It was a déjà vu moment to read the Department of Telecommunications (DoT) Direction issued under the Telecommunications (Telecom Cyber Security) Rules, 2024 (Rules) calling upon mobile handset manufacturers to pre – install its Sanchaar Saathi App  and to push it onto existing users through software updates (Direction). The Direction not just mandates mandatory installation but requires “that its functionalities are not disabled or restricted. The Union Ministry clarifications advert to safeguarding citizens from purchasing non – genuine handsets but with the underlying purpose focussing on cyber – frauds and this move purportedly being to curb the menace.

Scroll back to 1993 and the Clipper Chip encryption technology with built in backdoors that USA’s National Security Agency could access at will, comes to mind. The arguments remain the same i.e., of national security protecting against crimes. We often note that Government attempts at curbing individual rights, are being justified on grounds of safety or security. That protection is spilling over to protectionism and stifling rights appears to have been glossed over. The lessons from the Puttaswamy judgment reiteration of the need for proportionality and legitimate state aim whilst formulating laws or regulations, appear to be waning again.

This Direction comes in the wake of citizens already being spooked due to the burgeoning cyber fraud milieu and consequently makes one lose perspective. Purportedly, the direction is aimed at manufacturers and importers of mobile handsets but it directly impacts the rights of individual users. That such mandatory imposition would tantamount to surveillance, which as a round the clock activity, against citizens cannot be permitted is trite and that such activity certainly does not and cannot have parliamentary imprimatur, be it under the parent Telecommunications Act, 2023 or Rules, is apparent. The Rules require manufacturers to provide assistance qua tampered telecommunication equipment and not for monitoring of all mobile devices. 

Interestingly, in response to the backlash there is a clarification that users are permitted to remove the app, as against the specific requirement that functionalities cannot be disabled or restricted. This clarification is specious and untenable, in as much as, it attempts to circumvent consent frameworks and follows in the footsteps of corporate surveillance, which has consistently sought forgiveness instead of permissions. That mere removal of the app does not result in deletion of data points collected, stored and retained by the Government and corporates is a reality apart from opacity on the exact quantum of data that would be collected or the digital footprint that would remain in the device. To make such an installation a mandatory part of a software update is an aggravated form of intrusion that takes away user rights without an opt out. In effect what the Government appears to be postulating then is that a user will be forced to download the app through a software update, install it and then have it deleted. This merely buttresses concerns over the remnant digital footprint in the device. 

Governments seeking backdoors did not stop with the Clipper Chip experiment but have expanded to using laws or regulations for the same such as India’s attempts through early regulatory mandates for submission of private encryption keys, apart from their request to Blackberry for access, which were thankfully not enforced. Clipper chip was considered a serious security risk in 1993, as was its request for Apple to bypass its own safety features post the San Bernardino incident, and this applies pari passu for a Sanchaar Saathi or any app for that matter to be mandatorily installed in a mobile device. The Wooley v. Maynard (1977) majority decision, striking down the Statute, which mandated use of private property as a ‘mobile billboard’ to carry State’s ideological message or suffer penalties, is evocative. The present instance compels users to surrender their rights over their personal property based on a placebo assurance of safety, that fails to cure the inherent ailment. That India has the Russian Law on Pre-installation of Russian Software, 2021, as a precedent does not lend assurance. Compelling manufacturers to install a third party software without clarity on functionality, legality, impact on proprietary software, amongst other issues, is a topic requiring a critical deep dive

India has resorted to law and regulations to provide access including to encrypted data including through its Information Technology Act, 2000 (as amended) (“IT Act”) such as Sections 69, 69A and 69B IT Act and regulations framed thereunder. It also has stringent provisions under the Telecommunications Act restricting tampering with, spoofing and modifying telecom resources, device identifiers etc., To seek a backdoor through an app in each mobile device, without explaining the trade-off on privacy and data protection and without an opt-out for a user is apparently excessive. That such requirement is forcibly mandated through third parties with no prior consent or control for user demonstrates its unsustainability. That there is no assurance on the security features, responsibility for breaches or misuse of app vulnerabilities further dilutes the Government’s position.

That the intent of Government is genuine or that the issue that it intends to combat is misuse of stolen devices including for commission of crimes or frauds does not permit for circumvention of individual rights. That the telecom department requires to plug holes in implementation of its protective measures, resulting in rampant misuse of, for instance SIM cards, resulting in facilitating cyber frauds and crimes is a real threat. But using intrusive technology under the guise of combatting crimes is not the answer. India’s data protection law still remains to be implemented, though the much delayed rules are now notified, as an effective eighteen month window is provided therein for implementation. With State being as responsible, for protecting individual personal data rights, as corporates, recalling this intrusive and violative direction and providing a more balanced alternative to protect against misuse of stolen mobile devices would be a wise move.   

********

The Writer is a Senior Advocate practicing at the Supreme Court of India & Founder of Cyber Saathi. This Article was penned on December 2, 2025 in the wake of the issuance of the above impugned Directions. On December 3, 2025, the Government withdrew this Direction of making installation mandatory