When Good Intentions Turn Pervasive

I bet not many of you have yet heard about India’s expanding Sanchar Saathi initiative. TLDR: It’s a “citizen-centric” telecom security platform or app that’s meant to help the Indian government block stolen phones, verify device authenticity, track SIM connections, and report fraudulent communication.

Sanchar Saathi presents a textbook case of the Surveillance State dressed in the language of public safety. On paper, it seems quite reasonable. Helping people to recover stolen phones, cracking down on fraud, bringing order to a chaotic secondhand market. But in practice, it’s building infrastructure for something far more invasive.

Let’s start with what works. India has a genuine problem with device theft and telecom fraud. The numbers back this up: 4.2 million blocked devices, 2.6 million traced, 700,000 recovered through the app. Those aren’t trivial figures. People lose phones, criminals exploit IMEI cloning and the informal secondhand market creates genuine vulnerabilities. A centralised system that helps victims recover their property has obvious merit.

But here’s where intent diverges from execution. The Indian government isn’t just offering a service. It’s mandating participation. Requiring manufacturers to preinstall Sanchar Saathi on every device, pushing it to existing phones via updates, and now creating an API to feed secondhand transaction data directly into government databases crosses a line from service to surveillance infrastructure.

The telecom minister says it’s “completely voluntary” and users can delete the app. That’s technically true in the same way your taxes are voluntary. You can choose to not pay them but good luck with the consequences. When an app is preinstalled, prominently placed and its “functionalities are not disabled or restricted,” the framing isn’t neutral. It’s coercive by design. Most users won’t know they can remove it. Many who do will worry about whether deleting a government app flags them somehow.

This matters because we’re not talking about a small pilot program. India has roughly 700 million smartphones in circulation. Creating a centralised database linking devices to identities at that scale isn’t just an administrative measure. It’s building the architecture for mass surveillance. And the government has been conspicuously silent on critical questions: Who accesses this data? How long is it retained? What safeguards exist against misuse? What prevents function creep, where a system built for one purpose quietly expands to others?

History is not encouraging here. Governments consistently expand surveillance tools beyond their stated intent. A database built to track stolen phones today becomes a tool to monitor dissidents tomorrow. The infrastructure doesn’t care about intent. It cares about capability. Once you’ve built a system that knows where every phone is, who owns it, and how it changes hands, you’ve also built something that can be weaponised.

The planned API for ecommerce platforms compounds the problem. Private companies become de facto data collectors for the state, uploading customer identities and device details directly to government servers. This shifts liability onto businesses while giving authorities unprecedented visibility into the secondhand market which, notably, serves India’s less affluent consumers who can’t afford new devices. You’re essentially creating a registry of economic activity for people with the least power to push back.

Digital rights advocates are right to sound alarms. Concerns about “databasing” every device capture the core issue. They are creating permanent records of ownership and transaction history that outlive the devices themselves. When the government mandates a single solution and controls the data pipeline, private sector alternatives can’t compete. You lose the diversity and resilience that comes from multiple approaches.

None of this means India shouldn’t address device theft or telecom fraud. But proportionality matters. You don’t need a national registry of every phone and its owner to help people recover stolen devices. You don’t need mandatory preinstallation to offer a useful service. You don’t need an API feeding transaction data to government servers to bring transparency to the secondhand market.

What you need are targeted solutions with built-in constraints: voluntary opt-in systems, transparent data governance, independent oversight, sunset clauses that force periodic review, and consequences for misuse. 

India’s approach has none of these safeguards. It’s building the infrastructure first and promising to think about privacy later. A classic case of bolting the stable doors after the horse has bolted. 

The uncomfortable truth is that authoritarian tools don’t announce themselves as such. They arrive wrapped in legitimate concerns about crime, security, and public welfare. The test isn’t whether the stated goal is reasonable as it usually is. The test is whether the means are proportionate and whether adequate safeguards exist to prevent abuse.