SIM-Binding Necessary Evil, But Govt Must First Win Trust

SIM-binding and mandatory apps signal a push for stronger security—but without transparency and oversight, they could widen the trust deficit.

By TK Arun

T.K. Arun, ex-Economic Times editor, is a columnist known for incisive analysis of economic and policy matters.

December 3, 2025 at 3:25 AM IST

There has been sharp pushback against the government’s directive to all mobile phone makers and importers to preload, within 90 days, the government app, Sanchar Sathi, on phones freshly sold in the country. In the case of another related security-oriented mandate, which requires all messaging and communications apps to stay bound at all times to a particular SIM issued to the user, the response has been more mixed: while cellular operators think this is a good idea, the Broadband India Forum, which represents the interests of stakeholders in cyber business, has sought more time and consultations.

In either case, the articulated concern has been privacy. It has been reported that Apple has expressed its inability to comply with the Sanchar Sathi demand, as it would compromise its global commitment to privacy. The Broadband Forum’s demand for consultations and broad consensus on the timeframe within which such far-ranging changes are brought in is legitimate, as well. That said, there needs to be a wider acceptance of the reality that there exists a genuine tradeoff between absolute privacy and security of the individual, and the larger community.

On the face of it, the services offered by the Sanchar Sathi app are wholesome and helpful for individual mobile phone users, helping them find out, for example, how many SIMs have been issued in their name, to block a lost or stolen phone, and to report cybercrime. The trouble is that people have little trust that the state would not use a government-sponsored app to do a whole lot more than arm the citizen with some useful tools.

Such lack of trust harks back to past revelations about spyware being surreptitiously installed on the phones of targeted political and media personalities, in a context of the failure of Indian data privacy laws to institute any framework of accountability for official breaches of citizen privacy.

The government as well as volunteer groups could subject the Sanchar Sathi app to technical audits to verify if the app performs any covert functions that go beyond its stated services. This is necessary, even after the telecom minister’s clarification that whether to activate or delete the app is the consumer’s choice.

The government’s official notification says that the pre-installed app should not be allowed to be deactivated or deleted. The ministerial clarification runs counter to this directive, and should be communicated as an amendment to the notification, and not remain a post on X, albeit ministerial.

Privacy is a fundamental right. So is liberty. However, an individual’s liberty is circumscribed by the need to respect other people’s liberty, and prevent inflicting harm on society at large. Take the question of wearing a helmet while riding a two-wheeler. Most jurisdictions mandate protective headgear for bike riders. Does this not violate an individual’s liberty to decide whether he needs protection or not? It certainly does. Libertarians decry the paternalistic state that wants to appropriate the citizen’s right to decide how to take care of themselves. But it is not paternalistic instinct alone that warrants a helmet mandate.

If a rider without a helmet meets with an accident on the road, he might need expensive treatment to repair the damage caused by the accident. The cost of the treatment might go beyond what the rider can afford. In case of death or debility, his dependents might need financial support from the state or other members of society. The flip side of a libertarian refusal to wear a helmet should be being left alone to bear the cost of the consequence. However, the social contract of interdependence and solidarity that is implicit in being a part of society precludes such total indifference by society towards the consequences of libertarian folly. That means a cost for the rest of society as a result of libertarian refusal to wear a helmet. The libertarian’s liberty does not extend to imposing such cost on the rest of society.

This is the case for privacy as well. We live with constantly evolving technology and its dispersal across society, including to malign actors, who can commit crime — financial fraud, defamation, blackmail — or stage terror strikes or mob violence. Terrorists can potentially assemble explosives or biological weapons to inflict harm on the state and society. An absolutist approach to privacy would entail protecting the malign actors’ right to plan, prepare and execute their attacks in protected privacy. This is not acceptable. It should be possible to breach the privacy of suspected malign actors to protect the larger society from avoidable harm.

The real question is not of particular apps or directives. The real question is striking the right balance between individual privacy and societal security, and of accountability for actions undertaken in the name of security.

Let us be clear that the state can track the movement of mobile phones and the metadata of phone communications without great difficulty. Web-based Real Time Communication tools and apps are all amenable to interception. Some messaging apps have powerful encryption, true. But it should not be so powerful as to thwart law enforcement’s requirement to trace messages across time and devices.

Given the proliferation of financial fraud, drug smuggling and terror attacks making use of digital communications, it is reasonable to demand that communication apps be bound to SIMs, and SIMs to particular phones, each of which has its own unique International Mobile Equipment Identity number. If the app can be used on a linked device, the user should be logged out from the linked device when the user logs out from the SIM originally used to open and operate the account.

The only question is how best to do this, and how fast. This calls for consultation among all stakeholders, and clarity on the government’s own accountability.

Governments with access to the most advanced and powerful computing will be able to penetrate the insulation that encryption offers communications. The advent of quantum computing promises to make the current generations of encryption technologies defunct.

Do we believe that a tech regime in which privacy is absolute but the governments of the US and China alone can pierce the veil of ‘protected’ communication, is superior to technology that enables legally sanctioned privacy breaches?

India must institute legal changes to make the government accountable for its breaches of citizen privacy. Surveillance must be explicitly sanctioned by a court, even if not publicly, and the details of such sanction and the results of the use made of it must mandatorily be placed before a committee of Parliament, which can hold the executive to account.

Democratic accountability of the executive alone distinguishes democracy from dictatorship. The absence, in India’s current laws on data privacy and protection, of any mechanism or procedure for such accountability, while the government enjoys the right to breach that privacy, is inimical to democracy, and needs to be remedied. Security cannot be allowed to become a steppingstone to dictatorship via unchecked state surveillance, with or without a specific app or directive.