The Indian government’s ill-advised, and now withdrawn, directive to preload its ‘Sanchar Saathi’ app on every new smartphone sat at the intersection of two real concerns: the clear growth of cyberfraud and identity theft and the steady expansion of state access to personal data through tools that are difficult to audit. The government presented ‘Sanchar Saathi’ as a practical response to scams that exploit spoofed devices and anonymous accounts. But when the same app is given privileged access on hundreds of millions of devices, it structurally alters the country’s capacity for surveillance.
Manufacturers were told to ship the app so that it was visible when a user first used a device and to make sure users could not disable it. Reports indicated the app would be installed with privileged status, giving it broad access to device functions such as phone, SMS, and location, with updates pushed over the air. This sat uneasily with the fact that the Indian government already operates Sanchar Saathi as a set of portals and short codes. Today, users can verify a device’s IMEI number by sending an SMS with the text “KYM” and their IMEI number to 14422 or by checking the number on the Sanchar Saathi or CEIR websites. These tools work without any omniscient apps on the phone.
In a fortuitous (U-)turn of events, the government withdrew its directive on December 3 following overwhelming backlash from civil society groups, opposition political leaders, and digital rights activists. As The Hindu reported, the government will “no longer enforce the mandatory pre-installation requirement” and that “officials emphasised that users could uninstall the app at any time”.
Test of necessity
The Hindu’s editorial on December 3 pointed out that the directive would fail the test of proportionality the Supreme Court articulated in K.S. Puttaswamy (2017) because the same ends can be met by existing portals, USSD codes, and SMS-based checks.
The ‘Sanchar Saathi’ app may also fail the test of necessity from the same judgment. (The third test is legality.) There’s no doubt that cyber scams, including “digital arrest” frauds and investment schemes, have become more sophisticated everywhere. INTERPOL estimated that online financial fraud cost victims more than a trillion dollars worldwide in 2023. But in constitutional terms, “this is a serious problem” is insufficient justification; the state must show that there are no equally effective, less intrusive ways to address that problem. And in India, the record has run the other way for many years now.
First, the country already has a telecom spam and fraud reporting system built around the TRAI ‘DND’ app and the short code 1909, which uses user complaints to disconnect and blacklist spam numbers. The Sanchar Saathi and CEIR portals also already support IMEI verification and blocking through SMS and web-based interfaces.
The ‘DND’ app also had a cautionary tale. It was designed to read call and SMS logs so that users could report spam. Apple refused for years to allow that version into its store, regarding comprehensive access to phone logs as a serious violation of its privacy policies. After a compromise, Apple added system-level tools to report spam and finally approved a narrower version of the app. The new ‘Sanchar Saathi’ mandate recalled the same pattern but on a much larger scale and with a state-made app that was both privileged and non-removable on most devices.
Against the background of unresolved questions about the use of Pegasus spyware against journalists, politicians, and activists in India, there is a clear trust deficit about any measure animated by a centralising impulse.
Cynical solution
Second, a privileged app that sits on almost every smartphone is an attractive target not only for overreach by state agencies but also for criminal actors who manage to compromise either the app itself or its update channels. Cybersecurity research has repeatedly shown that once attackers obtain a foothold within a widely deployed system component, they can move laterally at scale. The directive was objectionable because the government couldn’t reasonably demand that citizens accept this additional system risk when the core function of device authenticity checks could be delivered through more narrow channels that are accessed only on-demand and don’t persist in the background.
Third, and perhaps most importantly, the directive was an arguably cynical solution. Digital frauds lean heavily on social engineering: scamsters succeed not when they steal money or credentials but when they create fear, urgency, and a sense of false authority in a user’s mind. A recent Bank for International Settlements review of digital fraud highlighted that many incidents exploited users rather than technical flaws, and recommended customer education as much as technical measures to remedy the problem. The OECD’s work on digital financial literacy has similarly framed the safe use of digital payments as a competence that can be taught and practiced.
Changing user behaviour is more desirable than threatening to compromise the (digital) integrity of individuals and their rights. This way, individuals will acquire the skills and disposition to resist all scams rather than only those that rely on digital illiteracy and fear of authority. While this way is also more laborious and time-consuming, its gains will be more powerful and durable.
Evidence from Global South countries supports such a focus. In Kenya, researchers studying phone-based scams in 2023 developed a measure of “scam identification ability” and tested a gentle education intervention based on common tips. They found that generic advice didn’t improve users’ overall ability to distinguish scams from genuine messages and sometimes made users over-cautious, as a result of which they misclassified even legitimate communication. The lesson isn’t that behaviour change is irrelevant but that it can’t be adjusted by sloganeering. It has to be continuous, culturally sensitive, tailored to local patterns of scamming, and compatible with the ways in which telecom providers and government agencies really communicate.
Digital literacy
India already has the building blocks for such a mission. The Reserve Bank of India has long run e-BAAT sessions and other outreach programmes on safe digital banking, warning users not to share PINs, passwords, and OTPs and explaining typical fraud scripts. The ‘RBI Kehta Hai’ campaign has taken these messages to mass media and digital platforms with a focus on responsible banking and fraud prevention, leveraging the broad appeal of celebrities such as Poorvisha Ram, Umesh Yadav, and Amitabh Bachchan.
Some State-level initiatives go even further. In Chhattisgarh, a cyber-security awareness van backed by the State government and a public sector bank has been touring districts with street plays, videos, and demonstrations, and repeatedly promotes the national 1930 helpline for reporting financial cyber-crime. Telangana’s new ‘Fraud Ka Full Stop’ campaign combines school clubs, bank customer programmes, and district events and has already reported an 8% decline in cyber-crime and a 30% reduction in financial losses. Banks and local police in cities such as Tiruchirappalli in Tamil Nadu have used mobile kiosks and public sessions to turn branches into informal cyber-safety classrooms.
Comparable efforts in other countries show that regulators can respond to fraud without resorting to blanket mandates like installing privileged software on private devices. In the Philippines, the central bank has placed a digital literacy programme at the centre of its financial inclusion strategy. The programme combines cyber-security with public trust in digital finance and provides concrete guidance such as avoiding suspicious links and verifying sites and applications. In Brazil, SaferNet and Anatel run helplines and education portals to help users make safer use of telecom services. In each case, the state’s instruments of choice have been information, assistance, and incentives for providers to monitor fraud rather than invasive tools.
These approaches have two long-term advantages over technical fixes. First, they travel across channels. An individual who has learned to distrust unsolicited links, verify callers, and use official helplines is less vulnerable to SIM-based scams as well as to frauds that arrive through messaging platforms and new digital payment tools. Second, they reduce the need for repeated state intervention in the application layer. Once a routine of reporting, cross-checking, and seeking confirmation has been embedded in society, regulators can focus on systemic measures like cleaning up mule account networks and improving the traceability of large-value flows.
A privileged app, however, would have confined the response to fraud within a single design choice that must be defended and updated for years while doing nothing to improve users’ digital literacy.
Three pillars
Fundamentally, the state’s focus should shift away from “what’s there to hide?” to a combination of “what’s there to see?” and a mission to improve digital literacy. Such a mission should rest on three pillars. First, strong obligations on telecom and financial firms to detect and disrupt fraud patterns, backed by shared databases and unambiguous clear penalties for non-compliance; second, user reporting and redress mechanisms that actually work; and third, a sustained and well-funded public education programme on digital risks that treats citizens as capable partners rather than as passive subjects.
Sanchar Saathi as a set of portals and opt-in services can play an important role in this architecture. If, however, the government had stuck with the mandate or in future resorts once more to forcing people to comply with an overkill of a solution, it will only fail.
