India orders a tracking app for all smartphones

NEW DELHI — India’s government sent a notice to private companies last week giving them 90 days to ensure that a government app was “preinstalled on all mobile handsets manufactured or imported for use in India.”

The order said the requirement was meant “to identify and report acts that may endanger telecom cybersecurity.” On Tuesday, the government explained that the app, Sanchar Saathi, was intended to prevent crime, including the theft and smuggling of phones and the call center fraud that wreaks havoc within India and abroad.

Reuters had reported the order’s existence on Monday night, and copies were circulated online. Many people in India were in an uproar, as were the political parties opposed to the tech-focused and strong-armed government of Prime Minister Narendra Modi.

“Sanchar Saathi is a snooping app,” Priyanka Gandhi, a scion of the Congress Party and its general secretary, wrote on social media. “There’s a very fine line between reporting fraud and seeing what every citizen of India is doing on their phone.”

The app can track phone locations, and Gandhi and other critics of Modi regard it as a tool of mass surveillance.

By Tuesday afternoon, the government appeared to be backpedaling. Jyotiraditya Scindia, the minister of communications, said that while “this app exists to protect them from fraud and theft,” it was also “completely optional.”

“If you don’t wish to register, you shouldn’t register and can remove it at any time,” he told reporters outside the parliament building.

But Nikhil Pahwa, a digital policy analyst in New Delhi, said he was taking the government at its original word. The order said that phone manufacturers, including Apple, Samsung, and Xiaomi, would be responsible for ensuring that the app’s “functionalities are not disabled.”

There are more than 1 billion phones active in India, and cybercrime is proliferating. The government counted 2.3 million “cybersecurity incidents” last year, more than double the number two years before. Fraud, committed on a mass scale and often from superclusters in rural areas, is the biggest part of the problem. In 2024, a government portal tracked $2.6 billion in losses.

Pahwa noted that the Sanchar Saathi app, installed at the operating system layer of a phone, can, in principle, do much more than track locations. “There’s nothing to suggest this app cannot be used to pull out data,” including messages, sound, and images, he said. Since the government exempted itself from India’s Digital Personal Data Protection Act in 2023, there is no clear legal basis to prevent it from gathering individuals’ information.

“When the government forces a special app, with special powers, onto every new phone, it is effectively putting its own lock inside your house,” said Apar Gupta, a lawyer and a founder of the Internet Freedom Foundation.

“You lock your front door because you are entitled to safety and privacy,” he added. “The same logic applies to digital life. Asking for safeguards and limits is about making sure state power is accountable.”

Russia recently started preloading a state-owned messaging app onto its citizens’ phones. The Russian government called it a measure to combat fraud, as India has done with Sanchar Saathi.

Apple and other phone manufacturers may resist pressure to ship their products with the app preinstalled. Apple has tangled with Modi’s government over privacy issues before, such as when the company sent an alert to some iPhone users in the opposition that their phones may have been subjected to “state-sponsored” surveillance.

Those alerts were prompted when several governments, including India’s, bought access to Pegasus, a spyware program developed by NSO, an Israeli cyberintelligence company, to monitor private citizens through their phones.

A list of hundreds of Pegasus targets within India was leaked to a nonprofit in 2021. It included politicians in Congress, journalists, Tibetans, human rights activists, and ministers from Modi’s own party. The government denied having used it, but a committee formed by India’s Supreme Court to investigate the matter was forced to disband in 2022, because “the government of India has not cooperated,” said N.V. Ramana, the chief justice at the time.

Pahwa noted that “apps for cybersecurity can also become apps for cybervulnerability.” Connecting every Indian’s data to a single app “creates a single point of failure, from a hacking standpoint,” he said.

For years, “the government of India has been collecting and linking datasets together without creating silos between them,” Pahwa said, which has paved the way for forms of fraud that exploit a victim’s personal information to gain confidence.

This article originally appeared in The New York Times.