The Department of Telecommunications (DoT) has directed messaging apps like WhatsApp, Telegram, and Signal to ensure their services cannot run unless an active SIM is installed in the user’s device and linked to their account.
The government insists this “SIM binding” requirement will close loopholes exploited by cyber scam networks that rely on disposable numbers, virtual lines and multi-device logins to stay untraceable.
But the directive has split the ecosystem. The Cellular Operators Association of India (COAI), the telecom industry’s main body, has welcomed it as a long overdue step toward traceability. Platforms represented by the Broadband India Forum (BIF), however, say this pushes internet apps into telecom-style regulation without legal grounding.
BIF’s core worry is jurisdictional drift: the forum argues that DoT is reaching beyond its mandate and treating OTT messaging apps like telecom operators—a shift that, in its view, requires explicit legislation and wider consultation.
The order comes around the same time as the Sanchar Saathi controversy, in which DoT briefly directed handset makers to pre-install a government cyber-safety app and then withdrew the mandate after tech firms and privacy groups warned the move risked enabling broad surveillance.
This backtracking showed how surveillance and overreach issues can force a rethink, and privacy advocates argue the SIM-binding directive deserves similar attention.
How will SIM binding work?
SIM binding would tie a messaging app to the specific SIM card inside a user’s phone. Each SIM has unique identifiers (like IMSI and ICCID), and an app is expected to check these every time it runs. If the SIM is swapped, removed, cloned or duplicated, the app is supposed to shut down.
This mandate sits under the Telecommunication Cybersecurity Amendment Rules, 2025, which introduce a new regulated category—Telecommunication Identifier User Entities (TIUEs)—and require them to verify users through the government’s Mobile Number Validation system. WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, and JioChat have now been formally classified as TIUEs.
The directive which came in late-November gives these platforms 90 days to keep user accounts continuously linked to their SIMs. For web users, TIUEs must log them out every six hours and enable QR-code relinking.
All OTT communication services, like WhatsApp and Telegram, have 120 days to file compliance reports. The DoT has warned that failure to comply could trigger action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, and other applicable laws.
How feasible is this?
According to critics, the idea might sound straightforward but the technology to enforce “true” SIM binding on OTT apps simply doesn’t exist.
Cybersecurity consultant Venkata Guttula explained that Android and iOS deliberately block apps from accessing SIM identifiers for privacy reasons. He described the operating system as a “strict landlord”: each app lives inside a locked room, or sandbox, and cannot peek at sensitive system information.
Since apps cannot read identifiers like the IMSI, he said, they “cannot cryptographically confirm whether the original SIM you registered with is still in the phone.”
With OS-level access off-limits, apps would be pushed into weaker workarounds. Tech lawyer Salman Waris said platforms typically fall back on repeated OTP checks, tying accounts to device IDs, monitoring IP or behaviour changes, or quietly verifying SIM activity through telecom networks. These layers, he said, “make fraud harder, but they still don’t deliver what the government imagines with true SIM binding.”
And beyond feasibility, strict SIM checks could disrupt everyday use. Travellers who insert a local SIM abroad could be locked out because their original SIM isn’t inside the phone and they wouldn’t receive OTPs to get back in. India’s dual-SIM users could face similar issues: switching data from SIM 1 to SIM 2 might trigger false alarms, leading to unnecessary lockouts.
Is SIM binding enough to curb scams?
Experts told BOOM that SIM binding might fix a sliver of the problem but not the scams actually driving India’s cybercrime epidemic.
Waris said SIM binding can reduce fraud involving Indian numbers, like SIM-swap attacks or fake local registrations. But that’s where the benefit ends. “Most large-scale scams now use international numbers, VoIP routes or foreign SIMs,” he said. “SIM binding cannot restrict those.”
He also pointed out that many scams use phones that are rooted, jailbroken, or run in virtual environments, which makes it hard for apps to track or verify them.
Guttula pointed out another blind spot: mule accounts. These are accounts registered by real people using valid KYC documents and legitimate SIMs, then handed over to bad actors. “From the system’s point of view everything looks clean—the SIM is verified, the documents are real— but a criminal is operating the account,” he said. “SIM binding does nothing to stop this.”
‘It will destroy anonymity’
Beyond the technical and practical hurdles lies a deeper concern: what this does to private communication in India.
Guttula warned that mandatory SIM binding could “fundamentally change the nature of the internet” by erasing the separation between private messaging accounts and government-verified identity.
OTT apps currently allow users to communicate without exposing legal identity. But SIM binding ties every account to a SIM that is itself tied to KYC documents.
This creates a direct, traceable link between a user’s messages and their real-world ID. “Every message becomes metadata-linked to your official identity,” Guttula said. “Whistleblowers, journalists, activists—anyone who relies on anonymity—loses the ability to communicate safely. It risks turning private messaging into a surveillance grid.”
If the Sanchar Saathi mandate triggered concerns over state access and device-level control, the SIM-binding directive raises the same red flags—highlighting how far regulators can reach into internet services and the privacy risks of permanently linking a user’s messages to a government-verified SIM.
