India revokes order for smartphone makers to install government security app amid uproar over privacy

New Delhi — India's government revoked an order on Wednesday that had directed smartphone makers such as Apple and Samsung to install a state-developed and owned security app on all new devices. The move came after two days of criticism from opposition politicians and privacy organizations that the "Sanchar Saathi" app was an effort to snoop on citizens through their phones.
"Government has decided not to make the pre-installation mandatory for mobile manufacturers," India's Ministry of Communications said in a statement Wednesday afternoon.
The initial order, issued privately to phone makers by the ministry late last month, was leaked to Indian media outlets on Monday. It directed all phone makers to preinstall the Sanchar Saathi (which means Communication Partner in Hindi) app on new phones within 90 days, and also on older phones through software updates.
The order, reported from Monday by numerous Indian media outlets and later acknowledged by the government, had asked manufacturers to ensure that the functions of the app could not be "disabled or restricted."
There was an immediate backlash on Monday, with opposition political parties quickly labelling the government software a "snooping app" and drawing parallels to Pegasus, the hacking spyware developed, marketed and licensed to governments around the world by the Israeli company NSO Group.
On Tuesday, India's national Minister of Communications Jyotiraditya Scindia insisted to journalists outside the parliament that the Sanchar Sathi app was non-compulsory and in line with democratic principles. He said smartphone owners could activate the app at their convenience to access its benefits, and they could also delete it from devices at any time.
He did not, however, say anything on Tuesday to deny or change the order to phone makers to ensure the app was pre-installed.
On Wednesday, Scindia insisted that "neither is snooping possible, nor it will be done" with the app.
While the order for it to be installed universally was revoked, the government continued defending the app on Wednesday, saying the intent had been to "provide access to cybersecurity to all citizens," and insisting that it was "secure and purely meant to help citizens."
Opposition politicians say "it is a snooping app"
The government's U-turn came after sharp criticism from opposition political parties and digital rights advocates.
"It is a snooping app. It's ridiculous. Citizens have the right to privacy. Everyone must have the right to privacy to send messages to family, friends, without the government looking at everything," Priyanka Gandhi, leader of the opposition Congress party, told reporters outside India's parliament on Tuesday.
"They brought in Pegasus and have been unable to keep it under control. MPs and MLAs all say that their phones are being tapped. For the last 11 years, basic rights of the Indians have been taken away... This is the real violation of National Security," said Renuka Chowdhury, another Congress member.
Digital privacy advocates also raised concerns about the government order, saying it would breach citizens' right to privacy in a country with more than 1.2 billion cell phone users.
"No government will ever be expected to acknowledge that a government app is a snooping tool, even in China and Russia, where such apps have been mandated," Indian technology analyst Prasanto K. Roy told CBS News on Wednesday. "A government statement alone is not adequate to inspire confidence in this."
Roy said the government should restrict the default permissions settings that enable the app to access data on smartphones to the absolute minimum, and explain why those permissions were deemed necessary. He added that the code for the app should be open-source and published online, to enable independent security professionals to scrutinise it.
"In plain terms, this converts every smartphone sold in India into a vessel for state-mandated software that the user cannot meaningfully refuse, control, or remove," the Internet for Freedom organization said in a statement Tuesday, before the government revoked its order. "For this to work in practice, the app will almost certainly need system level or root level access … so that it cannot be disabled. That design choice erodes the protections that normally prevent one app from peering into the data of others, and turns Sanchar Saathi into a permanent, non-consensual point of access sitting inside the operating system of every Indian smartphone user."
Technology analyst Roy told CBS News the real issue was "not about faith in the government's benevolence," but rather "concerns about potential access to a wide range of data by many junior or mid-level officials in government or law enforcement," as there was no clarity about what data could be accessed via the app, or who would have access to it.
Major phone makers did not publicly react to the government order, but the Reuters news agency reported that Apple had planned to refuse to comply.
Indian government says it's just trying to help
The government argues that the app allows users to track, block and recover lost or stolen smartphones using the device's International Mobile Equipment Identity (IMEI), a unique code assigned to all handsets sold around the world.
It also enables users to check how many unique mobile data connections are registered under their name, which it says will help people identify and disable fraudulent numbers and accounts opened by scammers.
Other features include tools to report suspected fraudulent calls and to verify the authenticity of devices being used to make purchases, according to officials.
The government said in its multiple statements that the app had already been downloaded 14 million times, and used to help trace 2.6 million lost or stolen phones. It said Sanchar Sathi had helped in the disconnection of over 4 million fraudulent connections, based on citizen reports.