India has ordered all new smartphones to come pre-loaded with a state-run cybersecurity app, sparking privacy and surveillance concerns.
Under the order - passed last week but made public on Monday - smartphone makers have 90 days to ensure all new devices come with the government's Sanchar Saathi app, whose 'functionalities cannot be disabled or restricted'.
It says this is necessary to help citizens verify the authenticity of a handset and report the suspected misuse of telecom resources.
The move - which comes in one of the world's largest phone markets, with more than 1.2 billion mobile users - has been criticised by cyber experts, who say it breaches citizens' right to privacy.
Under the app's privacy policy, it can make and manage phone calls, send messages, access call and message logs, photos and files as well as the phone's camera.
'In plain terms, this converts every smartphone sold in India into a vessel for state mandated software that the user cannot meaningfully refuse, control, or remove,' advocacy group Internet Freedom Foundation said in a statement.
Amid the growing criticism, India's Minister of Communications Jyotiradtiya Scindia has clarified that mobile phone users will have the option to delete this app if they don't want to use it.
'This is a completely voluntary and democratic system - users may choose to activate the app and avail its benefits, or if they do not wish to, they can easily delete it from their phone at any time,' he wrote on X.
The minister did not, however, clarify how this would be done if the app's functions cannot be disabled or restricted.
Launched in January, the Sanchar Saathi app allows users to check a device's IMEI, report lost or stolen phones and flag suspected fraud communications.
An IMEI - the International Mobile Equipment Identity - is a unique 15-digit code that identifies and authenticates a mobile device on cellular networks.
In a statement, India's Department of Telecommunications said that mobile handsets with duplicate or spoofed IMEI numbers pose 'serious endangerment' to telecom cyber security.
'India has big second-hand mobile device market. Cases have also been observed where stolen or blacklisted devices are being re-sold,' it said, adding that this makes the purchaser an 'abetter in crime and causes financial loss to them'.
Under the new rules, the pre-installed app must be 'readily visible and accessible' to users when they set up a device and its functionalities cannot be disabled or restricted.
Smartphone makers must also 'make an endeavour' to provide the app through software updates for devices that are out of factories but haven't been sold yet, the statement said.
All companies have been asked to give compliance reports on the order in 120 days.
However, experts express concern over the extensive permissions the app can access, which heightens surveillance risks. Technology analyst Prasanto K Roy notes that compliance will be difficult since this order contradicts many handset-makers' policies.
Apple, which has not publicly commented, reportedly does not plan to comply and will communicate its concerns to the Indian government.
This move follows similar regulations in other countries, such as Russia's order for state-backed applications on devices, raising similar privacy alarms.
