Date: 2026-02-27

Introduction

On 28th November 2025, the Department of Telecommunications (DoT) issued a directive requiring manufacturers and importers of mobile handsets in India to pre-install, within a 90-day window, an application termed 'Sanchar Saathi', a mobile application that aims at enhancing cyber security at the device level and providing users with a platform to report cyber fraud. This move, launched under the newly amended Telecommunications (Telecom Cyber Security) Rules, 2024 (Rules), was allegedly aimed at strengthening protections against telecom-related cyber misuse and fraud. The Rules comprise the legal backbone for India's telecom cyber security regime and confer broad powers on the Central Government, enabling it to issue directions and standards to mitigate misuse of telecommunication identifiers.

India's rapid digital transformation has been accompanied by a significant escalation in cybercrime incidents, particularly those involving mobile connectivity and telecommunications. A Press Information Bureau (PIB) publication dated 08.10.2025 noted a rise in cybersecurity incidents from 10.29 lakh in 2022 to 22.68 lakh in 2024. The National Cyber Crime Reporting Portal (NCRP) also recorded cyber frauds amounting to INR 36.45 lakh, as of 28.02.2025.

In response, the government launched Sanchar Saathi ('application / portal').

The rollout of Sanchar Saathi

Sanchar Saathi empowers mobile users with tools to verify device authenticity, detect misuse of telecom identifiers, and report fraudulent activity. At its core, Sanchar Saathi consolidates multiple fraud prevention tools into a single interface. A central component is the Central Equipment Identity Register, which enables users to verify their device's International Mobile Equipment Identity (IMEI) and block lost or stolen handsets. It also provides a reporting mechanism through which users can flag suspicious calls, fraudulent messages, or unauthorized SIMs issued in their name. Additionally, users can review and disconnect mobile numbers registered against their identity. By enabling users to verify IMEI numbers, report fraud calls or messages, and flag lost or stolen phones, Sanchar Saathi is portrayed as a consumer-centric cyber defence tool.

The Application's rollout and the November 28 directive are direct products of the Rules. It is evident that the Government relies on these rules to justify its mandate to handset manufacturers. Additionally, the Rules were amended in late 2025 to further strengthen cyber security, which was a clear legislative context for Sanchar Saathi. The Government's press statements and the reports also uniformly tie the app's genesis to fraud prevention and telecom security enhancement.

Importantly, the November 28 directive did not merely recommend availability of the app through app stores; it required the application to be pre-loaded on devices, thereby embedding it at the device level, rather than leaving installation as a choice to the user.

This marked a significant regulatory shift. Traditionally, telecom cybersecurity obligations were imposed on service providers and network operators. By extending these obligations to device manufacturers, the DoT effectively moved cybersecurity governance upstream, treating mobile devices themselves as critical control points in preventing fraud and misuse. The pre-installation requirement, therefore, became the most debated aspect of Sanchar Saathi, not because of its fraud-prevention objective, but because it raised broader questions about user autonomy, consent, and the limits of state-mandated digital interventions.

Criticisms

The directive requiring pre-installation on devices faced significant pushback. Major technology firms, including Apple and Google,[1] expressed serious concerns because they have internal policies against pre-loading apps on devices and argued that complying with the order could force them to modify their operating systems. They also cited security vulnerabilities that could follow such a pre-loading.

Alongside industry resistance, privacy advocates highlighted concerns about user autonomy and consent. Critics warned that pre-installation without clear safeguards might lead to broader data-access issues where the application's scope could expand over time.

Revocation of the mandate

In response to the backlash, the Government decided to withdraw the mandate. This shift moved the policy from what appeared to be a compulsory digital directive toward a model that emphasised user choice. It was clarified that while Sanchar Saathi is intended to help users protect themselves against fraud and cyber misuse, users will have the choice to activate or delete the application at any time.

The application, however, saw substantial public engagement after its launch. According to a PIB publication dated 09.08.2025, the application crossed 50 lakh downloads within six months of its release. It highlighted that over 1 crore unauthorised mobile connections were disconnected, and 5.35 lakh lost or stolen handsets were recovered. Overall, visits to the Sanchar Saathi portal reached over 16.7 crore, reflecting growing user engagement. As the Government revoked the mandatory pre-installation requirement, it pointed to a surge in voluntary adoption as justification.

Constitutionality and the right to privacy in the context of the Puttaswamy judgment

A constitutional evaluation of Sanchar Saathi must begin with the nine-judge bench decision of the Hon'ble Supreme Court in Justice K.S. Puttaswamy v. Union of India. In that decision, the Court unequivocally held that the right to privacy is a fundamental right protected under Articles 14, 19, and 21 of the Constitution.[2]

The Court conceptualised privacy not merely as bodily or spatial autonomy, but as informational self-determination: the individual's ability to control the dissemination and use of their personal data. The idea that privacy is a shield to retain control over personal information and that it is indeed a fundamental right guaranteed by the Constitution was affirmed by the Supreme Court.

Notably, Justice Chandrachud went on to discuss the idea of aggregation: that data mining, along with knowledge discovery, can lead to creation of facts about individuals.[3]

All nine judges in the Puttaswamy case aligned on one principle: informed consent is essential to informational self-determination. The crux of the discussion was that the State must ensure that information is not used without the consent of users, and that it is used for the purpose and extent that was disclosed.

Another central idea discussed in the judgment was the holding in District Registrar and Collector, Hyderabad v Canara Bank, 2005 (Canara Bank),[4] that persons retain the right to privacy over information, even when handed over voluntarily to third parties, i.e., limiting the use of such information to the purpose for which it was collected.

A combined reading of the principles of informed consent and the Supreme Court's holding in Canara Bank has shaped the interpretation of "consent" under the Digital Personal Data Protection Act, 2023 (DPDPA), making it clear that consent must be specific and extend to each distinct use of personal information.

The Proportionality Framework

The Puttaswamy judgment laid down a proportionality framework for any State action that limits privacy. A restriction must:

Be sanctioned by law (legality);
Pursue a legitimate State aim;
Be necessary and proportionate; and
Contain procedural safeguards against abuse.

When applied to Sanchar Saathi, the first question concerns legality. Unlike Aadhaar, which was backed by statute, Sanchar Saathi operates through executive directions issued by the DoT under the telecom licensing framework. While telecom regulation falls within executive competence, Puttaswamy indicates that any program involving systematic collection, aggregation, or processing of personal data must have a legislative basis. The legal foundation of the executive discretion and ability to force installation of Sanchar Saathi is questionable. Furthermore, the Data Protection Board (DPB) under the DPDPA lacks the independence to check executive overreach, leaving individuals with no option but to approach the High Court by invoking Article 226 of the Constitution.

While legitimate aim is comparatively easier for the State to justify by citing telecom fraud, preventing cyber-enabled financial crimes, and enabling recovery of stolen devices, the State cannot, as easily, justify necessity and proportionality. Sanchar Saathi aggregates subscriber data, IMEI numbers, and network information across telecom service providers.

The constitutional question is whether centralized and cross-network visibility is the least restrictive means to achieve the purported objectives. The lack of a legislative backing also results in a lack of clear limits on data retention, oversight, and remedies. The issue is not whether the application protects citizens from fraud, but whether it does so without normalizing pervasive State visibility into communication networks.

An interesting constitutional view on Sanchar Saathi emerges when one reads the technical design choices alongside the proportionality doctrine. The debate has largely focused on "mandatory installation" and user consent. But the deeper issue is architectural power. The directive reportedly required manufacturers to ensure the app was visible by default and not disabled. This goes beyond policy and executive discretion and instead constitutes a structural intervention into the operating system layer of private devices. Privacy, after Puttaswamy, is not confined to secrecy; it includes decisional autonomy and control over an individual's digital environment.

The debate then shifts from data collection to infrastructural control. Even if the system's current function is limited to IMEI verification, its underlying architecture may allow for potential future repurposing through updates implemented on the government side. Under Puttaswamy, proportionality is assessed not only by present harm but by the scope of potential future misuse.

This is especially critical when less harmful methods exist. IMEI verification could be done through the web portal, SMS-based Know Your Mobile services, etc. This directly deviates from the Necessity Prong: if equally effective but less restrictive means are available, the State must prefer them.

Sanchar Saathi and consent under the DPDPA

The press release dated 02.12.2025 highlighted that Sanchar Saathi is designed to be aligned with the "Digital Personal Data Protection Act 2023 (DPDP Act), which emphasizes individual control, transparency, and accountability". It asserted that the platform collects minimal personal information required only for legitimate purposes along with clear consent mechanisms. Barring the revocation of the mandate, even if a mandatory direction to manufacturers to install Sanchar Saathi is considered permissible within the constitutional framework (which it cannot as it violates an individual's privacy of choice to choose which apps are present on her phone), any usage of collected data must be disclosed and informed consent collected for each and every subsequent usage.

The DPDPA establishes the first comprehensive data protection framework in India, but it has blanket exemptions for the state which call for some critical analysis. Section 17 of the DPDPA provides the Central Government with overwhelming authority to exempt any government agency from the provisions of the Act based on purposes including national security, public order, and the prevention of offenses. The provision tilts the balance in favour of state surveillance powers and undermines the privacy of an individual, which raises significant issues over the constitutional right to privacy available under Article 21.

Another major issue that arises is a scenario where surveillance will extend beyond its purpose. For instance, Aadhaar was originally created for welfare distribution but today, it is functioning as part of banking, taxation and law enforcement in the absence of sufficient privacy safeguards. The exemptions in the Act allow for the expansion of use of data without defining any boundaries for collecting and using the data.

These risks also have economic impacts. Over-collection of personal data leads to security vulnerabilities, which could cause privacy breaches in cases where theft or manipulation of data occurs, beyond unauthorized surveillance. The uncertainty about the Government data access rules in India also creates a high-risk environment in which businesses fear that authorities may arbitrarily seize, access or surveil the data stored and collected. This lack of clarity and protection from arbitrary surveillance may make businesses hesitant to use India for data storage as it may hamper their trust and security.

To bring India's surveillance regime into alignment with its constitutional safeguards and democratic norms, the law needs reforms. Firstly, exemptions under Section 17 of the Act should be amended with necessity and proportionality tests. The government must show surveillance is the least intrusive way to achieve a legitimate aim. Moreover, terms like "national security" must be clearly defined in the Act so governments cannot unreasonably use such terms in surveillance requests. Recently, various provisions of the DPDPA including Section 17 were challenged before the Delhi High Court over concerns of excessive executive control.[5]

Secondly, transparency mechanisms should provide annual reports containing details of size, scope and purpose of the data collected that can be published publicly, and a parliamentary committee would need to approve such disclosures before publication.

The DPB must be strengthened and have discretionary powers to take steps to investigate government agencies. Data Principals must have easy and accessible avenues to appeal surveillance that is unlawful or unreasonable, and further, must be compensated in instances where there is misuse. Lastly, surveillance powers should be subject to periodic legislative renewal to prevent permanent overreach.

Global comparison

A comparison of India's surveillance framework with that of western democracies draws strong contrasts. Western democracies such as those within the European Union (EU) or the United States permit surveillance on account of national security as long as such surveillance is subject to the checks of an independent judiciary, transparency and proportionality. The GDPR's 'purpose limitation' principle requires that the interference with privacy must be necessary, proportionate, and accountable to independent examination. The U.S. system has the Foreign Intelligence Surveillance Act, which provides for public approval and oversight by courts of acts of surveillance, including adversarial processes to minimize unlawful conduct. In contrast, India's Data Privacy Act gives the government the same power to surveil without any of these important checks. This puts India in a closer position to authoritarian approaches to state-based surveillance in the absence of any accountability and transparency.

Conclusion

As India seeks to advance as a digital global leader, any surveillance regime must remain consistent with the constitutional rights and principles of democracy. The current provisions pose a risk, creating a dangerous imbalance where state overreach could destroy the democratic freedoms and right to privacy of individuals.

The legality, necessity, and proportionality test must be applied not only to statutory text but to software design, update mechanisms, privilege levels, and deletion controls. The future of Indian privacy jurisprudence may therefore depend less on what policies say and more on how applications are engineered.55

