In the last week of November 2025, a storm erupted in India’s digital policy landscape when Reuters revealed that the Department of Telecommunications (DoT) had quietly directed mobile manufacturers to pre-install the government’s “Sanchar Saathi” suite (comprising CEIR, TAFCOP and Chakshu apps) on every new smartphone sold in India and push it via system updates to existing devices. Within 48 hours, faced with domestic outrage, parliamentary questions and subtle but firm push-back from global manufacturers (particularly Apple), the government performed a swift U-turn, declaring the app “optional” and deletable.
The episode has become one of the most debated digital-governance moments since the Aadhaar rollout and the Pegasus revelations. This article examines what actually happened, what Sanchar Saathi does, why the government wanted it embedded at the operating-system level, the legitimate public-interest arguments, the serious privacy concerns, and the broader trend of state–citizen digital relations in 2025.
What is Sanchar Saathi and How Did It Begin?
Sanchar Saathi was launched in May 2023 as a citizen-centric portal and mobile application under the Department of Telecommunications. It bundles three main services:
- CEIR (Central Equipment Identity Register) – allows users to block and trace lost or stolen mobile phones by IMEI across operators.
- TAFCOP (Telecom Analytics for Fraud Prevention and Consumer Protection) – lets citizens check how many SIMs are registered against their Aadhaar and report fraudulent ones.
- Chakshu (launched 2024) – a real-time fraud-reporting facility for spam calls, SMS, WhatsApp scams, KYC fraud, etc.
By mid-2025 the government claims the platform helped block and recover over 1.1 million stolen devices and facilitated the disconnection of millions of fraudulent connections. These are impressive figures in a country that registers over 100 million new mobile connections annually and sees rampant phone-snatching and telecom fraud.
The November 2025 Directive and the Backlash
On 15 November 2025 the DoT issued an internal directive (first reported by Reuters on 27 November) giving manufacturers 90 days to make the Sanchar Saathi suite non-removable system software on all handsets sold in India from 1 March 2026. The language reportedly stated that the app should be “embedded in the operating system” and “non-uninstallable without root access”.
Within hours of the Reuters story, civil-society organisations, opposition MPs, technology columnists and ordinary citizens raised alarm on three grounds:
- Lack of public consultation or parliamentary discussion before mandating system-level software.
- Extremely broad permissions requested by the app (access to call logs, SMS, storage, camera torch, location, and in some versions even screen-capture capability).
- Fear that an embedded government application could evolve into a surveillance or remote-control tool.
Parliament was in session, and MPs across parties (P. Chidambaram, Priyanka Chaturvedi, John Brittas and others) compared the move to “Pegasus-plus” and “Big Brother surveillance”. Apple, according to sources quoted by The Economic Times and The Hindu, privately informed the government that it would not comply with non-removable pre-installation on iOS devices, citing its global policy against government-mandated backdoors or non-deletable code. Samsung and Chinese manufacturers remained silent publicly but industry bodies reportedly flagged logistical nightmares of maintaining two separate software builds (India-specific vs global).
The Government’s Rapid Retreat
By the evening of 29 November 2025, Union Minister Jyotiraditya Scindia told reporters outside Parliament that “there is no compulsion” and that “users will have full rights to delete the application”. The DoT issued a clarification the next day stating that the original directive had been “misinterpreted” and that Sanchar Saathi would remain voluntary.
The Official Justification
The government has consistently argued that:
- India has amongst the highest rates of mobile theft and telecom fraud in the world.
- Voluntary downloads (around 8–10 million by late 2025) are insufficient to create network effects strong enough to deter organised gangs.
- Pre-installation is common globally for emergency services (e.g., EU’s eCall, US’s Amber Alerts, Israel’s Home Front Command app).
- Permissions are required for legitimate functions: reading SMS to detect fraudulent KYC links, torch access for “Find My Device”-style flashing, etc.
- Data is processed on government servers with strict retention limits and is not used for surveillance.
The Privacy and Security Counter-Arguments
Critics, including the Internet Freedom Foundation (IFF), Software Freedom Law Centre, and several independent security researchers, highlighted the following risks:
- Overreach of Permissions – Even if currently used only for anti-fraud, future governments could repurpose the same permissions.
- No Independent Audit – Unlike Aadhaar’s biometric systems, Sanchar Saathi’s source code has never been opened for public audit.
- Remote-Control Potential – Security researchers demonstrated in 2024 that certain Android “Device Admin” and “Accessibility” privileges (which Sanchar Saathi requests) can be abused to lock devices remotely or push files – a capability already being used by some Indian lending apps (now under RBI scrutiny).
- Chilling Effect – Citizens may self-censor knowing a government application with deep system access is permanently present.
- Precedent – Only three countries are known to mandate non-removable government monitoring apps on consumer devices: North Korea (signature-checking Red Star OS), China (various provincial “anti-fraud” apps), and Russia (post-2022 “national communication app” requirements).
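The permission concerns above can be checked mechanically by an auditor. The following is an added example, not code from the original article or from Sanchar Saathi: it reads a decoded AndroidManifest.xml and separates data-access permissions from Device Admin and Accessibility bindings. The manifest, package name and component names are constructed for illustration, and the manifest is assumed to be already decoded from the APK's binary XML into text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Data-access permissions matching the categories the critics list.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.CAMERA": "camera/torch",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
# Bindings declared on components that give the app control over the device.
CONTROL_BINDINGS = {
    "android.permission.BIND_DEVICE_ADMIN": "device admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
}

# Constructed sample manifest (hypothetical app, not a real one).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.helperapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".ScreenHelper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return requested sensitive permissions and control-level bindings."""
    root = ET.fromstring(xml_text)
    findings = {"data_access": [], "control": []}
    for el in root.iter("uses-permission"):
        perm = el.get(NAME, "")
        if perm in SENSITIVE:
            findings["data_access"].append((perm, SENSITIVE[perm]))
    app = root.find("application")
    for comp in (app if app is not None else []):
        # Device Admin is bound on a <receiver>, Accessibility on a <service>.
        if comp.tag in ("service", "receiver"):
            binding = comp.get(PERMISSION, "")
            if binding in CONTROL_BINDINGS:
                findings["control"].append(
                    (comp.get(NAME, "?"), CONTROL_BINDINGS[binding]))
    return findings


if __name__ == "__main__":
    for kind, items in audit_manifest(SAMPLE_MANIFEST).items():
        print(kind, items)
```

A non-empty "control" list is the finding an independent audit would want justified first, since those bindings go beyond reading data.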
Comparative Global Perspective
Many democracies mandate pre-installed emergency or public-safety applications, but with important safeguards:
- European Union: eCall is limited to crash detection and location sharing; no SMS reading or storage access.
- United States: Wireless Emergency Alerts cannot be disabled, but carriers do not grant government apps system-level permissions.
- South Korea & Japan: Disaster-alert apps are pre-installed but run with minimal permissions and are fully deletable.
India’s proposed model was unique in combining anti-fraud, IMEI blocking and spam-reporting into a single non-deletable app with extensive permissions.
The Bigger Picture in 2025
The Sanchar Saathi episode must be viewed alongside other ongoing developments:
- SIM–Aadhaar re-verification drives (2024–2026).
- Draft Broadcasting Services (Regulation) Bill proposing government take-down powers over online content.
- Expansion of the Central Monitoring System (CMS) and NATGRID.
- Continued non-transparency around Pegasus-type tools (Supreme Court closed the case in 2024 citing lack of government cooperation).
Taken together, these create an impression – for some citizens – of incremental movement towards greater state visibility into private communication.
Lessons and the Path Ahead
The 2025 U-turn demonstrates that public vigilance, parliamentary scrutiny and the leverage of global technology companies can still force course corrections in India’s democratic system. Yet the episode also reveals gaps:
- Need for a modern, enforceable Digital Rights Act that clearly demarcates permissible government access to personal devices.
- Mandatory security and privacy audits for any government application seeking system-level privileges.
- Greater transparency on data retention and third-party access (the Sanchar Saathi backend reportedly still routes some logs via Gmail APIs – an anomaly flagged in 2025).
- Public consultation before far-reaching technical mandates.
Sanchar Saathi remains a genuinely useful tool for millions of Indians who lose phones or fall victim to telecom fraud. The government’s desire to scale its reach is understandable. However, embedding any application at the operating-system level without deletion rights crosses a bright red line for privacy and democratic freedoms in most open societies.
The swift retreat in December 2025 is welcome, but it should not be seen as the end of the debate. As India hurtles towards 1.5 billion mobile connections and increasingly digital lives, the balance between safety and surveillance, between voluntary cooperation and mandated compliance, will have to be negotiated openly, transparently and with robust legal safeguards.
Only then can technology serve both the citizen and the state without one devouring the other.
Introduction to Pegasus Spyware
Pegasus is a highly advanced form of spyware developed by NSO Group Technologies, an Israeli cyber-intelligence firm founded in 2010. Marketed exclusively to governments and law enforcement agencies, Pegasus is designed for remote surveillance and data extraction from mobile devices. It targets both iOS (Apple) and Android operating systems, enabling operators to infiltrate smartphones without the user's knowledge or interaction. The spyware's name draws from the mythical winged horse, symbolising its ability to "fly under the radar" of traditional security measures.
While NSO Group claims Pegasus is intended for legitimate purposes—such as combating terrorism, tracking criminals, and locating missing persons—its deployment has sparked widespread controversy. Revelations of misuse against journalists, activists, politicians, and dissidents have positioned it as a symbol of the growing risks posed by commercial spyware in the digital age. As of December 2025, Pegasus remains a persistent threat, with ongoing legal battles, technical evolutions, and reports of active targeting underscoring its relevance.
Development and Marketing by NSO Group
NSO Group, headquartered near Tel Aviv, Israel, specialises in offensive cyber tools. Pegasus was first developed around 2011 as a response to client demands for more sophisticated mobile surveillance. The company licenses the spyware on a subscription basis, reportedly costing between $500,000 and $10 million annually, depending on the number of targets and features accessed. NSO conducts "due diligence" on buyers, claiming to vet governments for human rights records, but critics argue this process is opaque and ineffective.
The spyware operates on a client-server model: Governments purchase access to a control panel where they select targets by phone number. NSO's servers then deploy the exploit, and data is exfiltrated back to the client's secure dashboard. This "spy-as-a-service" approach has made Pegasus accessible to over 45 countries, according to investigations by groups like Citizen Lab at the University of Toronto. However, NSO maintains that it has no visibility into how clients use the tool post-sale, a defence frequently invoked in lawsuits.
Technical Capabilities and Functionality
Pegasus is renowned for its stealth and comprehensiveness. Once installed, it transforms a victim's device into a surveillance hub, granting near-total access to personal data and hardware. Key capabilities include:
- Data Extraction: Reading text messages (SMS, iMessage), emails, and encrypted communications from apps like WhatsApp, Telegram, and Signal. It can harvest passwords, browser histories, contacts, and calendar entries.
- Audio and Visual Surveillance: Activating the device's microphone for call interception or ambient recording, and the camera for photos or video without indicators like LED lights.
- Location Tracking: Monitoring GPS data in real-time to map movements.
- Network and App Harvesting: Capturing details on Wi-Fi networks, app usage, and keystrokes, including sensitive inputs like banking PINs.
- Persistence Mechanisms: Self-updating to evade patches, duplicating into hidden system modules, and manipulating backups (e.g., iCloud or Google Drive) to reinstall after resets.
Pegasus minimises detection by using minimal bandwidth—sending scheduled updates rather than constant streams—and evading forensic tools. It can also self-destruct or go dormant if tampering is detected. As of 2025, its capabilities evolve rapidly; recent variants incorporate AI-driven anomaly detection to blend into normal device behaviour.
Infection Vectors: From Phishing to Zero-Click Exploits
Early versions of Pegasus (pre-2016) relied on "phishing" attacks, where targets clicked malicious links in SMS or emails, downloading the payload. This required user interaction, limiting scalability.
By 2016, NSO shifted to "zero-click" exploits—attacks that install the spyware without any user action. These leverage unpatched vulnerabilities in widely used apps and protocols:
- iMessage and iOS Exploits: Since 2019, Pegasus has targeted iMessage flaws, such as the FORCEDENTRY exploit (CVE-2021-30860), allowing infection via invisible messages. As of September 2023, it could compromise iOS up to version 16.6. Apple patched this in iOS 14.8 (2021) and subsequent updates, but new variants emerge.
- WhatsApp Vulnerabilities: In 2019, Pegasus exploited a zero-day in WhatsApp's voice-calling feature (CVE-2019-3568), infecting devices via missed calls. This affected over 1,400 users globally.
- Android Targets: On Android, it abuses network-based attacks and app permissions, often via Google Play services or SMS over IP.
- Network Injection: Advanced deployments use "man-in-the-middle" techniques on cellular networks to push malware during data sessions.
These methods make Pegasus "in the wild" for years before detection; code traces date back to iOS 7 (2013). In 2025, infection rates remain low for average users but high for high-value targets, with operators adapting to patches like iOS 16.6.1 and 17.x.
Global Deployment and Notable Incidents
Pegasus has been linked to surveillance operations in at least 45 countries, often without judicial oversight. High-profile cases include:
- Project Pegasus (2021): An Amnesty International and Forbidden Stories investigation revealed a list of 50,000 phone numbers potentially targeted, including French President Emmanuel Macron, Mexican journalists, and Saudi dissident Jamal Khashoggi's associates. Forensic analysis confirmed infections on 67 devices.
- India (2019–2023): Over 100 targets, including opposition leaders, journalists, and activists. The Supreme Court ordered a probe in 2021, but it stalled due to government non-cooperation.
- Mexico and Bahrain: Used against anti-corruption campaigners and human rights defenders.
- Poland (2021–2025): Targeted opposition politicians; in January 2025, former Justice Minister Zbigniew Ziobro was arrested for alleged misuse.
- Recent 2025 Incidents: In February, two BIRN journalists in Serbia were targeted via Viber phishing. April reports confirmed nearly 600 victims under Poland's prior government. In October, iVerify noted Pegasus traces in business executives' devices amid iOS 26 rollouts.
These incidents highlight a pattern: While marketed for counter-terrorism, Pegasus is frequently weaponised for political suppression.
Legal and Regulatory Responses
Pegasus's controversies have triggered international backlash:
- U.S. Actions: In 2021, the Biden administration blacklisted NSO on the Commerce Department's Entity List, restricting U.S. tech exports. In May 2025, the Trump administration rebuffed NSO's removal pleas. A landmark WhatsApp lawsuit (filed 2019) culminated in May 2025 with a $167.3 million punitive damages award against NSO for hacking 1,400 accounts across 51 countries, including 456 in Mexico and 100 in India. Apple sued in 2021 but dropped it in 2024 to protect user data.
- European Union: The European Parliament formed a Pegasus Committee in 2022 to probe misuse; it continues into 2025, focusing on cross-border targeting.
- International Pledges: In 2024, the U.S.-led Political Declaration on Responsible Military Use of Military and Intelligence Capabilities aimed to curb spyware exports. The Trump administration endorsed a 2025 code of conduct for ethical deployment.
- Meta's Victory: In May 2025, Meta won $444,719 in compensatory damages, reinforcing corporate pushback.
Despite these, enforcement remains challenging due to NSO's secrecy and state immunity claims.
Current Status in 2025: Ongoing Threats and Evolutions
As of December 2025, Pegasus is far from obsolete. NSO continues development, with reports of active campaigns in the EU (e.g., Latvia, Lithuania targeting exiled activists) and Jordan (35 civil society figures in 2024). A July 2025 Safety Detectives analysis confirmed its persistence, noting NSO's secret client list and new tools. iOS 26's October 2025 update inadvertently erases shutdown.log evidence of infections, complicating forensics.
Antivirus tools struggle against Pegasus due to its rootkit-like evasion, though tools like Amnesty's MVT (Mobile Verification Toolkit) can scan for indicators. NSO's financial hit from blacklisting has not halted operations; executives lobbied U.S. Republicans in May 2025 for relief.
Detection and Mitigation Strategies
Detecting Pegasus requires vigilance, as it leaves few traces:
- Indicators of Compromise (IOCs): Unusual battery drain, data usage spikes, or Apple "state-sponsored attack" alerts. Forensic tools like MVT analyse iOS backups for Pegasus domains (e.g., blastpass.com).
- Prevention:
  - Update devices promptly: Patches like iOS 16.6.1 (2023) and 17.x block known exploits.
  - Avoid suspicious links; use encrypted apps with end-to-end verification.
  - Employ VPNs and secure DNS to thwart network injections.
  - Factory reset as a last resort, but avoid restoring untrusted backups.
- Removal: Professional forensics or MVT scans; for Android, revoke Device Admin privileges.
For high-risk users (e.g., journalists), tools like iVerify's apps monitor for threats in real-time.
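The domain-indicator check described above can be sketched as follows. This is an added example, not MVT's code and not from the original article: it matches hostnames taken from device records (for instance, browsing-history URLs pulled from a backup) against an indicator list, counting subdomains as hits while rejecting lookalike suffixes. All domains and records are constructed placeholders on reserved TLDs.

```python
from urllib.parse import urlsplit


def normalise_host(value):
    """Extract a lower-case hostname from a URL or bare host, no trailing dot."""
    value = value.strip()
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    return host.rstrip(".").lower()


def load_indicators(lines):
    """Parse an indicator list: one domain per line, '#' starts a comment."""
    indicators = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            indicators.add(normalise_host(line))
    return indicators


def match_indicator(host, indicators):
    """Return the indicator that equals host or is a parent domain of it."""
    labels = host.split(".")
    # Compare on whole labels so 'notbad.example' never matches 'bad.example'.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan(records, indicators):
    """Return (record, matched_indicator) for every record that hits."""
    hits = []
    for record in records:
        matched = match_indicator(normalise_host(record), indicators)
        if matched:
            hits.append((record, matched))
    return hits


# Constructed indicator list and device records (placeholders only).
INDICATORS = load_indicators([
    "# constructed sample indicators",
    "tracker-placeholder.example",
    "Relay-Placeholder.TEST   # mixed case on purpose",
])
RECORDS = [
    "https://news.example.org/story",
    "https://cdn.tracker-placeholder.example/a.js",
    "https://TRACKER-PLACEHOLDER.example./",
    "https://nottracker-placeholder.example/",
    "https://tracker-placeholder.example.cdn.test/",
    "relay-placeholder.test:8443",
]

if __name__ == "__main__":
    for record, indicator in scan(RECORDS, INDICATORS):
        print(f"HIT {record} -> {indicator}")
```

Matching on whole labels keeps a lookalike domain that merely ends in, or begins with, an indicator string from producing a false positive.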
Broader Implications for Privacy and Democracy
Pegasus exemplifies the "mercenary spyware" market's dangers, where private firms arm authoritarian regimes. It erodes trust in digital communications, creating a "chilling effect" on free speech—targets self-censor fearing exposure. In democracies, it blurs lines between security and suppression, as seen in India's stalled probes or Poland's political scandals.
Ethically, it raises questions about export controls: Should tools for "good" be sold without end-use safeguards? Economically, blacklisting has crippled NSO, but proliferation to rivals like Intellexa's Predator persists. Globally, it fuels calls for treaties banning offensive spyware sales.
Navigating the Spyware Shadow
Pegasus remains a stark reminder of technology's dual edges—empowering security while threatening freedoms. In 2025, with legal wins like Meta's $167 million judgment and ongoing patches, the tide may be turning against unchecked surveillance. Yet, as NSO evolves and state actors adapt, users must prioritise updates, awareness, and advocacy for robust privacy laws. Only through collective vigilance can the winged horse be grounded, ensuring digital spaces remain sanctuaries rather than panopticons. For those in high-risk professions, consulting cybersecurity experts is advisable; for all, fostering informed discourse is the first line of defence.


