Data Privacy, Data Security
Private Directive Mandating Security App Raises Accountability Questions

India’s telecom ministry privately ordered smartphone manufacturers to preload its state-owned cybersecurity app Sanchar Saathi on all new devices, according to a government directive seen by Reuters.
The confidential order issued Nov. 28 gives tech giants, including Apple, Samsung, Vivo, Oppo and Xiaomi, 90 days to ship devices with the app already installed. Reuters reports that users will not be allowed to disable or remove it.
Sanchar Saathi, launched in January by India’s Department of Telecommunications, or DoT, is an initiative to empower mobile subscribers, strengthen their security and increase awareness about citizen-centric initiatives.
The government has also instructed handset makers to push the app via software updates to devices already in the supply chain. Sanchar Saathi has helped trace or block more than 700,000 lost or stolen phones, including around 50,000 in October alone.
Officials say the mandate is needed to curb rising fraud involving spoofed or cloned IMEI numbers, a long-standing challenge for India’s 1.2-billion-user mobile network.
This is not the first time India’s IT ministry has issued directives on how smartphones handle preloaded software. In 2023, Reuters reported the government planned new security rules requiring smartphone manufacturers to allow users to remove pre-installed apps and submit major operating system updates for security screening.
At the time, officials argued that preloaded software could be a “weak security point” and may expose users to surveillance risks, especially from foreign manufacturers, concerns that were largely directed at Chinese smartphone makers.
The proposed rules were intended to give users control over bloatware – pre-installed software that takes up space and can slow devices down. The Bureau of Indian Standards was tasked with enforcing compliance, and manufacturers were to be given a year to adapt.
“When a security mandate is pushed through a private circular, it dilutes the very constitutional discipline that should govern digital regulation,” cyber law specialist Prashant Mali said, raising concern over the lack of transparency behind the mandate.
Mali warns that non-public directives pose three risks:
- Lack of due process: Citizens cannot challenge the legal basis of a rule they cannot see.
- Regulatory overreach: Ministries may begin making quasi-laws without parliamentary scrutiny.
- Erosion of trust: Secrecy around mandated apps can shift public perception from safety to surveillance.
“A democracy cannot secure its cyberspace through invisible ink,” Mali said.
Reuters reported that the recent directive may face resistance from Apple, whose internal policies generally prohibit the pre-installation of any government or third-party apps on iPhones before sale.
Smartphone manufacturers have not publicly responded.
“National security and citizen privacy are not opposing forces; they are Siamese twins. A well-designed safety app can serve both, but only if the architecture is transparent, technically restrained and legally accountable,” Mali said.













