Why in the News
- Recently, the government’s directive mandating preloading of the ‘Sanchar Saathi’ app on every new smartphone was withdrawn following overwhelming backlash from civil society, political leaders, and digital rights activists.
- This mandate, which positioned itself as a measure against cyberfraud and identity theft, sparked significant debate regarding state access to personal data and the potential for surveillance.
Background and Context
The Mandate and Its Dual Implications
The now-withdrawn government directive stood at the intersection of two critical modern challenges: the growth of cyberfraud and identity theft, and the expansion of state access to personal data.
- Official Justification: The app was presented as a practical response to scams exploiting spoofed devices and anonymous accounts.
- Surveillance Concern: Granting the same app privileged access on hundreds of millions of devices was argued to structurally alter the state’s capacity for surveillance.
Mandate Provisions and Access
Manufacturers had been instructed to ship the app on the following terms:
- The app was visible upon a user’s first use of a device.
- Users could not disable the app.
- Reports indicated the app would possess broad access to device functions such as phone, SMS, and location.
- Updates would be pushed over the air.
Constitutional and Cybersecurity Concerns
The directive faced scrutiny on constitutional grounds and raised serious cybersecurity risks, echoing past controversies.
Test of Proportionality (K.S. Puttaswamy Judgment)
The directive would potentially fail the test of proportionality articulated by the Supreme Court in K.S. Puttaswamy (2017) because:
- Alternative Measures Exist: The same ends could be met by existing portals, USSD codes, and SMS-based checks.
- Necessity Test: The app may also fail the test of necessity from the same judgment (legality being the third test).
It was noted that although global online financial fraud is sophisticated (Interpol estimated over $1 trillion worldwide in 2023), in constitutional terms “this is a serious problem” is not sufficient justification. The State must demonstrate that there are no equally effective, less intrusive ways to address the issue.
Existing Regulatory Mechanisms and Past Lessons
India already possesses a telecom spam and fraud reporting system built around:
- The Sanchar Saathi and CEIR portals.
- The TRAI ‘DND’ app.
- The 1909 short code.
The TRAI ‘DND’ app was cited as a cautionary tale:
- The original design required comprehensive access to call and SMS logs for spam reporting.
- Apple refused the version for years, citing violation of its privacy policies.
- A compromise was reached, leading to system-level tools for spam reporting and a narrower version of the app being approved.
The new blanket mandates were criticized for recalling this pattern, but on a greater scale.
Systemic Security Vulnerabilities
A privileged app sitting on almost every smartphone was deemed an attractive target for multiple threats:
- Overreach by state agencies.
- Criminal actors compromising the app itself.
Cybersecurity research repeatedly indicates that attackers who gain a foothold in a widely deployed system component can move laterally at scale. The concern is sharpened by the fact that existing technologies can check device authenticity in narrower ways, on demand only, and without persisting in the background.
Digital Literacy as a Superior Intervention
Blanket mandates are characterized as cynical because digital scamsters succeed by creating fear and a false sense of authority in users’ minds. Changing user behaviour is argued to be more desirable than compromising the digital integrity and rights of individuals.
Lessons from Behavioural Research (Kenya Study)
Research studying phone-based scams in Kenya found:
- Generic advice based on common tips did not improve users’ ability to distinguish scams from genuine messages.
- The key lesson is that behaviour change requires interventions to be continuous, culturally sensitive, tailored to local user behaviours, and compatible with communication methods used by telecom providers and state agencies.
Existing Initiatives in India
India already has the building blocks for a sustained public education mission:
- Reserve Bank of India (RBI): Runs e-BAAT sessions and outreach programmes on safe digital banking, warning users against sharing PINs, passwords, and OTPs. The ‘RBI Kehta Hai’ campaign promotes responsible banking and fraud prevention via mass media.
- State-Level Initiatives:
  - Chhattisgarh: A cybersecurity awareness van, backed by the State government and a public sector bank, tours districts using street plays and promotes the national 1930 helpline.
  - Telangana: The new ‘Fraud Ka Full Stop’ campaign, combining bank customer programmes and district events, reported an 8% decline in cybercrime.
  - Tamil Nadu (Tiruchi): Banks and local police use mobile kiosks and public sessions to turn branches into informal cybersafety workshops.
Long-Term Advantages of Digital Literacy
These approaches offer two significant long-term benefits:
- An individual who learns to distrust unsolicited links and callers and use official helplines becomes more digitally literate and less vulnerable to digital scams.
- They reduce the need for repeated state intervention in the application layer and allow regulators to focus on systemic measures, such as improving the traceability of large-value flows.
Three Pillars for Digital Safety
The state’s focus should shift from a “what’s there to hide?” mentality to a combination of “what’s there to see?” and a mission to improve digital literacy. Such a mission should rest on three foundational pillars:
- Obligations on Telecom and Financial Firms
  - Detect and disrupt fraud patterns at a systemic level.
- Functional User Reporting and Redress Mechanisms
  - Provide accessible, responsive channels for cyber incident reporting.
- Sustained Public Education Programmes
  - Promote digital literacy, responsible usage, and risk awareness without treating citizens as passive subjects.
Way Forward
- Shift Focus to Digital Literacy over Blanket App Mandates
  - Prioritize continuous education, awareness campaigns, and user empowerment.
  - Reduce reliance on mandatory preloaded apps, mitigating privacy and cybersecurity risks.
- Leverage Existing Infrastructure
  - Strengthen Sanchar Saathi, CEIR, the TRAI DND app, and the 1909 short code to provide on-demand verification.
  - Encourage telecom and banking stakeholders to implement user-friendly fraud detection tools.
- Promote Behavioural Change
  - Design interventions that are culturally sensitive, localized, and compatible with existing communication channels.
  - Focus on developing critical thinking skills, enabling users to distinguish scams from legitimate communications.
- Enhance Systemic Measures
  - Free regulators to focus on large-scale cybersecurity, fraud traceability, and enforcement measures.
  - Ensure that technology solutions are modular, non-intrusive, and privacy-preserving.
- Integrated Multi-stakeholder Approach
  - Combine efforts of state agencies, banks, telecom providers, civil society, and media.
  - Promote public-private collaboration for fraud prevention and cyber awareness.
- Sustained Public Engagement
  - Expand campaigns like RBI Kehta Hai, the Chhattisgarh awareness van, and Telangana’s Fraud Ka Full Stop to nationwide scale.
  - Monitor effectiveness through metrics like decline in cybercrime incidents and user reporting rates.
Conclusion
- The withdrawal of the Sanchar Saathi mandate underscores that blanket technological interventions cannot replace digital literacy and citizen empowerment.
- A focus on education, awareness, and responsible digital behaviour ensures that individuals are digitally resilient, regulators can focus on systemic cybersecurity measures, and the rights and privacy of citizens are preserved.
- A three-pillar strategy, combining corporate obligations, user redress, and sustained public education, provides a holistic framework for combating cybercrime in India.