Online messaging apps must be linked to an active SIM card at all times for access to their services, following a government directive. The aim is to curb digital frauds, but for millions of subscribers who use these apps for free and easy communication, it will lead to much inconvenience, explains Banasree Purkayastha.
What does the order say?
The government has ordered online messaging platforms to bar users from accessing their services without the SIM card used to register for the application. A Department of Telecommunications (DoT) directive has asked messaging apps such as WhatsApp, Telegram, Signal, Arattai, Snapchat, Sharechat, Jiochat, and Josh to ensure that, within 90 days, their services are “continuously” linked to the SIM card used to register with them and to disallow access if the SIM is not present in the device.
The government says the move is aimed at curbing cyber frauds by making chats on these apps traceable to the SIM being used for it. “…it has come to the notice of central government that some of the app based communication services that are utilising mobile number for identification of its customers… allow users to consume their services without availability of the underlying SIM within the device… posing challenge to telecom cyber security as it is being misused from outside the country to commit cyber-frauds,” the DoT said in its notice to these online messaging platforms. A compliance report has to be submitted to DoT in four months.
How will messaging apps now work?
Messaging apps will now have to continuously verify that the SIM used to register the account is active in the device from which the service is being accessed. If the SIM is removed or deactivated, the app will stop working. In technical parlance, this is called SIM binding — a security feature that ensures that authentication processes are tied not just to the device but specifically to the unique identity of the SIM card, reducing the risk of unauthorised access. Combined with built-in biometrics like fingerprint or face recognition, it adds a strong second layer of protection beyond just passwords or SMS OTPs.
Currently, apps only verify the subscriber’s mobile number using a one-time password (OTP). The new rules will require apps to check the International Mobile Subscriber Identity (IMSI) stored on the SIM card. IMSI is a unique number that identifies each mobile subscriber globally.
How will this impact users?
The biggest impact will be on those using the web versions of an app. For instance, in the case of WhatsApp Web, the service will log out automatically every six hours, and users will have to re-authenticate via QR code. WhatsApp or other messaging apps would also not be accessible on tablets without a SIM. It is also expected to pose problems for those who frequently change their devices or rely on multi-device logins. With the messaging account number now locked to the SIM, a subscriber moving out of India will have to retain the local mobile number to continue accessing old messages or contacts. Users have also expressed doubts about whether they will be able to use these apps on an international SIM when travelling abroad. Businesses also increasingly use WhatsApp to connect with customers, at times sending invoices or OTPs over it. Where automation and API-based access are the basis of such business accounts, the mandate could impact usage.
Why is SIM binding needed?
App-based communication services link to a subscriber’s mobile SIM card only during initial installation and verification. Thereafter, they continue to function even if the SIM is removed, replaced or deactivated, creating scope for fraud. According to the government, cybercriminals outside India log into apps using accounts linked to old or inactive SIMs. Since the SIM is not present in the phone, there is no record of where the phone actually is. This makes it hard to track criminals. Indians have lost over Rs 22,800 crore to cyber frauds in the last fiscal.
However, doubts have been raised about how effective these directives would be, since fraudsters use illegally procured SIM cards. Once the job is done, the SIM is discarded. India’s telecom verification system already uses AI and video KYC, yet cyber frauds are increasing. So the solution may lie in device binding, which is also technically feasible. Countries with mandatory SIM binding include China, Russia, Iran, UAE and Qatar.
Industry reactions
The Cellular Operators Association of India (COAI), which represents all three private telecom companies (Airtel, Reliance Jio and Vodafone Idea), has said this mechanism will significantly reduce spam and fraudulent communications perpetrated through these platforms and help mitigate financial frauds.
It further urged the DoT to engage with the Reserve Bank of India to ensure that for all financial transactions, the primary factor of authentication should mandatorily be through short messaging services (SMS) OTP, which continues to remain the most secure, operator-verified channel with guaranteed traceability. Mobile service operators have seen a massive fall in the use of SMS by subscribers who prefer to use the free OTT messaging apps.
Meanwhile, Broadband India Forum has said the directive raises significant questions of jurisdiction, proportionality, and consumer impact, and risks creating obligations that go beyond the mandate of the Telecom Act or the purpose of the Telecom Cyber Security Rules.
