Strengthen your Chhattisgarh mains preparation with our Chhattisgarh Mains Judgment writing Master Course starting from 12th November 2025.
         









Home / Editorial

Civil Law

DoT's WhatsApp SIM-Binding Mandate: Security vs. Convenience

    «
 03-Dec-2025

    Tags:
  • The Information Technology Act, 2000 (IT Act)

Source: The Indian Express 

Introduction 

On November 28, 2025, the Department of Telecommunications (DoT) issued directions under the Telecom Cyber Security Rules, 2024, mandating "SIM binding" for major messaging platforms including WhatsApp, Telegram, Signal, and others. The directive requires these apps to maintain continuous linkage with active SIM cards, effectively ending the current practice where apps function independently after initial registration. 

  • This measure, aimed at combating cyber fraud that cost India over Rs.22,800 crore in 2024, has created a sharp divide between telecom operators supporting the directive and technology firms warning of regulatory overreach and significant disruption to legitimate users. 

What is SIM Binding? 

Technical Requirements: 

  • The directive mandates continuous verification that messaging apps remain linked to active SIM cards using the International Mobile Subscriber Identity (IMSI) number. 
  • Apps must verify SIM presence persistently, not just during initial OTP-based registration. 
  • Web or desktop versions must automatically log out users every six hours, requiring re-authentication via QR code scanning with the mobile device. 

Implementation Timeline: 

  • Complete implementation within 90 days (by February 26, 2026). 
  • Submit compliance reports within 120 days (by March 28, 2026). 

Affected Platforms: 

  • WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, JioChat, and Josh are specifically covered under the directive. 

Why Does the Government Want SIM Binding? 

Security Vulnerabilities Addressed: 

  • Remote Account Misuse: Currently, messaging accounts continue functioning even after associated SIMs are removed, deactivated, or moved abroad. This enables criminals to conduct "digital arrest" frauds and impersonation scams using Indian numbers from foreign locations. 
  • Long-lived Web Sessions: Web sessions authenticated once in India can operate indefinitely from abroad without fresh verification, allowing criminals to control victims' accounts remotely. 
  • Traceability Gap: Without continuous SIM linkage, law enforcement struggles to trace fraudulent accounts back to KYC-verified identities. 

Expected Benefits: 

  • Anchor every active account to a live, KYC-verified SIM, restoring traceability. 
  • Force criminals to repeatedly prove device/SIM control, increasing detection risk. 
  • Shut down long web sessions used for remote-access misuse. 
  • Prevent account takeover and mule-account operations. 
  • Align communication apps with security practices already mandatory in banking and UPI systems. 

What are the Legal Frameworks that are Referred to? 

Telecommunications Act, 2023: 

  • Received Presidential Assent on December 24, 2023. 
  • Section 22(1) empowers the Central Government to prescribe measures for protecting telecom cyber security. 

Telecom Cyber Security Rules, 2024: 

  • Notified on November 21, 2024, under Section 22(1) read with Section 56(2)(v) of the Telecommunications Act, 2023. 
  • Rule 4 obliges telecommunication entities to adopt cyber security policies, identify risks, address security incidents, and implement government directions. 
  • Rule 3 grants data collection powers to the Central Government for protecting cyber security, with sharing permitted to law enforcement agencies. 
  • Rule 5 requires reporting of security incidents within 6 hours. 
  • Rule 6 allows suspension or termination of telecommunication identifiers posing cyber security threats. 
  • Penalties for non-compliance: First offense up to ₹25,000; subsequent offenses up to Rs.50,000 per day. 

What are the Jurisdictional Concerns related to it? 

  • OTT platforms fall under the Information Technology Act, 2000, within IT Ministry's jurisdiction. 
  • Telecommunications Act lacks legislative basis to regulate OTT communication platforms. 
  • Measure requires legislative sanction and must respect jurisdictional boundaries. 

What will be the consumer impact of this development? 

  • Travelers and NRIs: Accounts become inaccessible when local SIM cards are inserted abroad while relying on Wi-Fi for Indian numbers. 
  • Multi-device Users: Families separating primary SIM from messaging numbers of face disruptions. 
  • Professional Users: Forced re-authentication every six hours disrupts 8–10-hour workdays. 
  • Vulnerable Users: Elderly or low-literacy users struggle with repeated re-authentication. 
  • Wi-Fi Only Devices: Tablets and secondary phones lose messaging access entirely. 

What are the Privacy Concerns? 

  • Allows government to collect "traffic data" and "any other data" without clear definitions, potentially including message contents. 
  • No limitation on data retention duration, allowing indefinite storage. 
  • Data sharing permitted with any Union government agency engaged in law enforcement, raising misuse concerns. 
  • Review mechanisms lack independent oversight from judiciary or civil society, consisting solely of executive members. 

What is the Global Context? 

  • India is believed to be the first country mandating continuous SIM linkage for global messaging apps. 
  • Some countries like Russia require linking state messaging accounts to phone numbers, but none demand persistent verification tied to physical SIM cards. 
  • Measure could significantly complicate overseas use for business travelers, students abroad, NRIs, and international remote workers. 

Conclusion 

The DoT's SIM binding directive represents a critical juncture in India's approach to cybersecurity regulation. The government's rationale—anchoring digital identities to KYC-verified SIMs to combat Rs.22,800 crore annual cyber fraud losses—is compelling in principle. 

However, legitimate concerns about regulatory jurisdiction, absence of public consultation, tight implementation timelines, and selective platform application reveal potential gaps in the policy-making process.  

As India positions itself as a global digital leader, this directive will test how the world's most populous democracy navigates cybersecurity regulation. Success depends not just on technical implementation, but on achieving security objectives while preserving the openness and accessibility that have made digital communication indispensable to modern Indian life.