'Instead of the government and telecom operators solving the mess of their own creation, they're telling us we need to give access to our phones perpetually.'

Nikhil Pahwa, founder of MediaNama and a prominent digital rights advocate, has emerged as one of the most vocal critics of the government's controversial directives on SIM-binding and the mandatory Sanchar Saathi app on smartphones.
In this candid interview with Prasanna D Zore/Rediff, Pahwa dismantles the government's rationale for these measures, arguing they stem from "executive ignorance" rather than genuine security concerns.
He warns that the pre-installed app creates a dangerous single point of failure, questions why citizens must bear inconvenience for government-created data leaks, and challenges the fundamental difference between choosing private apps versus having government surveillance forced upon devices.
Though this interview was conducted a few hours before the government withdrew the mandatory pre-installation of the Sanchar Saathi app, the concerns and objections raised in it by Nikhil and a multitude of Indian citizens on social media and in mainstream media only prove why Indian citizens need to be alert about impingement on their privacy and protection of their personal data.
You've called Sanchar Saathi a government tracker, but Apple's Find My Phone and Samsung's Knox already perform similar functions at a system level, often without an option to uninstall these apps. Why is government control more dangerous than similar private apps?
We need to realise that Sanchar Saathi is not just a phone tracking app. It also has access to your messages, calls, and media on your device. It is just not a location tracker. The scale and scope of this tracking is substantially larger than Apple's Find My Phone, which is only activated when you actually need to find your device.
First, there's the question of technical competence. We see government web sites and apps with vulnerabilities, badly developed apps, not stress tested because they're not open sourced. If they're on your device, this creates a single point of failure -- a billion handsets will have the same app. In which case, someone who wants to infiltrate our devices has to hack just one app.
Secondly, and I don't think I am the only one; I have an active distrust of any government because they've forced data collection upon us. They're forcing us to link our Aadhaar everywhere, do facial recognition at airports, constantly trying to force us to disclose more information.
When the government is in such rapid data collection mode, why would I trust it?
With Apple and Google, I have choices in a competitive environment. If I don't like Apple, I'll go to Android or Graphene OS. Where will I go from the Government of India?
The Government of India has statutory power over us as citizens. They can jail people, access an Opposition politician's health records and use that to compromise them. Someone's buying land and that information can be taken and used against them.
Unfortunately, our government -- with the way it's behaved on data protection and privacy, and let's not forget they argued that privacy isn't a fundamental right -- their behaviour has led us to distrust them. They have created an environment of distrust.
I'm choosing to buy an Apple phone or Google Android phone. This (the Sanchar Saathi app) was being forced onto my device. It's not a choice.
While the (Communications) minister (Jyotiraditya Scindia) came out and said you can uninstall it, that's not what the document they issued actually said.
In paragraph 7(b), they stated the functionality cannot be restricted. They've given a different interpretation given the backlash, but that's not what they communicated to companies when they sent this notification.
Let me emphasise that I distrust all governments, not just this government. I don't just distrust the Indian government, I distrust the US government and the Chinese government too, because they are all powerful.
Would you, in the same breath, also say that you distrust the Samsung Knox and Apple's Find My Phone security app? Because, on the surface, they'll tell you that these features only activate when your phone is lost but who really knows what happens in the background.
I'll tell you who knows. There are developers and cybersecurity researchers whose job is to stress-test these devices and examine the practices behind these services.
For example, people may not trust Facebook, but they trust WhatsApp because it uses the OpenSignal protocol for end-to-end encryption. That protocol is publicly available -- people can study it, test it, even try to break it -- and that's why it's trusted.
The government, on the other hand, says 'trust me' without allowing anyone to check.
But you argue that embedding Sanchar Saathi opens the OS to state surveillance, yet the app's core function as mandated is lost device recovery -- a security tool, not a content monitoring one.
Are you conflating potential misuse with intentional abuse?
I'm not conflating anything. I choose my words very carefully -- I said this remains a risk, and that's exactly what I meant.
I've said there's a probability this could happen. I have not said this is happening. When an app is on your device and it has access to your content and messaging, it can take that data.
I choose my words very carefully -- I said this remains a risk. I have not said it (the government) is doing this. Do not put words into my mouth.
The fact is, when an app has these permissions, the capability exists. And with government apps, we don't have the same accountability mechanisms we have with private companies.
On SIM-binding, you've said it's restrictive and intrusive. Yet the same SIM-binding logic is used in banking and UPI apps to prevent impersonation and fraud.
Why should messaging platforms -- which are frequently used in cyber scams -- be exempt from a safeguard that's already standard in other sectors?
What's the proportionate usage here? With UPI, there's SIM identification, but as I understand, it isn't necessarily perpetual SIM binding. Messaging is more than payments and banking -- it's used in different mechanisms.
I have two phones -- one for working hours, another for private time. I want the same WhatsApp on both devices. Today I can do it. With SIM-binding, that use case will be gone. Millions of users use WhatsApp on their laptops while working, especially in tech companies. Entire company coordination happens on that. The government is saying WhatsApp will have to sign everyone out every six hours -- that's extremely inconvenient.
There are people who go abroad and change their SIM to get a local one with cheaper data plans. Students who study abroad buy a local SIM but keep the WhatsApp that has all their chats and groups with friends. The moment they remove the SIM with SIM-binding, the app stops functioning. They'll have to register a new WhatsApp account and start all over again.
And what does SIM-binding solve? How many people are actually conducting scams over WhatsApp today? A large part is spam, and we should hold WhatsApp accountable for that, not enforce SIM-binding.
The only scam attempts I've been subjected to have been phone calls. Where's the data to show that scams on WhatsApp (or Telegram or other messaging apps) are substantially bigger than on telephone calls?
What's also happened is all of this is being done without public consultation. There's no feedback, no understanding of how users get impacted. The Department of Telecommunications got a recommendation from the Cellular Operators Association of India and just implemented it blindly without talking to external stakeholders, civil society, or users.
Can you give a specific example of how businesses will be affected?
WhatsApp for Business is API-based -- it runs on the cloud. The APIs connect to CRM software. D2C brands, small brands use WhatsApp for customer engagement. When you buy something, they send a confirmation on WhatsApp. You get OTPs on WhatsApp. When you buy a flight ticket, MakeMyTrip sends you the PDF directly on WhatsApp.
All of these use cases will be disallowed because this is happening through server-side integration onto client software, and that client device doesn't have a SIM card inserted. All of this will get shut down.
DoT is ignorant about how people use the Internet and doesn't deserve to regulate it.
This criticism of lack of consultation is fair. But the same opacity exists when big tech platforms change their terms of service or data flows. Should we be equally vocal about the unilateralism of private actors, not just the State?
We are! Who's not? Haven't companies been forced to roll back policies recently?
WeTransfer saw a massive exodus of users and widespread criticism when it changed its terms to say it would use data for AI training.
When Google Tez (now Google Pay) was launched in India, there was criticism that its terms said it would share payments data with third parties, and it changed its terms.
To say tech companies aren't subject to criticism on the same grounds is actually ignorant. We are critical of big tech companies as well, but these tech companies (unlike any government) don't have statutory power over us.
We need to be more critical of government, hold them more to account because under the Constitution, the government is of the people, by the people, and for the people. They need to be more accountable to us.
For them (the government) to compare themselves to big tech and say 'you don't talk to them' -- this is a classic deflection tactic instead of trying to be more accountable.
The government says they are doing this for tracing the source of scams. But whoever is making scam calls is using somebody else's details to get that SIM card. So even if they trace it, it goes to someone who isn't the perpetrator.
Isn't then Sanchar Saathi a futile exercise?
We don't even know if it was actually filched because there are mule accounts. People are allowed to buy eight SIM cards per person. Someone was telling me these scamsters buy SIM cards by the rucksack, by the bora.
The telecom companies need to be accountable about their selling practices. If someone's buying a large number of SIM cards at a particular location at such scale, why aren't they looking into how their SIM card sellers are operating? Where's their accountability?
The SIM cards are being sold by the telecom operators. Instead of solving their own issue, they're saying the apps need to do SIM-binding.
Instead of the government and telecom operators solving the mess of their own creation, they're telling us we need to give access to our phones perpetually.
SIM binding does not solve the problem of someone taking a SIM card, going to another country and let's say buying a roaming pack or just keeping the SIM in the device and connecting to Wi-Fi and running a scam.
They have full SIM farms running with multiple SIM cards. They are far more sophisticated, and this (SIM-binding) only inconveniences people and restricts our usage.
If Communications Minister Jyotiraditya Scindia says we can delete the Sanchar Saathi app then shouldn't we be asking why make it mandatory? And what are the chances that once installed and later deleted, it would have already infiltrated or compromised your phone?

While the minister has come out and said you can uninstall it, that's not what the document they issued actually said. In Paragraph 7(b), they stated the functionality cannot be restricted. They gave a different interpretation now given the backlash, but that's not what they communicated to companies when they sent this notification.
And once that door opens (for Sanchar Saathi), anyone can misuse it. Today it's DoT saying cybersecurity is important. Tomorrow the ministry of health will say smoking is a problem and push an anti-smoking app.
Then Nitin Gadkari will say you should have your driving license on your phone, so they'll force Digilocker as mandatory. If a cop stops you at a traffic signal and asks for Digilocker, what will you say? You'll be forced to use it.
Why do you think there was no public consultation or privacy impact assessment before mandating Sanchar Saathi or SIM-binding? Aren't such unilateral directives symptomatic of executive overreach?
I think this kind of direction is symptomatic of executive ignorance. It's an indication of executive ignorance of how technology works, and I can understand that. They (the government) are not supposed to have all the solutions to our problems. They don't have all the answers, all the alternatives -- which is why there's a need for public consultation.
Then again, is this the path of least resistance? Is this the most proportionate solution to this problem? What are the other alternatives the government has considered for both these rules? Have they got options? Have they put it up in public consultation saying, 'Here are 10 methods we're considering to resolve this issue. Tell us why one works and another doesn't'? It's not like that.
When seen alongside Digiyatra, Aadhaar-linked payments and facial recognition networks, doesn't Sanchar Saathi signal a pattern -- the State embedding itself deeper into citizens' digital lives without independent oversight?
Where does security infrastructure end and surveillance architecture start?
The problem we have right now is that the State is so drunk on its power to use executive authority to impose tools and services upon citizens.
With the Supreme Court not doing enough to protect citizens' rights by the looks of it -- look at the fact that the Supreme Court hasn't heard the Pegasus case for two years. In 2016, it took over 700 days before the Supreme Court constituted a nine-judge bench on a matter as critical as the fundamental right to privacy.
The State now takes barely any time to create rules. They're able to pass laws through Parliament without any debate, without proper consultation. They are drunk on their power. They feel whatever they do is the right approach. They see everything from an adversarial perspective, not a collaborative perspective.
They don't believe public consultation will help make things better or give them more ideas. Instead, they usually hold only industry consultations -- and sometimes not even those. Then they go ahead and make laws and regulations on their own.
To be honest, many in the industry are quite unaware of how these policies actually affect users. Their main concern is to ensure that the government doesn't target them. So, in the end, they simply go along with whatever the government wants.
The government is the source of data leakages itself, isn't it? The government itself is responsible for the frauds happening in this country because it has leaked more data than anyone else.
Rachna Khera's story in The Telegraph (newspaper) in 2017 showed people were selling Aadhaar database access for Rs 500.
Before that, a CIS report indicated personal details of more than 128 million Indians had been leaked by government departments who published names, mobile numbers, addresses, dates of birth, parents' names in Excel spreadsheets directly on government web sites.
The government is the source of our data leakages. That's what has caused the frauds. Now they expect us to go through all the inconvenience to solve their own mess.
Where are scams happening from? Some of them have moved out of the country. But for the longest time many were happening from villages in Madhya Pradesh, in Himachal, where thousands of people were employed in scams.
How can such large operations run without even the local administration knowing? There's political patronage that makes this possible.
Instead of holding itself to account, the government is imposing more restrictions on us.
Would you install Sanchar Saathi if the government were to open-source it, allow independent audits, and legally guarantee it can't collect or transmit user data?
Personally, I still wouldn't. Sanchar Saathi has no utility for me, so I wouldn't do it.







