The Central government’s directive to preload the Sanchar Saathi app on all new smartphones, later withdrawn after widespread public backlash, offers a revealing window into the country’s evolving approach to surveillance, digital regulation and governance.
Yet, the withdrawal does not resolve the deeper legal questions it has exposed. This saga displayed how the State’s expanding powers over personal devices collide with constitutional privacy, rule-of-law standards and a digital society increasingly governed by pre-Internet laws.
Parallel to this, the ongoing SIM-binding requirements for messaging platforms, effective March 1, 2026, further demonstrate the Department of Telecommunications’ (DoT) push to extend regulatory control over internet-based services. These twin episodes reveal a pattern: the State increasingly asserts visibility and authority over citizens’ personal devices and communications, often justified by the real threat of cyber fraud, while offering limited transparency or accountability in return.
Sanchar Saathi itself was not a novel invention. It began as a web portal in 2023 and evolved into a mobile application in January 2025. It consolidates multiple functions: blocking stolen devices through IMEI integration with the Central Equipment Identity Register (CEIR), identifying duplicate SIMs under a user’s name, reporting suspected fraud, checking device genuineness and offering a financial fraud risk indicator. These features, useful in isolation, became controversial when the DoT issued a directive requiring manufacturers to pre-install the app and, critically, to ensure that its “functionalities are not disabled or restricted.”
Clause 7(b) of the directive sits at the heart of the legal dispute. Though later politically softened, it remains emblematic of a governance posture that presumes citizens must be fully visible to the State, while the State remains opaque to the citizen. This inversion of constitutional accountability warrants careful scrutiny.
Clause 7(b) required manufacturers to ensure that the pre-installed Sanchar Saathi app was “readily visible and accessible at first use or device setup” and that its “functionalities are not disabled or restricted.” Though seemingly procedural, these phrases transform the app from a voluntary tool into a quasi-system component with elevated privileges.
Requiring visibility at device setup converts the app into part of the onboarding process. Requiring that no core functionality be disabled precludes meaningful user choice, even if deletion is later claimed to be possible. Compounding the confusion, manufacturers were given 90 days to comply and 120 days to submit compliance reports.
Amid mounting backlash, the Ministry reversed its position, justifying the withdrawal by pointing to the app’s “increasing acceptance”, including nearly 6 lakh registrations in a single day. These shifting justifications, moving from mandate to voluntary uptake, underscore deeper concerns around legality, transparency and procedural fairness in rights-impacting regulation.
Further, for devices already manufactured or in the market, handset makers were required to push the app to users through “software updates”. Combined with the directive’s requirement that functionalities must not be disabled, this expanded the scope of intrusion significantly. The app also sought extensive permissions, including access to calls, messages, files and the camera, raising concerns that if deployed as a system-level application, it could access more user data than necessary for its stated purpose. In such a setting, a pre-installed and potentially non-removable application with access to core device functions raises serious concerns of overreach and creates an Orwellian surveillance backdoor on personal devices.
The Supreme Court’s judgment in KS Puttaswamy v. Union of India (2017) recognises the right to privacy as a fundamental right under Article 21, subject to a three-part test: legality, necessity and proportionality.
Legality requires a clear statutory basis. A device-level mandate affecting privacy, autonomy and control over device configuration cannot rest on an undated administrative direction. Such measures require explicit legislative backing and oversight. Clause 7(b) fails this threshold.
Necessity requires a legitimate aim and a rational connection between the measure and that aim. While cyber fraud is a serious concern, the State must show that mandatory pre-installation with non-disablement is required. Here, core functions such as IMEI blocking, SIM verification and fraud reporting already exist through the CEIR portal and SMS-based services. A persistent device-level intervention is, therefore, not shown to be necessary.
Proportionality requires the least intrusive means. Clause 7(b) is overbroad, imposing obligations on all users while less intrusive alternatives such as targeted enforcement, telecom-level safeguards and voluntary adoption remain available. It also increases systemic risk by expanding the attack surface through a privileged application.
While Puttaswamy provides the constitutional framework for assessing privacy intrusions, India’s operational surveillance architecture continues to rely on the much older framework laid down in PUCL v. Union of India (1996).
The landmark PUCL case was decided in a pre-smartphone world. It created procedural safeguards for telephone tapping: written authorisation, necessity assessment and a review committee. These rules were designed for targeted landline interception, not modern digital ecosystems that enable mass data extraction, behavioural profiling or privileged app-level access.
Yet today, tools like CMS (Central Monitoring System) and NATGRID operate within this outdated legal scaffolding. The Sanchar Saathi directive attempts to expand device-level visibility without updating the statutory architecture and landscape. This mismatch of expanding surveillance capacity without modernised safeguards violates the core spirit of PUCL, which emphasised procedural rigour and narrow tailoring.
The public’s fears are informed by past episodes such as the Pegasus spyware allegations and even the UIDAI helpline incident, where a helpline number mysteriously appeared in users’ contact lists. These events illustrate why device-level mandates feel like steps toward a structurally expanded surveillance state, justified through cybersecurity rhetoric rather than statutory reform.
Comparable international precedents, such as Russia’s mandatory pre-installation of the Max app, which integrates with state services and explicitly permits data sharing, illustrate how device-level mandates can rapidly evolve into systemic surveillance tools. This expansion of control at the device level is not occurring in isolation. It is mirrored by parallel efforts to extend regulatory authority over communication infrastructure itself.
A parallel directive issued on November 28, 2025, with a 90-day compliance timeline, requiring messaging platforms to implement SIM-binding, rests on a contested interpretation of DoT’s jurisdiction. The Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 (amending the 2024 Rules) introduced Telecommunication Identifier User Entities (TIUEs), subjecting app-based platforms using phone numbers or other telecom identifiers to mandatory number validation under telecom cybersecurity oversight. Combined with the expansive definition of “telecommunication services” under Section 2(t) of the Telecommunications Act, 2023, the DoT has used TIUEs to justify regulating internet-based communication platforms. The SIM-binding mandate exceeds DoT’s jurisdiction and encroaches on MeitY’s domain. The long-running push for “same service, same rules” for telecom and OTT remains legally unsettled.
Such ambiguity is dangerous. It allows executive agencies to expand authority through interpretation rather than legislation, a direct violation of the legality requirement under Puttaswamy. Beyond legality and jurisdiction, the SIM-binding mandate also carries significant practical burdens. Travellers abroad who switch SIMs or rely on secondary devices may face disruptions in accessing messaging services, and tablet and web usage becomes cumbersome due to mandatory six-hour relinking. Users who lose their SIM cards or devices could be locked out of essential communication. These disruptions particularly affect multi-device users, students, remote workers and international travellers. By tightly coupling telecom and messaging identities, the directive disproportionately impacts ordinary users while offering little deterrence to sophisticated fraud networks that routinely bypass SIM-based verification.
The compliance deadline of February 28, 2026 was not extended, bringing the requirements into force on March 1, 2026. Messaging apps (WhatsApp, Telegram, Signal) now require continuous linkage to an active SIM present in the device, causing web/desktop sessions of such apps to automatically log out every six hours, requiring fresh QR-code re-authentication via the primary phone.
Beyond concerns of legality and jurisdiction, these measures also introduce significant technical risks. A vulnerability in the app or update channel could compromise millions of devices. Over-the-air updates can also introduce new capabilities without fresh consent, creating opportunities for mission creep. Parallel proposals mandating always-on GPS, extending VPN data retention under the CERT-In Directions (2022) and integrating fraud indicators into third-party platforms reinforce concerns that Sanchar Saathi may be the first step in a longer arc of device-level interventions.
The defining feature of the Sanchar Saathi episode is not surveillance itself, but asymmetry. Citizens are expected to be transparent to the State; however, the State offers little transparency in return. The public receives undated orders, ambiguous mandates and verbal assurances in place of formal revocation. Meanwhile, citizens face device-level obligations, SIM-binding requirements and expanded data visibility.
This is the essence of an inverted republic: a governance posture where accountability flows downward and discretion flows upward. It is precisely the imbalance that Puttaswamy and PUCL before it sought to prevent.
Such mandates also risk normalising State-backed digital ecosystems, especially after earlier attempts to promote alternatives like Koo, raising concerns that future commercial platforms could similarly be nudged into users’ devices by default.
The government’s decision to retract the mandatory pre-installation of Sanchar Saathi on December 3, 2025 averted immediate backlash but failed to address the deeper structural flaws exposed by Clause 7(b) and the ongoing SIM-binding regime. Cybersecurity in a constitutional democracy cannot be advanced through opacity, ambiguous executive orders, or overreach. It must be grounded in statutory clarity, transparency, proportionate measures and respect for privacy rights.
Until such reforms occur, even well-intentioned device-level mandates risk deepening the inverted republic, where citizens are rendered fully visible to the State, yet the State remains opaque. The Sanchar Saathi episode highlights India’s nascent data rights culture, where convenience often trumps caution and many users lack the tools or awareness to exercise meaningful privacy choices. In this context, post-hoc assurances of “voluntariness” ring hollow, underscoring the State’s heightened duty to prioritise transparency and informed consent.
The SIM-binding mandate, now in force as of March 1, 2026, exemplifies the same pattern: expansive claims of authority without adequate safeguards. This moment demands a fundamental shift, from coercive technical interventions toward empowering citizens through digital literacy. A truly rights-respecting digital ecosystem depends not on pre-installed tools or forced linkages, but on informed, autonomous users.
Shivam Jadaun is a Delhi-based lawyer and tech consultant specialising in technology law, AI and tech policy.