complete call logs, including numbers, duration, and timestamps

– SMS Monitoring: Ability to read all SMS messages and send messages from the user’s device

– Contact Database Access: Full access to the user’s complete contact list

– Location Tracking: Continuous access to device location data

– Storage and Media: Permission to access photos, videos, files, and use the device camera

– Law Enforcement Sharing: The privacy policy explicitly states that collected data is shared “with law enforcement.”

With this app now mandated on every device, the Indian government has created infrastructure for continuous monitoring of who its citizens call, when they call, what messages they send, and where they travel, all without requiring individual warrants or judicial oversight.

 

The Broader Digital Control Framework

The Sanchar Saathi mandate is not isolated but part of a comprehensive telecommunications cybersecurity architecture enacted throughout 2025 that dramatically expands state surveillance powers. Under the Telecommunications (Telecom Cyber Security) Amendment Rules, notified on October 22, 2025, the government now has sweeping authority to order immediate suspension of user accounts across multiple digital services simultaneously, from WhatsApp and Telegram to payment apps like Paytm and Google Pay, and even food delivery platforms like Swiggy and Zomato. End-to-end encrypted messaging services must now maintain continuous binding to active SIM cards, with web versions requiring re-authentication every six hours, effectively creating a permanent link between anonymous communication and government-trackable phone numbers. Privacy advocates and industry experts warn that this creates a “Big Brother” system where the state can monitor, control, and shut down citizens’ entire digital lives with a single command.

 

Global Parallels: Russia’s Digital Gulag and China’s WeChat Model

India’s move mirrors authoritarian surveillance strategies already deployed in Russia and China, where mandatory government apps serve as tools of social control. Since August 2025, Russia has required all mobile devices to come pre-installed with MAX, a state-backed messaging app that dissenting voices describe as a “digital gulag”. MAX lacks end-to-end encryption and is explicitly designed to share metadata, calls, location data, and activity with authorities. Russian telecom operators promote MAX by not charging for the data it consumes, while the government integrates it into schools and official communications. In China, WeChat has evolved from a messaging platform into an omnipresent surveillance infrastructure integrating policing, citizen verification, and location tracking through mandatory real-name registration. These platforms operate under domestic surveillance laws requiring companies to share all communications, contacts, and location information with the government. India now joins this authoritarian model of digital governance, where convenience and security rhetoric mask the insertion of surveillance into the core of civic life.

The Death of Consent and Constitutional Rights

Sanchar Saathi represents a fundamental assault on user autonomy and constitutional privacy protections. Unlike voluntary apps that citizens can choose to download, this mandate strips Indians of consent, the foundational principle of data protection law. K.C. Venugopal, general secretary of the opposition Congress party, condemned the directive as unconstitutional: “Big Brother cannot watch us. A pre-loaded government app that cannot be uninstalled is a dystopian tool to monitor every Indian. It is a means to watch over every movement, interaction, and decision of each citizen.”

Two industry sources told Reuters that companies received no prior consultation before the order was enacted. At the same time, the Broadband India Forum, representing major tech firms, called it regulatory overreach, raising concerns around jurisdiction and legality. Technology industry executives argue that the matter falls under the Ministry of Electronics and IT, not the Department of Telecommunications, and are considering mounting legal challenges.

 

Apple’s Dilemma and the Global Compliance Nightmare

The mandate creates particular friction for Apple, a company that has historically resisted government-imposed software installations that compromise user privacy, from FBI unlock demands to China’s censorship requirements. India represents a critical growth market where Apple now manufactures 14% of its global iPhone output. The company faces a stark choice: comply with the installation of surveillance infrastructure or exit one of the world’s largest smartphone markets, with 1.2 billion subscribers. This divergence from global privacy norms forces manufacturers to create separate India-specific builds, fragmenting their compliance strategies and potentially setting a precedent for other governments to demand similar backdoors. The app must be prominently visible during first device setup with no restrictions on its functionalities, and manufacturers must file compliance reports within 120 days or face penalties including imprisonment of up to three years and fines up to ₹50 lakh under the Telecommunications Act 2023.

 

Who Controls Your Data, and How Cybersecurity Failure Puts India at Risk

All personal information collected by the Sanchar Saathi app, including call logs, messages, contact lists, and location, is controlled by the Department of Telecommunications, Government of India. Data is stored in centralized government servers, with the privacy policy stating it will be shared with law enforcement when required, but offering no clear details on retention periods, access controls, or independent security audits.

This setup creates a massive cybersecurity failure point: by collecting multiple data points simultaneously, phone calls, SMS content, contact databases, GPS locations, photos, and device identifiers, the app creates an unprecedented concentration of sensitive information that exponentially increases exposure risk if breached. India’s track record with centralized government databases raises serious alarm bells. The Aadhaar system, containing biometric data of over 1.3 billion citizens, has suffered multiple data leaks with personal information found for sale on WhatsApp groups and through unauthorized access by thousands of operators, while the Aarogya Setu, a COVID-19 contact tracing app, faced severe criticism over privacy vulnerabilities and lack of data safeguards. With no publicly disclosed standards for encryption, penetration testing, or third-party oversight, the Sanchar Saathi database has the potential to become the most dangerous single target for hackers in Indian history, putting every citizen’s most sensitive communications at serious risk.

About Author

Shama Rebecca Sarin

Shama Rebecca Sarin is a global citizen and a longstanding international social and political observer.

Partha Ganguly

Superb presentation with near comprehensive marshalling of facts. Should have gone beyond the parallels of Russia and China though. The US, UK and many other European countries are following in the same path.
