Not A Saathi After All: Why Sanchar Saathi Rings Alarm for Trade Secrets
SpicyIP
The Sanchar Saathi application has largely been analysed as a privacy issue. However, as Anjali Tripathi argues in this entry for the SpicyIP–Jhana AI Blogpost Writing Competition, it raises a more serious and underexplored concern—one that could directly threaten the protection of trade secrets and confidential business information in India’s smartphone-first economy. Anjali is a fifth-year law student at JGLS with an interest in IP rights, access to education, and the creative arts.
Not A Saathi After All: Why Sanchar Saathi Rings Alarm for Trade Secrets
By Anjali Tripathi
The Indian landscape has been worrisome recently – with flight schedules going haywire, fires occurring, raging AQIs, and of course, political tensions. Amongst all this chaos, there has been a rise in digital risks such as cyberattacks in the form of GPS spoofing at Indian airports or the quiet release of the Sanchar Saathi application by the Department of Telecommunications (DoT). Most of us have read, thought or written about the Sanchar Saathi application issue through the lens of a privacy issue. While it most definitely is that, it is also something more crucial and interesting: a potentially direct threat to how India’s smartphone-first economy protects trade secrets and confidential business information. Although as of date, the mandatory pre-installation requirement has been removed, the risks upon use and the possibility of the Government introducing similar intrusive measures in the future remain salient.
Sanchar Saathi as Device-Level Control
When DoT quietly directed all handset manufacturers to pre-install the Sanchar Saathi cyber-safety app on every phone sold in India, Reuters reported that the app was meant to be undeletable and pushed even to existing devices through software updates. The stated aims: counter cyber‑fraud and IMEI cloning. Unfortunately, there are concerns to be addressed, and once again, the devil sits in the details of this design. Sanchar Saathi has been framed as a citizen service which helps to check handset genuineness, blocks stolen phones and report frauds, as mentioned in the official press release. But the legal language used in this release under the Telecom Cyber Security Rules insists that the application be “readily visible” and that its “functionalities are not disabled or restricted” at the device level. That phrasing reads less like user empowerment and more like operating-system capture.
Independent technical analysis by organisations like MediaNama, helps us understand the breakdown of the Android package, which noted that Sanchar Saathi requests broad-spectrum access: reading and sending SMS, access to the full call log, reading and writing external storage, camera use, wake-lock, run-at-startup and network access.
Another report traces how the app could become a high-privilege point of failure on every Indian smartphone, if implemented with system-level privileges (as digital-rights groups warn would be necessary for a truly non-removable installation). None of this is necessary to submit IMEI numbers or fraud complaints to a web backend. Modern Android already offers OTP verification APIs that avoid full SMS access; Sanchar Saathi simply does not use them – pointing to concerning use-cases in the future if left unchanged.
From Privacy Risk to Trade Secret Risk
For ordinary citizens, the above-stated issue is an obvious privacy problem. For businesses, on the other hand, it is a trade secret problem of a different order. Contemporary trade secrets are not just recipes and manufacturing processes locked in a safe, as we visually imagine hearing these words. They now include customer databases, pricing algorithms, data-driven insights, source code, ML models, performance dashboards and internal strategy decks, as Indian practitioners point out. A large fraction of this material either lives directly on phones or flows through them in the form of (encrypted?) messaging, approval chains, emails and two-factor authentication messages that unlock deeper corporate systems of major companies.
Now, if an app like Sanchar Saathi, a government-owned app with extensive access to internal documents and processes, is released – even if we assume perfectly good faith by the state, any vulnerability in that app becomes a vulnerability into the trade-secret stack of Indian industry. Anything could prove to be harmful to whole companies – a spear-phishing link, a compromised update server, a malicious insider at a vendor – and suddenly an attacker has a privileged foothold on millions of devices used by executives, in-house counsel, bankers, engineers and founders. This wouldn’t just have a grave economic impact, it would also affect the very real lives of the very real people working for these giants. In fact, companies like Apple and Google’s lobby groups have already explicitly warned that such measures pose risks to “military, judges, corporate executives and journalists,” who “hold sensitive information.” That list is a map of where trade secrets and high-value confidential data actually sit.
India’s Fragmented Trade Secret Framework
And, the lobby groups are not wrong – this is why the Sanchar Saathi episode intersects uncomfortably with India’s half-built trade secret regime. When the device environment itself introduces a mandatory and privileged third-party application to access confidential material like internal datasets, client information or data compilations, it only leads to a whole other can of worms. The patchwork blanket that is the law surrounding trade secrets in India, is made of pieces of fabric from contract law, the IT Act’s duty towards sensitive data, equitable principles of breach of confidence and criminal breach of trust. Courts expect trade secret holders to show “reasonable measures” to maintain secrecy through legal instruments like NDAs or limited access, internal policies and other security controls. The Law Commission’s 289th Report on “Trade Secrets and Economic Espionage” goes further and proposes a dedicated Protection of Trade Secrets Bill, 2024, aligned with TRIPS Article 39 and international practice. Yet that proposed framework still assumes a familiar cast of characters: firms, employees, competitors, rogue insiders, foreign states. It does not meaningfully contemplate the state itself putting a privileged app on every corporate device in the country. The compliance implications of such an architecture are glaringly alarming to anyone responsible for safeguarding corporate confidentiality.
Always-On Location and Economic Espionage
It’s a whole other can of worms once we factor in the parallel push for a deeper location surveillance. A fresh Reuters report describes how the Cellular Operators Association of India has urged the government to mandate always-on A-GPS tracking on all devices, with no user option to switch it off. Apple, Google and Samsung have pushed back, calling it unprecedented; experts quoted in the report note it would effectively turn smartphones into “dedicated surveillance devices,” capable of tracking users within about a metre.
A mandatory app backed by the state is fundamentally different from a private company app with broad permissions because users have no real avenue to refuse, uninstall, or litigate against state-mandated software, and the state acts both as regulator and host of the app – concentrating authority without the market or legal checks that constrain private entities. Let us read that again from the perspective of a trade secret-heavy business. If always-on location tracking were ever paired with a privileged government app that holds SMS, call-log or storage permissions, the resulting data layer could – at least in principle – allow an investigative agency or a successful attacker to map not only where key employees are, but also patterns of contact, authentication rhythms, and recurring client interactions. India’s own experience with large government databases shows that even critical state systems can be breached or exposed. For example, unrestricted access to the Aadhaar database was reportedly sold for as little as ₹500, exposing the personal details of over a billion citizens and spawning widespread security concerns about identity data. The official Aadhaar ecosystem has also seen hundreds of government websites inadvertently exposing personal information and unauthorized internal access, underscoring that state systems are not immune to compromise. Seen through the Law Commission’s own language, this kind of latent capability edges uncomfortably close to the contours of economic espionage, even without any allegation of present misuse.
Official materials emphasise that Sanchar Saathi is “user-driven” and “voluntary,” stressing consent and DPDP Act compliance. Yet the pre-installation directive, as Harsh Gour notes, pulled the rug from under that framing by treating the app as mandatory at the device level, with removal difficult and disabling discouraged. Once public and industry backlash grew loud, the government rescinded the mandatory order. But the architecture lesson remains: once a state-mandated app is welded into the firmware layer, the line between “voluntary, citizen-centric tool” and “hard surveillance infrastructure” can be redrawn silently by a software update. For trade secrets though, the harm does not require mass, real-time snooping. A more mundane scenario is enough.
Reasonable Measures in an Unreasonable Stack
Scholarly work on trade secrets in India has already flagged how fragile the “reasonable measures” test becomes in a data-saturated economy. Some reports note that businesses increasingly rely on logs, security controls and detailed data trails to prove that they guarded their secrets. DPDP obligations push in the same direction, demanding logging, accountability and auditability. But those same trails, if exfiltrated via a privileged app, become a roadmap to the very secrets they were meant to protect. This is precisely why a sui generis trade secret law needs robust exceptions and safeguards: to prevent security and privacy instruments from turning into tools of economic surveillance.
The Sanchar Saathi saga shows how quickly those lines can blur when cybersecurity policy is rolled out through opaque executive directions instead of debated legislation. A telecom-security narrative can mask a deeper redesign of device architecture in which the state gains a new, privileged interface to phones that now double as corporate briefcases. In a country trying to pitch itself as a hub for high-value R&D, chip design, fintech and biotech, this has consequences. Multinational firms performing serious technology transfer will look not only at statutory language, but also at the practical reality of who sits between their employees and the truly sensitive parts of a device – such as the trusted execution environments or secure enclaves where encryption keys, biometric credentials, and authentication tokens are stored in isolated hardware – which are designed to protect these assets from less-trusted software and peripheral access. In this context, ‘secure elements’ refers to hardware-isolated zones within modern chips that are specifically engineered to keep sensitive data and operations insulated from normal apps and the main operating system.
A Stress Test for India’s Trade Secret Future
The government’s decision to roll back the mandatory pre-install order is welcome, but it is not enough. The episode should be treated as a stress test for three overlapping regimes: telecom security, personal data protection and trade secret protection. Any future version of Sanchar Saathi – or any replacement security app – should be strictly opt-in, minimally permissioned, and subject to independent code audits whose results are public. The Protection of Trade Secrets Bill, when it eventually appears in Parliament, must explicitly address state-owned digital infrastructure as a potential vector of misappropriation or economic espionage, and set out hard safeguards: functional limits, logging, and meaningful remedies when state tools create avoidable risk.
The larger principle is simple. India needs robust tools to combat cyber-fraud and IMEI cloning, and it needs a serious trade secret regime. It cannot credibly build the latter while casually experimenting with making every business phone in the country double as a high-privilege endpoint for state software and always-on location tracking. The fight over Sanchar Saathi is therefore not only about privacy or civil liberties, important as they are. It is also about whether India can promise domestic and foreign businesses that their competitive lifeblood – their trade secrets – will not become collateral damage in the march toward total telecom visibility.