INTRODUCTION
The recent directive of the Department of Telecommunications (DoT) to mandate pre-installation of the Sanchar Saathi application on all smartphones sold in India has generated intense debate within constitutional and technology law circles. Sanchar Saathi is projected as a cyber safety tool by the DoT’s official Sanchar Saathi portal, but its compulsory integration into personal devices raises serious concerns under the fundamental right to privacy, the developing data protection framework[1], and the doctrine of proportionality laid down by the Supreme Court. This blog critically analyses the legality of the directive, the architecture of the app and its implications for device autonomy.
SANCHAR SAATHI AND THE PRE-INSTALLATION MANDATE
Sanchar Saathi, part of a wider DoT portal, includes tools for blocking stolen devices and identifying multiple SIMs per user. It lets users view connections, report fraudulent SIMs, and block stolen phones, measures aimed at tackling cyber fraud and IMEI-based crime[2]. In November 2025, the DoT’s Artificial Intelligence and Digital Intelligence Unit issued directions under the Telecommunications (Telecom Cyber Security) Rules, 2024[3], requiring all manufacturers and importers to pre-install the Sanchar Saathi app on mobile handsets intended for sale in India.
CONSTITUTIONAL RIGHT TO PRIVACY AND PROPORTIONALITY
In Justice K.S. Puttaswamy (Retd.) v. Union of India, a nine-judge bench recognised privacy as a fundamental right under Article 21 of the Constitution of India, 1950[4], and articulated a test of legality, legitimate aim, and proportionality for State action that limits this right. The test requires that an intrusion must be backed by a valid law, pursue a legitimate State purpose, and be proportionate in using the least right-infringing means with adequate safety measures.
The app and its data flows are not authorised by a specific primary statute. Instead, the directive relies on delegated powers under the Telecommunications Act 2023,[5] read with the Telecommunications (Telecom Cyber Security) Rules, 2024, which are very general in nature. Such a framework leaves the extent of what the app can do largely to executive discretion and technical design. Preventing telecom fraud and device theft is a legitimate aim, but proportionality requires the State to use the least rights-infringing means. Mandating a government app on every device is intrusive, especially when less restrictive alternatives like voluntary apps or web portals could suffice.
SURVEILLANCE INFRASTRUCTURE AND FUNCTION CREEP
Sanchar Saathi’s rollout echoes doubts raised by earlier digital infrastructures like Aadhaar. In K.S. Puttaswamy (Aadhaar) v Union of India[6], the Court struck down mandatory Aadhaar linking as disproportionate. Similar concerns now arise about a pre-installed app with broad permissions.
Digital rights organisations such as the Internet Freedom Foundation argue that pre-installation can effectively convert every smartphone into a potential source of State monitoring. Experts warn that any app embedded at a system level can be updated over time to access more data or perform more intrusive tasks, often without informed consent from users and without any scrutiny.
STATUTORY FRAMEWORK
The DoT has cited the Telecommunications (Telecom Cyber Security) Rules, 2024, as the primary foundation for the Sanchar Saathi directive[7]. These rules are intended to secure telecom networks against cyber threats like the misuse of devices for fraud and terrorism. However, critics note that the rules use broad language about acts that endanger telecom cybersecurity, without specifying clear limits on what kinds of software mandates, or data collection are permissible, thereby creating multiple interpretations.
The Digital Personal Data Protection Act, 2023[8], recognises purpose limitation and data minimisation but exempts State actions for national security or public order. Apps with broad access, lacking clear legislative limits, raise concerns.
DIGITAL RIGHTS JURISPRUDENCE BEYOND THE PUTTASWAMY JUDGEMENT
Other than the Puttaswamy judgement, subsequent judgments of the Supreme Court have evolved a more detailed digital rights jurisprudence. In Anuradha Bhasin v. Union of India[9], the Court held that restrictions on internet access must be proportionate and subject to periodic review, and emphasised transparency in the implementation of such measures. Applying the logic of Anuradha Bhasin to Sanchar Saathi suggests that long-term and potentially irreversible changes to device structure are presumably suspicious unless accompanied by rigorous safeguards.
Similarly, in Shreya Singhal v. Union of India[10], the Court struck down Section 66A of the Information Technology Act, 2000[11] for vagueness, stressing that vague statutory language in the digital context invites arbitrary enforcement and suppresses rights. The Sanchar Saathi framework, grounded in broad and vague notions of telecom cybersecurity, risks reproducing the same problems.
CONSENT, DEVICE AUTONOMY, AND COERCIVE DESIGN
One of the distinctive features of the Sanchar Saathi directive is the way it sidesteps individual consent[12]. In public statements and PIB clarifications, the government has emphasised that users remain free to delete the app, and that the directive is addressed to manufacturers rather than directly to citizens. However, from a privacy and autonomy perspective, the crucial question is not only whether deletion is technically possible but whether citizens are confronted with a truly informed choice. Recent events also point out the fact that older devices have started to receive official SMS communications to download the app on pretexts such as checking if one’s mobile is genuine or not. Pre-installation makes the app opt out by default. Many users may not understand the app’s presence or implications and may download it in response to an official SMS. This creates structural coercion, undermining autonomy as protected by Article 21 and Puttaswamy.
REGULATORY OVERREACH AND ARBITRARINESS
From a legal angle, there is a strong argument that the Sanchar Saathi directive constitutes regulatory overreach and is liable to be challenged as arbitrary under Article 14 of the Constitution of India, 1950[13]. The broad statutory delegation provided was intended to ensure network security, not necessarily to create a uniform, government-controlled software layer on all user devices. The extension of these powers to mandate an app with wide permissions on personal phones can be seen as going beyond the purposes for which the delegation was granted.
The Supreme Court has previously not hesitated to strike down subordinate legislation and executive action that uses a valid delegation for purposes outside its scope or in a manifestly disproportionate manner, as seen in cases like Navtej Singh Johar v. Union of India[14]. The combination of a weak statutory basis and intrusive technical design makes Sanchar Saathi a strong candidate for judicial scrutiny on grounds of arbitrariness, proportionality and questionable exercise of power[15].
RIGHT RESPECTING TELECOM SECURITY FRAMEWORK
A rights-respecting approach to telecom cyber security would proceed very differently[16]. First, any application that touches sensitive communication-related data should be strictly voluntary in its installation and use, with clear disclosures, permission controls, and the possibility of complete removal without regulatory penalty. Second, the functional scope of such an app should be defined in primary legislation rather than in a shifting cover-up of executive orders. Third, independent audits, transparency reports, and judicial and parliamentary oversight should be embedded into the governance framework of any mass-scale digital tool of the State, especially when linked to critical infrastructure such as telecom networks[17]. Finally, courts should insist that whenever the State relies on cybersecurity to justify intrusive technical measures, it must demonstrate why less rights-infringing alternatives would not achieve the same purpose[18].
CONCLUSION
Sanchar Saathi is more than just a cyber safety application; it is a concrete manifestation of how the Indian State increasingly seeks to project regulatory power directly into the core of personal devices. While the goals of preventing fraud and securing telecom infrastructure are legitimate as per DoT’s stated objectives, the pre-installation mandates, backed by broad delegated powers, and accompanied by opaque data practices, sit uneasily with the constitutional commitment to privacy, autonomy, and limited government articulated in judicial precedents. This controversy underscores the need for vigilant judicial review of executive actions in the digital domain, where technical choices can embed surveillance-like structures into everyday life without adequate legislative or constitutional anchors. As more and more challenges pile up in courts, the resolution of Sanchar Saathi will set critical precedents on the balance between State security imperatives and individual rights in India’s evolving digital landscape, potentially reshaping doctrines of proportionality, delegated legislation, and device autonomy.
Author’s Name: Paarth Dev Maheshwari (Symbiosis Law School, Pune)
[1] Digital Personal Data Protection Act 2023
[2] Ministry of Communications, Sanchar Saathi App Privacy Policy, Sanchar Saathi (3 Dec. 2025), https://sancharsaathi.gov.in/Home/app-privacy-policy.jsp.
[3] Ministry of Communications, Department of Telecommunications’ Amendment to Telecommunication Cyber Security (TCS) Rules, 2025 – A Step Towards Strengthening Cyber Resilience, Enhancing Telecom Identifier Security, and Safeguarding Digital Ecosystems, Press Information Bureau (3 Dec. 2025), https://www.pib.gov.in/PressReleasePage.aspx?PRID=2195208®=3&lang=1
[4] Constitution of India 1950, art 21
[5] Telecommunications Act 2023
[6] Justice K S Puttaswamy v Union of India (2019) 1 SCC 1
[7] Dep’t of Telecom., Directions for Pre-Installation of Sanchar Saathi App (Nov. 28, 2025), https://www.sancharsaathi.gov.in/SancharSaathiDocuments/ImportantDocuments/DoT%20issues%20directions%20for%20pre-installation%20of%20Sanchar%20Saathi%20App%20in%20mobile%20handsets%20to%20verify%20the%20genuineness%20of%20mobile%20handsets%20%2828.11.2025%29.pdf
[8] Digital Personal Data Protection Act 2023
[9] Anuradha Bhasin v Union of India (2020) 3 SCC 637
[10] Shreya Singhal v Union of India (2015) 5 SCC 1.
[11] Information Technology Act 2000, s 66A
[12] Indian Express, Where Sanchar Saathi Stands on User Consent, Constitutional Test on Privacy, https://indianexpress.com/article/explained/explained-law/where-sanchar-saathi-stands-on-user-consent-constitutional-test-on-pri… (Dec. 2, 2025)
[13] Constitution of India 1950, art 14
[14] Navtej Singh Johar v Union of India (2018) 10 SCC 1
[15] Cybermagazine, India’s Sanchar Saathi: Security v. Privacy v. Integrity, https://cybermagazine.com/news/indias-sanchar-saathi-security-v-privacy-v-integrity (last visited Dec. 3, 2025)
[16] Sanchar Saathi Rollback: Cybersecurity, Privacy & Mandatory Apps, Drug Law India (Dec. 2, 2025), https://druglawindia.com/law/when-cybersecurity-meets-constitutionalism-the-rise-and-retreat-of-indias-mandatory-app-state/
[17] Special Rapporteur on the Right to Privacy, OHCHR, https://www.ohchr.org/en/special-procedures/sr-privacy.
[18] SC’s Proportionality Doctrine: From Puttaswamy to Administrative Law, Prime Legal Blog (Sept. 27, 2025), https://blog.primelegal.in/constitutional-law-evolution-supreme-courts-proportionality-doctrine-from-puttaswamy-to-administrativ
