Cybersecurity expert Amit Dubey decodes the Sanchar Saathi app controversy amid government mandates for pre-installation on all smartphones. Designed to track lost devices via CEIR, block stolen IMEI numbers, and report fraud calls and scams, the app has recovered lakhs of phones, but critics raise alarms over privacy risks from permissions such as access to call logs.
Transcript
00:00Today I have with me Amit Dubey. He's one of India's most trusted cyber security experts.
00:17First of all, thank you so much for joining in and having a discussion on this entire political
00:23chaos around Sanchar Saathi application which is a completely government built application.
00:30I really want to begin with a very simple question. The government release regarding this app says that
00:37all of the companies they need to ensure that this application is pre-loaded in the devices
00:45and it says that they need to ensure that the pre-installed Sanchar Saathi application is
00:50readily visible and that its functionalities are not disabled or restricted. So my simple question
00:55to you is that for example I get a new brand new phone. If I switch on that phone will that
01:01application be activated at that time according to this press release that we have in front of us?
01:08No, it will not be activated. It will be pre-installed but not activated. You will have to activate it.
01:15For example, there are phones, they give you pre-installed Facebook, they give you pre-installed
01:20some UPI apps because they are bundled with their some commercial understandings. They are pre-loaded
01:26with some OTT platforms but that doesn't mean that you can use them unless until you create an account,
01:32you log in, you configure, you pay, then only you can use it. So even if it is installed, it's not doing
01:38anything. It is there in your phone. You have to configure it. You have to log in. Then only you can use Sanchar Saathi.
01:45Okay, so if this application is pre-loaded, pre-installed until and unless a user activates
01:51this application, there will be no harm. Is that what you are saying?
01:56There will not be any harm even after you complete it. So I think there is a big communication.
02:00We will come to that later on but for now I want to break this.
02:03But I really want to avoid that word harm. In either situation, there is no harm. So they should be very,
02:09very clear about it. Okay. Before configuration, it's not doing anything. And even after configuration,
02:16it's not doing anything for you because you have to do it. It is not something which is automatically
02:22doing anything. It is an app which requires an action every time you want to use it.
02:27No, but for example, if I install this application, it will definitely ask me to check mark all of these
02:33pointers. Like I need to give access to all of these XYZ pointers. For example, access to my calls,
02:40messages, notifications, even my camera. All of this needs to be encrypted, needs to be protected,
02:47and comes under the right to privacy. But if I give access to all of this,
02:51how can you then say that with this configuration, you will not be harmed?
02:57So that's the communication gap. Giving access of some functionality to an app doesn't mean that the
03:02app is collecting this data. For example, if you would like to know that this particular app is
03:08collecting what kind of data from my device, you just go to Play Store, search that app. For example,
03:13Facebook, Instagram, Twitter, Discord, WhatsApp, Zaini or Sanchar Saathi. Search that on Play Store.
03:20You will have that icon. Click on that icon. Then scroll down and you will have an option called
03:24Data Safety. Click on that Data Safety button and there is an option called See Details. Click on that
03:30button and then Google because you are downloading it from Play Store or App Store. They will be telling
03:36you each and every thing. They'll be telling you that this app collects these many data points from
03:41your phone. If you do the same exercise with Sanchar Saathi, it clearly says that this app does not collect
03:48anything, anything, anything. That makes it very clear. So it's not collecting anything. Now you can ask me
03:55that then why it is taking these permissions? And where is it stored then? If the access is there,
04:00so is it only that the access is there and this data is not downloaded and stored anywhere?
04:04No, it's not downloaded. It's not stored anywhere. I'm just giving you the answer because I myself have
04:11given you both the first two. First two, so there's no collection of data because no collections or no
04:17storage. Simple. Then why it is taking permissions? Why it is taking camera permission? Why it is taking
04:22SMS permission? Why it is taking call log permission? It's taking that permission because the app has some
04:27features where you would like to report those. For example, you have to report a QR. So you need
04:32camera access to capture the report. If you would like to report a call log because you are getting
04:37continuously calls from someone and there are 20 calls, you can't report one by one. So you can give
04:42this call log access that these calls I would like to report to Sanchar Saathi Chakshu portal so that this
04:46number will be blocked or there should be a legal action against them. Then there is an option called SMS.
04:51Suppose you are getting some unsolicited communication SMS or WhatsApp or E-Pay. So that access is given
04:56only during that time when you are reporting that content. It is not like that they are reading it
05:02all the time. No, they are not collecting it. What you are trying to say is that there is no real-time
05:08accessibility of data but only once you report is then the government can
05:12access the data and then crack down on the crime. There is no real-time, there is no non-real-time,
05:19no offline, no online, no data collection for sure. Unless until you give some data and you give
05:26that data to report that data. You don't give this data, you don't give camera access so that somebody
05:31can watch you. You give this camera access because you would like to scan a QR code. Now if you do the
05:37same exercise with Facebook and then you will be surprised. You have given what all data to Facebook
05:43because in the data collection option in the Play Store you will be scared. You could clearly see that
05:48Facebook knows your political belief. Facebook knows your religious belief. Facebook is collecting
05:54your financial data. Facebook is collecting your health data. They are claiming that and it has been
05:59mentioned by Google itself and Facebook has accepted. Yes, we are collecting all your call details,
06:04your SMS, your OTPs, your emails. We are listening you all the time. Facebook clearly says that we are
06:09capturing all your voices around you. And then we are also copying your call records. We are also copying your
06:15sound records. We are also taking copies of your voice loop. You just scroll, scroll and you will be
06:22scared that oh we have given so much data to Facebook but you have never raised any concern on
06:25Facebook or to Google. More than that for sure. Or to any other app. Now there is an app which is not
06:31collecting anything. It is happening. This is greater. Yeah, I understand what you're saying. Do you think that
06:37there's a greater trust deficit? Because this is not a private entity but this is a government entity that we are
06:44talking about. Let's suppose if this application had been built by a public-private partnership and
06:50there was some private stake in this, then there would have been greater trust in general public
06:56like me or my friends and family around me. They would have, you know, accepted it in a far better
07:01way rather than being a completely government-built application because then there will be trust issues.
07:09You are suggesting government that okay, if you would have done it with some private partnership,
07:13there is no such data privacy concern to the user. No, because we generally, for example, we need
07:18to use some application. We generally don't give so much of heed to what access we are giving to
07:24that application as you yourself also mentioned. Why don't we give that? Because there is a lack
07:31of awareness in general public but here the government involvement. Exactly, because it's not because
07:37that they are private or public doesn't matter. It's because people don't know. People will react to
07:43only those things which will be told to them. Now there are set of parties, there are set of journalists,
07:50they are talking about it. That's why they know it and otherwise they don't know and they have never
07:55checked it. And if you will tell them the clear picture, okay, this is not like that what you are
08:01thinking in your mind that they are listening because there is no data collection. There is no server to
08:06store your data. So that's why I think there's a communication gap. It's not about the public
08:11private or government private doesn't matter. If there will be some partnership with some special
08:17business group would have concern over there. If it is involving some other countries, you will have
08:24concern over there. The concern you can have on anything. It is not like that. The only thing is
08:29that you should have an ability to test it, verify that whether there is really any concern. For example,
08:35people used to ask me that should I use DigiYatra because they capture our face and they know my
08:42travel, it is safe, it is okay. Not because they don't know that DigiYatra does not capture your face.
08:49DigiYatra just captures your facial parameters and then recognizes you based on the hash value,
08:56which is a signature. Now that hash values cannot be rehashed. It is one direction. For example,
09:04you type a password and the password is hashed. Now I can use that hash to match in the database,
09:10whether you have typed the same password. But even if I get the hash value, I can't generate the
09:14password. You get my password. Now that is the way it has been managed so that the BBC is intact,
09:19the security is intact. But they will definitely raise concerns on it. But they will give their face
09:25to Facebook, to any other app, to Goop, to AI, to anybody sharing it freely. They won't have any concern.
09:31The concern is only with the government when they are actually doing it for security. Because it is
09:36for you one. It is not for the government. Why do they need to install DigiYatra to do the service?
09:43They can do it easily. There are n number of ways. So first of all, I would like to make this very clear
09:48to the audience and to the public that government does not need to specifically ask you to install
09:53something. They don't need to do that. They are empowered enough. They can do it without installing
10:00anything. If they want to go. So don't have that illusion. Okay? And this is true with every country.
10:08This is not only with your government. This is with any government, any country. They are powered
10:12because they have to ensure security. And they can even ask the telecom operator or to any service
10:17provider. So don't think that they are listening all the time. Nobody has time. And this country is of 140
10:25people. You can't do that. But we have already seen that Apple has pushed back to this and is saying
10:33that they would want to have a negotiation if there can be something which is not preloaded,
10:39but can nudge the users to install the application. Don't you think it will be better for the citizens,
10:45for the laymen who don't really understand all these technicalities? For example, you just talked
10:49about DigiYatra. I mean, we don't know. Me as a journalist, I didn't know that it actually does
10:56not capture your face, but captures the parameters. So how do you think that Apple is giving a better
11:04option to the government that you do not have this preloaded on your devices, but you can nudge the
11:09users at the time of first time setup that they can choose and install this application?
11:15So let me tell you that this Sanchar Saathi app is not a new app. It's there almost one year. The
11:24portal is there for almost three years. 2222 I think they have launched. In last one year, I think it
11:31has 10 million downloads already. Almost one crore. In last one year, because of this app, we have
11:40recovered more than 24 lakh phones. And the 42 lakh phones were blocked because of this app. Those were
11:47eventually otherwise being used by criminals. And we have already seen the result. The government wanted
11:54to promote it heavily. But whatever awareness we can give, even Prime Minister Modi has mentioned in his
12:01Mann Ki Baat about digital arrest. Last week itself, we got two cases of digital arrest where people have
12:08lost 24 crores. So my point is, and these people are intellectuals. These people read newspaper every
12:13day. They are people who have had high positions in the government or in private sector. The point is,
12:20whatever awareness you do, it won't work in a country like India. We have been doing it since last
12:2520 years. But people are still ignorant for a few basic things. Now we'll have to deduce methods to
12:34enable these tools where we can protect them proactively. So this was one of that initiative,
12:40aggressive initiative, that okay, we'll make part of that everything. And we'll be, we'll make it visible
12:46at the top. It should be clearly visible. It should not be hidden. This is the clear indication. So that if
12:50you have any such, every day you are watching the tech, every day you know that if something
12:55happens, you can report it. And then the crime can be reported in real time. Because cybercrime happens
13:00in online. And if it is happening, if it is not stopped in real time, you can't stop. For example,
13:06if you are getting continuous calls from an international worker, they are bothering you.
13:12And then you go to a police station and then report it. And eventually after two months, it has been,
13:17some action has been taken against it. It won't help you. You need immediate help. And that will happen
13:22through Chakshu portal, Sanchar Saathi. Go, report, block. Similarly, if somebody is sending you nude
13:28pictures or obscene messages on WhatsApp, you want to report it right now and you want action right now.
13:33You don't want this action to be taken after three months. Because by that time, the person will be
13:38confident. This is the mindset of cybercrime. They should be blocked immediately in real time. That's
13:44why this app is given to all the users. That you report immediately and let them be blocked.
13:48They should not have enough SIM cards to use if their numbers will be blocked. How can they
13:54generate SIM cards so fast? But I think the awareness campaign at the part of the government was too
14:00weak because not many of us knew that this was rolled out back in January this year. And now only
14:06when they asked all the companies to preload it on the new devices is then when we know that this is a
14:12big issue. Amit, I also want to talk about the thing that you just pointed out. For example,
14:20if somebody steals my phone and tries to clone an IMEI of another user and try to operate that phone,
14:30that stolen phone, then the original person will be held accountable, will become a criminal, of course,
14:38because we don't have evidence. And this is one thing which government wanted to crack down on.
14:43But my point is that there are a lot of softwares available online which actually helps with this
14:49IMEI spoofing. So don't you think that the government needs to also work on that aspect?
14:55And I just want to talk about can the government be more proactive rather than reactive? I do understand
15:00when the crime is happening, it's necessary to report it. But don't you think that the government also
15:04needs to be proactive so that all of these spoofing softwares which are available online can be undone
15:11with? You know, this power of spoofing any number or a changing IMEI, we find in only 0.001% cases.
15:22Only in those categories. 99 plus percentage of time criminals are using your phone as it is. We know
15:29that. And that's why we were able to block it. Otherwise, if they all were spoofed, how could we
15:34block it? How could we deal with it? How could we retrieve them? Which says something. It says that,
15:38okay, we'll work in that direction. Still, we are doing something for the people. We should not avoid
15:44that efforts. Otherwise, just to focus on those 0.01, we may lose this chunk of misuse. So I think that is
15:55the intention, just to follow. As far as proactive actions are taken, this aggression was just to do
16:01the proactive actions only. See, if the crime happened, then Sanchar Saathi can't do anything.
16:06Sanchar Saathi will only help you proactively. If something is approaching you, calling you,
16:12at that time, you can report the number to be blocked. But if you have already lost money,
16:16then for that Sanchar Saathi is not doing anything. Sanchar Saathi, and why? Because cyber security is a
16:24mutual responsibility. It can't be achieved in isolation. See, if I get a call from some unknown
16:29number and I have been targeted, I know that this is a fraudster's number, but I have not reported it.
16:34Actually, I have enabled that criminal to move somewhere else. I should have reported it. Because
16:40this is also my responsibility. If I see a girl walking on the road alone, and there are people who are
16:47disturbing her, and if I don't report, that is also my responsibility. It's a mutual responsibility.
16:53So in cyber space, we wanted community to bring, they should join hands together, and they should
16:59put this effort so that we can target crimes together. Otherwise, it's not possible. I'll give you a real
17:04example. Suppose I get every day tons of cases, and these victims are so desperate.
17:10The basics are that if I go to get the KYC of that SIM card, it belongs to some farmer or foodie
17:27who does not know there is a SIM card on his name. If I go to trace the KYC of that bank account where you
17:32have transferred your money, it belongs to some vegetable banker in West Macau, who does not know
17:38there is a bank account on his name. If I go to find the owner of the phone, I mean, this is stolen phone.
17:47It's being reported by someone in Delhi. Now, we don't know anything about that crime. Neither the phone
17:53belongs to him, nor a bank account, or the SIM cards. The only thing that we know is his location.
17:58And he will not be there in his location for more than two hours. He will keep changing his location.
18:03Even if I create a pattern, mostly in the border areas, and if we try to never do some hoops and
18:11strokes, if we arrest him, we will not have enough evidence to even prosecute it in the court.
18:17We can't prove that this person is the same person. How do we know it?
18:22Right. It is not practically possible. So, the point is, post-mortem activities won't help.
18:29The only thing that will help you, Sachs. Report, block, report, block. That is the only thing.
18:35Amit, because you also coordinate with law enforcement agencies and help them crack down
18:40all these cyber criminal cases, you must be knowing what is the scenario like in all the other countries.
18:46Because we see that predominantly the countries like Russia, China, we see major cyber crime
18:52activities, hackers from those countries trying to get into systems of other countries. How is this
18:57scenario in other countries? How do they tackle it? Do you think that it's important that only
19:02government, you know, do this basis preloaded applications on new phones? Do you think that
19:08there can be better way? And how do you compare this with what is happening in other countries in terms of
19:13cracking down on cyber criminal cases? So, Hina, first of all, we are mixing two things.
19:21We are actually telling about the expertise of Russian hackers. Russian hackers do not hack Russians.
19:29Yeah. Russian hackers actually target other country. It's critical. They don't target users like you and me.
19:38We are not bothered. We are not. We don't have problem because of the Russian hackers.
19:42Rather than we don't have problems with the Indian hackers also. These are not hackers. They are not tech-savvy guys.
19:48They are not engineers. They are uneducated people from Jaapkara, Mewad, Albargu, Bharatpur,
19:53Urangabad, all these 55 hotspots. They are targeting you and they are using social engineering. They are manipulating you.
20:02So antivirus or security, you don't need it in your phone. You need it in your brain. That is the problem.
20:08Now, whatever expertise Russia has, Israel has, Turkey has, doesn't matter. It is not an arming ban.
20:14Okay. Now we come to the point, how do they tackle cybercrime over there? First of all, let me make it
20:20very clear that every country is struggling. Every country is facing more cybercrime than India.
20:24Let me give you some figures. Australia, they are losing $30 billion every year. India is losing $1 billion or maybe
20:31$10 billion. But Australia is definitely more than that. Then Japan, then UK, then US. UK is losing
20:38$3 million every day. It's the official record. Every day they are losing $3 million to cybercrime
20:44and close to $1.5 billion a year. So let's be very honest that every country is facing this problem
20:50because this cannot be stopped. But the countries that you're mentioning, I'm sorry,
20:56I'm interrupting, but the countries that you're mentioning, they are not building something on
21:00a government level and deploying it on this scale on all the new devices and even the old devices
21:06trying to roll out updates to install this application. These countries, they must be tackling
21:11it in a different way. They are doing it even more monitoring than us. Any country which is,
21:16which you feel secure, more secure than India, they are, they are secure because they do more
21:20monitoring. Otherwise, they can't manage. There are infiltrators, there are criminals. If you purchase
21:25anything in UK or if you create a bank account and you try to cheat someone, they can monitor that
21:33transition within seconds and they can catch you because they are monitoring from your social security
21:38numbers. They are monitoring each and every activity to a single server. Despite of that monitoring,
21:44they are losing $3 million. Because people themselves are paying that money now. Nobody is stealing it.
21:50They are mentally prepared to transfer. They are mentally convinced to transfer. So my point is
21:56monitoring is going to be a lot of regulations. But they can't stop it 100% because if the person
22:03himself has decided to pay to someone, he'll pay. You can't forcibly stop it because he's convinced
22:08either in some lucrative offer or either he's scared or he's having some sort of confusion. But
22:14he is actually doing it willing. That's for sure. So what UK did, UK did a very beautiful thing.
22:22They made a law last year. The law says in October last year. The law says whether it is
22:28mistake of a victim or bank, it doesn't matter. The bank is responsible to pay 100% money and then
22:34fight this to the victim. We don't care who has done the mistake. We don't care. Literally don't care.
22:41Now all the banks in UK, they are in panic mode because they know that people will take advantage of
22:46this law. They themselves will transfer this money to some other account and they'll say fraud.
22:50fraud. They will take advantage of a bank. And this is happening. This is exactly happening in
22:57last month. But the government was adamant. They said that all these kind of frauds can't happen
23:03without the involvement of the bank. So we'll have to make them account. And they brought that law and it
23:08is actually working in the favour of victims now. But despite of that, the crime is happening. The point is
23:13if suppose Indian government takes the same call, do you know the repercussions? Do you know the
23:21retaliations? It is not that easy in India. UK can do it. I think the people here will try to exploit
23:29the system as much as possible. And it can't happen. We all know about this, that these kind of
23:36frauds cannot happen with the support of banks, with the support of telecom operators, with the support of
23:42people who are actually enabling them all these infrastructure, locations, ice hideouts, even
23:47traditional systems. It is true. Why do they get bail so easily? Keep them in jail at least for two months.
23:54And there'll be innocent people who will be in jail for six months, but they'll not get bail.
23:58Which means there is somebody who's enabling this. Because this is a business for them. So we should
24:03understand this, that there are multiple stakeholders now. It is not just a group of people that you can
24:07target and stop it. When there is an industry of 100,000 crores in a year, all kinds of support
24:13systems will start building. Amit, final brief answer I need from you. Two quick questions. First,
24:20what is the best way in this situation? Because a lot of people are definitely concerned about this
24:24application. What is the best way out for the government so that it is also able to enable us to
24:29help ourselves in this kind of cyber criminal cases? But also ensure that there is a trust
24:34which is secured between public and the government. And secondly, I want to know from you, what is it,
24:40what is the basic things that we can do as general common citizens of the country to protect ourselves
24:46from online cyber crime activities? As far as government is concerned, government is trying hard.
24:53I'm sure that this initiative is also because of that. We have been pushed too much that the crime is
24:58increasing. You are not doing anything. They have got thousands and thousands of cyber commandos in
25:05three states. They have got awareness programs running by each and every school, institutions,
25:12government institutions, and that has become mandatory. But whatever cyber awareness program we do,
25:19people are still unaware because unless they are targeted, they become victims. They don't take it seriously.
25:25So this is a human problem. This is a psychological problem. We can't solve it by just putting money
25:30or efforts. Whether it is being said by Amitabh Bachchan or Navarjidin Siddiqui,
25:34who doesn't listen to them. So the point is that. Now government can bring some tools so that they can
25:41regulate these systems at the foundation level. For example, if you are transferring money,
25:45four times, you ask them, they are going to your decision. They are not afraid. They are not afraid.
25:49They are not afraid. They are not afraid. They are going to be retired. They are going to get 4 calls and 25
25:52000 people. So that is on both sides. So they have to delay them. If suppose there is an amount,
25:58we have tried all kinds of suggestions. Honestly speaking, there was a suggestion that you have done
26:03that, take the amount of equipment, and delay them half an hour. And give that window to the
26:08user who is transferring to Sony, so that he can take it back. Suppose we have done it. So there are
26:25some ground-level challenges. And that's why we wanted this community to build. And criminal
26:33has to use a bank account. We should start blocking that in real time. And I think this is the purpose.
26:48If we could convey this clearly that what Sanchar Saathi wants to achieve. If we could do that,
26:54this will be a disruption. Nobody in the world would do this. India would be leading. Only this can be
27:00done. We can actually mobilize crores and crores of people against criminals. We can actually report
27:06and block them. Whether they are harassing girl, whether they are harassing kids, whether they are
27:10cyberbullying, games apps, or anything which is actually enabling criminals to do that crime. We
27:15keep blocking them. And this power we give, we give to the users. I think this was the reason.
27:20Now coming to your second point. What we could do as an individual if suppose we don't use Sanchar Saathi.
27:25We have to believe this, that no crime can take place without your involvement. You would have done
27:33something. Whether it is calm, crores, low, mo, arming card. These are the five human vulnerabilities
27:38which is getting exploited in every kind of crime. Whether it is cybercrime or any other kind of crime.
27:44So it is you. Because we don't teach kids about these human vulnerabilities. They are trapped. We have seen
27:53cases where people were offered jobs and they ended up in Laos and KK Park and being tortured and
28:00they were asked to do this other time. And it's been happening for years. Why? Because they could,
28:08they could not have, they could not use their common sense that if something is too good to be accepted,
28:15they should at least do some verification. I think these kind of things are human traits. We will have to
28:20buy in the beginning, from the beginning to these kids. That is something which is a long term solution.
28:26These are the common sense. I always give a one financial system thumb rule. If everybody will remember that,
28:35I can guarantee that 70% cybercrime cannot happen. I can give you in return. And the basic thumb rule is,
28:44if money is coming in your account, you should not do anything. Money will come automatically.
28:52So you have to put effort only when you have to transfer. Now, if you take any app, I have. Sir,
29:00I got a call from somebody. He said that we are transferring grant to your account. Just click this
29:04link and get your money. Sir, I got a call from someone insurance copy that there's a dividend and
29:08you please receive this money and install this stock and you conveniently get this dividend. Sir,
29:12I got a call that you have money from Lottery Hall. Something was coming to your account. You were actually
29:17allowed to receive that. If the money is coming in your account, you should not do anything. Whether
29:22it is clicking a link, QR code, sharing OTP, anything, you should not do anything. Just focus on that
29:27simple thumb rule. 70% cybercrime can't do that. Right. And the remaining 30% is if there is something
29:34which is offered to you, which looks too good or somebody is scaring you. If you just focus on these
29:39two emotions, wait, verify and then take it off. Sir, there are definitely pros and cons of this
29:45application. But all I can say in conclusion is that there could have been a better rollout
29:51taking into confidence some of the stakeholders, for example, the parliamentarians, because they
29:57point out that this is some kind of an attack on the constitutional right on the citizens of the
30:02country. Thank you so much, Amitji, for speaking with Asianet News and giving your perspective on this.