India’s brief experiment with forcing a state-run cybersecurity app ~ the Sanchar Sathi App ~ onto every new smartphone has revealed a deeper tension at the heart of our digital governance: a widening gap between the intent to secure citizens and the methods used to achieve it. The swift withdrawal of the directive, after intense public pushback, shows that Indians understand the stakes of digital rights ~ and that the government underestimated both the sensitivity of the issue and the sophistication of its critics. The app in question, designed to help users report fraud, block stolen devices and verify handset authenticity, is not inherently problematic.
In a country with more than a billion mobile connections and a flourishing market for cloned or illegally resold phones, tools that strengthen device verification and curb cyber fraud can be genuinely useful. Millions have downloaded the platform voluntarily, and the government highlights significant successes: millions of fraudulent connections terminated and stolen devices traced. But the controversy was never about the utility of the app. It was about the mandate. The order to preinstall the programme on all new devices, make it visible on first use, and render its core functions “not disabled or restricted” raised immediate alarm among digital-rights groups, cybersecurity experts, and global manufacturers. When a tool, however benign its current version, becomes a permanent, non-removable fixture at the system level, concerns about “function creep” are not paranoia but prudence. India’s own privacy jurisprudence, anchored in the 2017 Supreme Court judgment, demands that any intrusion into personal devices meet strict tests of necessity and proportionality. The order failed both.
The government’s subsequent claim that the app was always voluntary only added confusion. The language of the directive contradicted the ministerial assurances. And in matters of digital privacy, ambiguity is as dangerous as overreach. Citizens cannot be expected to trust verbal clarifications when the written mandate suggests compulsion. What this episode exposes is a persistent procedural flaw: major decisions on digital policy are often taken without adequate consultation. India’s data ecosystem is now too large, too complex, and too contested for unilateral directives. Stakeholders ~ from civil society to handset makers to technical experts ~ must be part of the process before any shift in the device ecosystem is contemplated.
The withdrawal of the order is welcome, but it cannot be treated as closure. Users need clarity on what data the app collects, what permissions it requires, how it integrates with national databases, and what independent audits will ensure it remains a tool of protection rather than surveillance. Cybersecurity is essential. But so is trust. And in a democracy, trust cannot be legislated into existence; it must be earned through transparency, consultation and restraint. India should secure its digital borders, yes, but it must do so without crossing the constitutional boundaries that safeguard its citizens.