Critics argue that the Centre could not even secure Aadhaar, and is now demanding access to everyone’s phone without consent for installation.
Published Dec 02, 2025 | 2:30 PM ⚊ Updated Dec 02, 2025 | 2:44 PM
DoT has mandated that every smartphone sold in India from March 2026 must come with Sanchar Saathi pre-installed and non-removable.. Credit: sancharsaathi.gov.in/, x.com/BJPLive
Synopsis: As India mandates Sanchar Saathi app on every new smartphone from 2026, a decade of catastrophic data leaks – Aadhaar (815 million records), CoWIN, Aarogya Setu, DigiYatra, and even Army pension portals – has resurfaced. With the Centre repeatedly failing to safeguard biometric, health, and financial data, critics question whether citizens can trust it with root-level access to nearly 950 million smartphone users in India.
As the Modi government at the Centre prepares to make the Sanchar Saathi app mandatory on every new smartphone sold in India from early 2026, a long and disturbing history of data leaks across flagship digital programmes has resurfaced, casting serious doubt on whether citizens can trust the Union Government with yet another trove of personal data.
From the world’s largest biometric database to COVID vaccination records and facial-recognition travel systems, almost every major “Digital India” initiative has suffered embarrassing, and often massive, breaches in the past many years.
The Department of Telecommunications (@DoT_India) has mandated all mobile manufacturers and importers to pre-install the Sanchar Saathi app on devices sold in India, strengthening #cybersecurity and curbing IMEI misuse.#SancharSaathi #Telecom #CyberSecurity #India pic.twitter.com/SadIGnmjTP
— DD India (@DDIndialive) December 1, 2025
Let’s do a deep dive into previous major data breaches in India via Government of India-initiated apps.
India’s 1.4 billion-strong Aadhaar programme has been plagued by leaks since 2018. Scribes and privacy advocates repeatedly found Aadhaar numbers, photographs, addresses and even partial fingerprints openly accessible on hundreds of government websites.
In one infamous case, anyone with ₹500 and a WhatsApp contact could buy unrestricted access to the database through WhatsApp groups.
The darkest chapter came in October 2023 when cybersecurity firm Resecurity discovered 815 million Indian records, including Aadhaar cards, passports, and voter IDs, being sold on the dark web, making it the largest known civilian data breach in history!
In 2022–23, a simple Telegram bot began spitting out the vaccination status, Aadhaar, PAN, and passport details of any Indian citizen if someone entered their registered mobile number.
The bot was powered by the same backend used by the official CoWIN portal. The Health Ministry officials initially dismissed the reports as “mischievous” before quietly patching the flaw and making arrests in Bihar.
The COVID contact-tracing app, once mandatory for travel and office entry, drew sharp reactions when French ethical hacker Baptiste Robert demonstrated that anyone within Bluetooth range could track the movements of high-profile users, including the prime minister.
Privacy experts also flagged that the app’s static device IDs and centralised storage architecture made mass surveillance technically trivial.
However, in its defence, the Union government denied any breach.
The “paperless” airport entry system, proudly marketed as a convenience feature, suffered a major breach in 2023–24 when its primary vendor — DataEvolve — was found to have exposed the facial biometrics, Aadhaar and travel documents of over 3.3 million passengers.
The breach was so severe that the app briefly changed colour on users’ phones to signal compromise, forcing authorities to terminate the vendor contract, reported The Hindu.
Defence pension portal SPARSH, Odisha’s MoChhatua ration app, the Swachh Bharat Mission feedback portal, and even the government’s own S3WaaS cloud hosting platform have all fallen victim to hacks, ransomware, or simple misconfigurations that dumped millions of records onto hacker forums.
The AIIMS ransomware attack in 2022 paralysed India’s premier hospital for weeks and encrypted 1.3 terabytes of patient data, underscoring how even critical national infrastructure remains vulnerable.
Against this backdrop, the Department of Telecommunications (DoT) has mandated that every smartphone sold in India from March 2026 must come with Sanchar Saathi pre-installed with directives to manufacturers to ensure its functionalities are not disabled to restricted.
The app, linked to the Central Equipment Identity Register (CEIR), will have deep access to IMEI numbers, call logs, SMS, camera, location and network data — all in the name of curbing mobile theft and cyber fraud.
Meanwhile, critics argue that the same government that could not secure Aadhaar, CoWIN, or DigiYatra is now demanding permanent, root-level access to every citizen’s smartphone without an opt-out.
“We The People of India are Ruled by MOSAD now? Sanchar Saathi’s CHAKSHU doesn’t guarantee you will not be defrauded, just like having a good Constitution in our hands didn’t guarantee our slip into communalism and fascism”, said veteran journalist Raju Parulekar while flagging the ‘intrusive’ nature of the app.
🆘We The People of India are Ruled by MOSAD now ?🚨
🚨Sanchaar Saathi’s CHAKSHU doesn’t guarantee you will not be defrauded, just like having a good Constitution in our hands didn’t guarantee our slip into Communalism and Fascism.
▪️If you are defrauded, you will have to go… pic.twitter.com/CpVzX73w3k
— Raju Parulekar (@rajuparulekar) December 2, 2025
“Convenience has always been the Trojan horse for surveillance in India,” said Mishi Choudhary, founder of the Software Freedom Law Centre.
“When every previous promise of ‘your data is safe with us’ has been broken, why should citizens be forced to install yet another all-seeing app?”
With the Digital Personal Data Protection Act still struggling to find its teeth and breach disclosure remaining largely voluntary, millions of Indians are left asking a simple, straightforward but urgent question: If the Modi government has repeatedly failed to protect our Aadhaar data, health records, faces, pension details of Army veterans — can it really be trusted with root-level, unrestricted, and non-removable access to the world’s second largest smartphone population?
