India’s digital governance entered a darker phase in 2025. What began as cyber safety rhetoric now resembles construction of an intrusive security state where privacy is conditional, consent is cosmetic, and surveillance is normalized. The government’s latest moves targeting smartphones show a clear trajectory. India is no longer merely regulating technology. It is seeking structural access to it.
The Modi administration’s latest proposal demands that Apple, Samsung, Google, and Xiaomi hand over their closely guarded source code the fundamental DNA of their operating systems -to government-designated labs for “security assessment.” The package includes 83 security standards that industry insiders say have no global precedent. Tech giants are pushing back hard, but the writing on the wall is clear: India is no longer satisfied with watching its citizens. It wants to control the very devices they use.
Publicly, New Delhi insists these measures protect citizens from fraud and data breaches. In practice, they mark a decisive expansion of state power into private devices used by over 1.2 billion mobile subscribers. Few democracies have attempted anything similar. Fewer still without judicial oversight.
The Sanchar Saathi Debacle: A Preview of What’s Coming
December 2025 marked a watershed moment in India’s surveillance playbook. The Department of Telecommunications issued an order mandating that all new smartphones sold in the country come pre-loaded with Sanchar Saathi, a state-run cybersecurity app. The kicker? Users couldn’t delete it. The app’s “functionalities cannot be disabled or restricted,” the order read-a phrase that sent shivers down the spine of every privacy advocate in the country.
The backlash was immediate and fierce. The Internet Freedom Foundation didn’t mince words, calling it state-mandated software that converts every smartphone into “a vessel for state mandated software that the user cannot meaningfully refuse, control, or remove.” Under the app’s privacy policy, Sanchar Saathi can make and manage phone calls, send messages, access call and message logs, photos, files, and even control the phone’s camera. That’s not a security app. That’s a surveillance Swiss Army knife.
When the controversy exploded, Communications Minister Jyotiraditya Scindia scrambled to control the damage. Speaking in Parliament, he insisted that the app was “completely voluntary and democratic” and claimed users could delete it at any time. In his words: “Snooping is neither possible nor will it happen with the Sanchar Saathi safety app.” Yet, when pressed on how users could delete an app whose functionalities “cannot be disabled or restricted,” Scindia offered no clarification. The contradiction was glaring, the trust deficit wider.
Within days, facing mounting pressure from tech companies and civil society, the government quietly withdrew the order. But the retreat was tactical, not ideological. The Sanchar Saathi episode wasn’t an aberration-it was a dress rehearsal.
Source Code Demands: Crossing the Rubicon
Now comes the main act. According to Reuters, India is proposing to force smartphone manufacturers to share their source code with the government as part of sweeping security standards drafted in 2023 but only now being considered for legal enforcement. Among 83 requirements, the most contentious involves “vulnerability analysis” and “source code review”- euphemisms for handing over the underlying programming instructions that make phones work.
These codes would be analyzed and tested at designated Indian labs, giving government agencies unprecedented access to the inner workings of devices used by India’s 750 million smartphone users. The proposal also requires companies to alert authorities before major software updates-a requirement that industry representatives say “lacks any global precedent” and risks revealing proprietary details.
In confidential discussions reviewed by Reuters, Apple, Samsung, Google, and Xiaomi have raised alarm. A December IT ministry document capturing these meetings noted: “Industry raised concerns that globally security requirement have not been mandated by any country.” The industry group MAIT, which represents these firms, was even more blunt in its response, calling the source code review requirement “not possible” due to corporate secrecy and global privacy policies.
The historical context is damning. Apple declined China’s request for source code between 2014 and 2016. US law enforcement has tried and failed to access it. Even in authoritarian
regimes, such demands are rare because they threaten the fundamental security architecture that protects users globally. If India succeeds, it won’t just be setting a dangerous precedent-it will be handing every repressive regime a playbook.
The Broader Surveillance Ecosystem
India’s hunger for digital control didn’t begin with smartphones. Over the past decade, successive governments have constructed a sprawling surveillance infrastructure that operates with minimal oversight and maximum opacity. The Central Monitoring System, rolled out in 2013, allows authorities to intercept all phone and internet communications without involving service providers. The Aadhaar biometric identification system, covering over 1.2 billion citizens, has become mandatory for everything from banking to buying SIM cards, creating a centralized database of unprecedented scale.
According to a 2025 study by UK-based research firm Comparitech, India ranks near the bottom globally in protecting citizens’ privacy rights-just above China and Russia. A Washington Post editorial from January 2026 described India as “one of the world’s most aggressive testing grounds for state digital surveillance systems.” The evidence is overwhelming. Internet shutdowns have become routine, particularly in Kashmir, which endured a 552-day blackout- the longest in any democracy.
Facial recognition technology is being deployed without legislative backing or independent oversight. Data retention laws mandate that internet service providers store user metadata for extended periods, creating vast repositories of information vulnerable to misuse.
The Digital Personal Data Protection Act of 2023, touted as a privacy safeguard, is riddled with exemptions that favor state surveillance over citizen protection. Section 17(2) allows broad government access on vague grounds like “national security” and “public order.” As digital rights expert Medha Garg noted, the law functions as “a shield to protect the state and its allies from scrutiny and accountability, while demanding transparency from citizens.” Privacy, she argues, is being weaponized-not as a citizen’s right, but as a tool of state control.
The Whistleblower’s Warning
Edward Snowden, the former NSA contractor who exposed US mass surveillance programs, has been a vocal critic of India’s trajectory. In 2018, speaking about Aadhaar, he warned:
“People are creating mandatory enrollment that is forcing identity on people throughout the country, to the point where you cannot have a child and get a birth certificate unless you provide your Aadhaar number.”
His broader insight resonates more powerfully today:
“No system of mass surveillance has existed in any society that we know of to this point that has not been abused.”
Snowden’s most damning observation cuts to the heart of the current crisis: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” In India, that argument is
being deployed by a government that increasingly confuses security with control, and protection with invasion.
What This Means for Ordinary Indians
The implications are staggering. If these proposals become law, every Indian who buys a smartphone will be purchasing a device whose security has been fundamentally compromised. Government labs will have dissected the code, creating potential backdoors that could be exploited not just by Indian agencies but by malicious actors worldwide. Software updates- critical for patching security vulnerabilities-will be delayed as manufacturers navigate bureaucratic approval processes, leaving users exposed to known threats.
The 83 security standards include requirements that manufacturers store device logs for 12 months, implement always-on GPS tracking, and allow apps to be preinstalled that cannot be removed. As the industry group MAIT pointed out, “There is not enough room on device to store 1-year log events.” More fundamentally, these measures transform smartphones from tools of empowerment into instruments of state surveillance.
For journalists, activists, lawyers, and ordinary citizens exercising their constitutional rights, the consequences could be catastrophic. Investigative reporters working on corruption or surveillance abuses have no way to know if the government has silently requisitioned their metadata. Citizens using the Right to Information Act face the same risk. Until 2027, when user protections in the Digital Personal Data Protection Act take effect, Indians have no enforceable right to challenge inaccurate data, demand corrections, or secure deletions.
The Democratic Paradox
India prides itself on being the world’s largest democracy, yet its digital governance increasingly resembles that of authoritarian states. China’s surveillance apparatus is comprehensive and unapologetic. Russia’s is brutal and efficient. India’s is becoming both-wrapped in the language of democracy and national security.
According to a 2025 academic study on digital authoritarianism in India, the Aadhaar privacy breach of 2018 revealed that data of over a billion citizens was available for purchase online for just ₹500 ($6). The Kashmir internet blackout caused economic losses estimated at $2.8 billion. These aren’t isolated incidents-they’re features of a system designed to prioritize state control over citizen rights.
The parallels with China’s Personal Information Protection Law are striking. Both frameworks claim to protect privacy while concentrating unchecked power in government hands. Both
exempt state agencies from the rules that bind private actors. Both use the language of security to justify opacity. As Apar Gupta, founder of the Internet Freedom Foundation, argued: “The government’s stated reasons (of national security and preventing fraud) to hand over our phone and personal data do not hold up to scrutiny. It is an expression of the state’s growing authoritarianism and appetite for mass surveillance.”
Industry Resistance and Global Implications
Apple has signaled it will not comply with the pre-installation mandates, according to Reuters. The company faces a difficult choice: compromise its global security architecture or risk losing access to one of the world’s largest smartphone markets. Samsung and Xiaomi, which together command 34% of India’s market share, are similarly positioned. Google, whose Android operating system powers the majority of Indian phones, faces an existential dilemma-how to maintain user trust globally while accommodating demands that undermine that very trust. IT Secretary S. Krishnan has attempted to downplay the controversy, telling Reuters that “any legitimate concerns of the industry will be addressed with an open mind.” But the government’s track record suggests otherwise.
When security camera manufacturers raised concerns about similar requirements, the government “brushed aside lobbying” and imposed rigorous testing standards, ostensibly to counter Chinese spying. The subtext was clear: comply or face the consequences.
If India succeeds in compelling source code disclosure, it will set a precedent that other governments-democratic and authoritarian alike—will rush to follow. Brazil, Indonesia, Turkey, and others already watch India’s digital governance experiments closely. A successful implementation would fracture the global internet, creating a Balkanized digital ecosystem where each country demands backdoor access to the technologies that connect us. The Path Forward
The government insists these measures are necessary to combat rising cybercrime and protect user data. Official figures cited by Reuters show that the Sanchar Saathi app has helped recover more than 700,000 lost phones, including 50,000 in October 2025 alone. Fraud incidents reported through the app average 2,000 per day. These numbers are real, and the threat of cybercrime is legitimate.
But here’s the uncomfortable truth: you cannot secure a system by fundamentally undermining its security. You cannot protect privacy by eviscerating it. You cannot defend democracy by adopting the tools of authoritarianism.
What India needs is transparent, accountable surveillance reform with independent oversight. It needs a privacy law that protects citizens first and exempts the state last. It needs judicial checks on executive overreach and legislative clarity on what constitutes legitimate security interests. What it’s getting instead is a surveillance state built on the fiction that safety and freedom are incompatible.
The debate over source code access and mandatory government apps isn’t technical-it’s existential. It’s about whether India will remain a democracy that uses technology to empower citizens or become a digital autocracy that uses technology to control them. Right now, the signs point ominously in the wrong direction.
India stands at a crossroads. Down one path lies continued democratic evolution, where technology serves citizens and accountability flows upward from the governed to their governors. Down the other lies digital authoritarianism, where every device becomes a monitoring tool and every citizen a data point in a vast surveillance apparatus.
The Sanchar Saathi controversy and the source code demands are not isolated policy proposals. They are symptoms of a deeper ideological shift-one that views security and freedom as zero-sum rather than complementary, one that treats transparency as a threat rather than a foundation, one that confuses state power with national interest.
As Edward Snowden warned, once such systems are built, they are never dismantled. They metastasize. They normalize. They become the infrastructure of oppression, dressed in the language of protection. India’s 750 million smartphone users deserve better. They deserve devices they can trust, laws that protect them, and a government that remembers it serves at their pleasure-not the other way around.
The world is watching. And what happens in India won’t stay in India. If the source code doors open here, they’ll swing open everywhere. The question isn’t whether India can build a surveillance state. Clearly, it can. The question is whether it should-and whether its citizens will let it.
Leave a comment