India: The Indian government passed directions on Friday requiring services like WhatsApp to only work if users have the SIM card used to sign up for the service in their device, and to log out web-based chat sessions every six hours.
The order, sent directly to messaging platforms like WhatsApp, Telegram, and Signal, represents a major enlargement of the Department of Telecommunications (DoT)’s exercised jurisdiction, building on groundwork laid by a set of contentious cybersecurity guidelines notified this year.
Government officials have expressed frustration over their inability to track cyberfraudsters who use apps like WhatsApp, which currently only require users to validate their mobile number once, before being able to use the service on a range of devices. “SIM binding,”‘ as the directions put it, would force WhatsApp and other messaging platforms to stop working if the SIM is taken out, and presumably aid in the traceability of cyberfrauds operating on WhatsApp – by, in return, adding possible friction to other users.
The DoT said in its order that SIMs used outside the phone where WhatsApp has been registered were “being misused from outside the country to commit cyberfrauds”. The order is in effect from February 2026. The DoT and WhatsApp did not have an immediate response to a query by The Hindu sent outside normal working hours. An industry source called the instructions “problematic” and that no feasibility study or consultation was held before these directions were issued, and that it was unclear if these measures would resist circumvention by fraudsters.
The Internet and Mobile Association of India, which represents Meta and other digital firms, said in a filing to the DoT this year that the amended rules not only represented a “clear overreach of the delegated legislative power under the [2023] Act, but will also have broad implications for digital businesses across fintech, e-commerce, mobility, social media, and essentially any service that relies on telecom identifiers”.
