#142 India is Missing the Cybersecurity Plot
In this edition of Technopolitik, Anwesha Sen explores India’s cybersecurity regulations, and unpacks the privacy tradeoffs.
India faces a surging tide of cyber threats — over 265 million attacks in 2025 so far, with cyber fraud losses exceeding ₹22,800 crore — yet recent telecom interventions like Sanchar Saathi, SIM binding mandates, Telecom Cyber Security Amendments, and phone location surveillance proposals reveal a reactive, surveillance-heavy approach that sidesteps root causes like weak enforcement and porous digital infrastructure. These measures prioritise state access to personal data over robust, privacy-respecting defences, undermining trust in a nation where 1.2 billion subscribers fuel the world’s largest mobile market. True cybersecurity demands investing in forensic capacity, cross-jurisdictional policing, and public education, not shortcuts that risk mass surveillance.
Sanchar Saathi, launched as a citizen portal in 2023 and app-ified in 2025, enables IMEI checks, stolen phone blocking, and fraud reporting via Chakshu, boasting 1.4 crore downloads, 42 lakh devices blocked, and 1.43 crore fraudulent SIMs disconnected by December. The Department of Telecommunications initially mandated its undeletable pre-installation on all new smartphones in late November 2025, sparking backlash over excessive permissions, from flashlight access to potential device monitoring, before a U-turn amid privacy outcry. Critics likened it to a “Big Brother” tool, ineffective against tech-savvy criminals who spoof IMEIs or root devices.
SIM binding rules, notified under the Telecommunications Cyber Security (TCS) Amendment Rules 2025 and effective from February 2026, require messaging apps like WhatsApp, Telegram, and Signal to tie functionality to active, KYC-verified SIMs, with web versions logging out every six hours. Telecom operators pushed this to curb cross-border scams exploiting delinked accounts, but it burdens multi-device users, travelers, and e-commerce platforms with redesign costs and access friction. The draft TCS amendments, rolled out October 22, 2025, further expand cybersecurity to digital lockers and OTT platforms, mandating mobile number validation fees (₹3 per private query) and device traceability.
Telcos now propose always-on satellite tracking on smartphones for precise agency requests, as cell-tower data proves too vague. Apple, Google, and Samsung are resisting, citing privacy invasions, while the Telecom Act 2023 already empowers broad interception for “national security.” These align uneasily with the Digital Personal Data Protection Act (DPDPA) 2023, which mandates consent, data minimisation, and user rights — yet exempts state processing for “public order,” enabling telecom rules to bypass fiduciary duties. DPDPA requires breach notifications and audits, but exemptions swallow surveillance mandates whole, creating regulatory whiplash. For instance, Sanchar Saathi claims compliance via minimal data collection, yet demands broad device access.
India’s cybersecurity regulations contravene DPDPA’s core tenets by embedding mass data collection without granular consent or purpose limitation. SIM binding compels apps to process sensitive telecom data as fiduciaries, yet lacks opt-outs or erasure rights for non-fraudulent users, violating the data minimisation principle of collecting only what’s necessary. Location surveillance proposals demand persistent tracking, clashing with DPDPA’s prohibition on non-consensual processing unless strictly exempt, while TCS amendments impose traceability on OTTs without independent audits, shifting compliance burdens to private entities amid vague “cybersecurity” definitions. These regulations fail Puttaswamy’s proportionality test because they aren’t narrowly tailored. Instead, they presume universal suspicion, enabling function creep from fraud detection to profiling. DPDPA’s Data Protection Board remains powerless against state exemptions, fostering a two-tier regime where telecom rules override privacy safeguards, eroding user agency in everyday communications.
This piecemeal approach misses the cybersecurity plot. Cybercriminals thrive on enforcement gaps — BNS Sections 316-318 penalise fraud, CEIR blocks stolen IMEIs, and IT Act Sections 43 and 66 target cyber fraud, yet low conviction rates persist due to untrained police and siloed probes. DPDPA alignment falters as telecom rules favor traceability over proportionality, echoing Puttaswamy’s tests of legality, necessity, and minimal intrusion. India must pivot by funding training in tackling cyber crimes for law enforcement agencies, establishing interstate units and cyber forensic labs, and raising public awareness on grievance redressal for cyber crimes.
By doubling down on capacity over coercion, India can secure its cyberspace without sacrificing privacy rights.


