India over the last few days has been pushing tech companies like Apple and Google to install a state developed app that is meant to be enhancing security onto phones in the country and make sure that the app could not be removed. After pushback from pretty much everyone, India yesterday backed away from that effort.
If you want to go down the rabbit hole on this, here’s a story on this along with India’s “spin” on why they backed away from doing this.
Ted Miracco, CEO, Approov had this to say:
“With most of us living and working on our mobile devices, the challenge is not just balancing security and privacy, but also balancing control of the private information between the tech giants as “gatekeepers” and government regulators, who often lack the expertise or execution to keep up with the pace of technological changes.
“True security cannot reside in the operating system alone because the OS can be compromised. It must be anchored in silicon, and the tech giants do facilitate security via the Secure Enclave (Apple), the Titan M2 chip (Google) and Knox Vault (from Samsung). These are separate microcomputers inside your phone with their own processor and memory that store your biometric data and encryption keys. We must ensure apps use these hardware APIs to generate keys that never leave the secure chip, and this data cannot be shared with governments, which was the overreach by the Indian government with the Sanchar Saathi app that has unfettered access to device level APIs.
“To roll back Big Tech without empowering “Big Brother,” we must decouple service from surveillance using both laws and source code. The legal lever involves enforcing an “Information Fiduciary” standard, which legally obligates tech companies to act in your best interest by banning them from exploiting your data for profit and effectively neutralizing their exploitative business models. The technical lever involves Self-Sovereign Identity (SSI) and Zero-Knowledge Proofs (ZKP), which ensure that while these fiduciaries can verify you are a citizen or over 18, they technically never possess your raw identity data; this means that when a government issues a subpoena or demands mass surveillance, the tech giants have no central database to hand over because the keys remain exclusively on your mobile device in the secure silicon enclave.
“While the EU’s GDPR focuses on protecting data, the DGA (passed in 2022) focuses on restructuring who holds it – creating a regulated class of “Data Intermediaries”, as neutral third parties that legally cannot use your data for their own profit like selling ads. Instead of you fighting Facebook alone, you join a “Data Cooperative” or “Data Union” where the union holds your data in a vault and if a company wants to target you with ads, they must negotiate with your union, which can demand a fee or strict privacy guarantees. Hence, the mobile app never “owns” the data, but they can license access to it temporarily.”
George McGregor, VP, Approov follows up with this:
“Government initiatives to reduce mobile-enabled crime through citizen-facing apps are laudable — public safety is a critical goal. But making such apps mandatory sets a troubling precedent. Which apps are installed on an individual device must always be a personal choice.
“Security isn’t based in who publishes an app, but from how that app proves its integrity and behavior. Government apps need to be held to the same standard of provable security and transparency as any other apps. Without strong safeguards like runtime attestation and Zero Trust principles, mandatory apps risk becoming new vectors for abuse, surveillance, or exploitation — even if well-intentioned.”
Michael Bell, CEO, Suzu Labs had this to say:
“The problem with India’s approach wasn’t the goal of improving mobile security, it was the implementation: closed-source code, root-level access, no independent audit, and no user control. If the goal is mandatory security that doesn’t become surveillance, the framework needs to be transparent (open-source, publicly auditable), minimal (only the permissions absolutely necessary), and accountable (independent oversight, clear data access logs). The EU’s approach with GDPR and the upcoming Cyber Resilience Act comes closest to getting this right: they mandate security outcomes and transparency requirements on vendors rather than installing government software on every device, which keeps the trust relationship between users and their hardware intact.
“The honest answer is that perfect security and perfect privacy are fundamentally in tension, and any system that claims otherwise is lying. What we can do is shift the burden: instead of governments monitoring citizens, require device manufacturers and app developers to meet security baselines, mandate transparency about data collection, and give users genuine control. The US hasn’t gotten this right at scale, though California’s CCPA and some state-level IoT security laws are moving in the right direction by regulating the ecosystem rather than surveilling the endpoint.”
This rollback is a good thing as I really had some reservations about what the Indian government was doing. Hopefully a more thoughtful approach to this app is done so that it can be rolled out with a fair amount of confidence that there are not any side effects.
Related
This entry was posted on December 4, 2025 at 10:56 am and is filed under Commentary with tags India. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
India Backs Down From Forcing A “Cybersecurity” Apps Onto Phones After Backlash
India over the last few days has been pushing tech companies like Apple and Google to install a state developed app that is meant to be enhancing security onto phones in the country and make sure that the app could not be removed. After pushback from pretty much everyone, India yesterday backed away from that effort.
If you want to go down the rabbit hole on this, here’s a story on this along with India’s “spin” on why they backed away from doing this.
Ted Miracco, CEO, Approov had this to say:
“With most of us living and working on our mobile devices, the challenge is not just balancing security and privacy, but also balancing control of the private information between the tech giants as “gatekeepers” and government regulators, who often lack the expertise or execution to keep up with the pace of technological changes.
“True security cannot reside in the operating system alone because the OS can be compromised. It must be anchored in silicon, and the tech giants do facilitate security via the Secure Enclave (Apple), the Titan M2 chip (Google) and Knox Vault (from Samsung). These are separate microcomputers inside your phone with their own processor and memory that store your biometric data and encryption keys. We must ensure apps use these hardware APIs to generate keys that never leave the secure chip, and this data cannot be shared with governments, which was the overreach by the Indian government with the Sanchar Saathi app that has unfettered access to device level APIs.
“To roll back Big Tech without empowering “Big Brother,” we must decouple service from surveillance using both laws and source code. The legal lever involves enforcing an “Information Fiduciary” standard, which legally obligates tech companies to act in your best interest by banning them from exploiting your data for profit and effectively neutralizing their exploitative business models. The technical lever involves Self-Sovereign Identity (SSI) and Zero-Knowledge Proofs (ZKP), which ensure that while these fiduciaries can verify you are a citizen or over 18, they technically never possess your raw identity data; this means that when a government issues a subpoena or demands mass surveillance, the tech giants have no central database to hand over because the keys remain exclusively on your mobile device in the secure silicon enclave.
“While the EU’s GDPR focuses on protecting data, the DGA (passed in 2022) focuses on restructuring who holds it – creating a regulated class of “Data Intermediaries”, as neutral third parties that legally cannot use your data for their own profit like selling ads. Instead of you fighting Facebook alone, you join a “Data Cooperative” or “Data Union” where the union holds your data in a vault and if a company wants to target you with ads, they must negotiate with your union, which can demand a fee or strict privacy guarantees. Hence, the mobile app never “owns” the data, but they can license access to it temporarily.”
George McGregor, VP, Approov follows up with this:
“Government initiatives to reduce mobile-enabled crime through citizen-facing apps are laudable — public safety is a critical goal. But making such apps mandatory sets a troubling precedent. Which apps are installed on an individual device must always be a personal choice.
“Security isn’t based in who publishes an app, but from how that app proves its integrity and behavior. Government apps need to be held to the same standard of provable security and transparency as any other apps. Without strong safeguards like runtime attestation and Zero Trust principles, mandatory apps risk becoming new vectors for abuse, surveillance, or exploitation — even if well-intentioned.”
Michael Bell, CEO, Suzu Labs had this to say:
“The problem with India’s approach wasn’t the goal of improving mobile security, it was the implementation: closed-source code, root-level access, no independent audit, and no user control. If the goal is mandatory security that doesn’t become surveillance, the framework needs to be transparent (open-source, publicly auditable), minimal (only the permissions absolutely necessary), and accountable (independent oversight, clear data access logs). The EU’s approach with GDPR and the upcoming Cyber Resilience Act comes closest to getting this right: they mandate security outcomes and transparency requirements on vendors rather than installing government software on every device, which keeps the trust relationship between users and their hardware intact.
“The honest answer is that perfect security and perfect privacy are fundamentally in tension, and any system that claims otherwise is lying. What we can do is shift the burden: instead of governments monitoring citizens, require device manufacturers and app developers to meet security baselines, mandate transparency about data collection, and give users genuine control. The US hasn’t gotten this right at scale, though California’s CCPA and some state-level IoT security laws are moving in the right direction by regulating the ecosystem rather than surveilling the endpoint.”
This rollback is a good thing as I really had some reservations about what the Indian government was doing. Hopefully a more thoughtful approach to this app is done so that it can be rolled out with a fair amount of confidence that there are not any side effects.
Share this:
Like this:
Related
This entry was posted on December 4, 2025 at 10:56 am and is filed under Commentary with tags India. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.