What Happened
- WhatsApp appears to be developing a SIM-binding feature in response to a Department of Telecommunications (DoT) direction issued on November 28, 2025, requiring messaging apps to bind user accounts to the SIM card used at registration.
- The DoT direction mandates that platforms like WhatsApp, Telegram, Signal, Snapchat, JioChat, and others disable user access if the registered SIM card is removed from the device.
- Additionally, companion access points such as WhatsApp Web must automatically log out users every six hours, forcing re-authentication via QR code scan.
- The direction flows from the Telecommunication Cybersecurity Amendment Rules, 2025, which created a new regulatory category: Telecommunication Identifier User Entity (TIUE) — covering apps that use a telecom identifier (SIM number) to identify users.
- WhatsApp's SIM-binding feature remains "under development" as of February 2026; privacy advocates have raised concerns that modern mobile operating systems limit apps' ability to access SIM-level identifiers.
Static Topic Bridges
Telecommunications Act, 2023 — Regulatory Framework for OTT Messaging
The Telecommunications Act, 2023 (No. 44 of 2023) was passed by the Lok Sabha on December 20, 2023 and by the Rajya Sabha on December 21, 2023, receiving Presidential assent on December 24, 2023. It replaced the Indian Telegraph Act of 1885 — a colonial-era law — and is the primary statute governing telecommunications in India.
The 2023 Act gives the DoT (Department of Telecommunications, under the Ministry of Communications) broad powers to regulate "telecommunication services" and "telecommunication networks," and to prescribe cybersecurity standards. A key grey area was whether OTT (Over-the-Top) messaging services — which use internet connections rather than traditional telephone networks — fall under the Act. The government clarified that the Act does not regulate the OTT industry per se (which remains under MeitY and the IT Act), but messages sent through internet-based messaging services using a SIM number as the identifier are within scope.
- Telecommunications Act, 2023: replaced Indian Telegraph Act, 1885; Wireless Telegraphy Act, 1933; and Telegraph Wires (Unlawful Possession) Act, 1950
- Nodal authority: Department of Telecommunications (DoT), Ministry of Communications
- OTT messaging: not regulated as "telecom service" under the Act, but DoT can issue directions on cybersecurity grounds affecting OTT apps
- Cybersecurity Rules: issued under Section 22 of the Telecommunications Act, 2023 — empower the government to prescribe cybersecurity measures for "telecommunication networks"
- Telecommunication Identifier User Entity (TIUE): new category under Cybersecurity Amendment Rules 2025 — apps that use a SIM/telecom identifier to identify users
- TRAI (Telecom Regulatory Authority of India): recommends telecom regulations; DoT implements; TRAI has separately examined OTT regulation since 2015 but no full regulatory framework yet for OTT services
Connection to this news: The SIM-binding direction flows from DoT's authority under the Telecommunications Act, 2023 and the Cybersecurity Amendment Rules 2025 — using the TIUE category to regulate messaging apps at the intersection of telecom identifiers and internet communications.
SIM Binding — Technical Concept and Cybersecurity Rationale
SIM binding (also called SIM locking or SIM tying) is a security mechanism that links a software application's authentication to the physical SIM card present in the device. When SIM binding is enforced, the app checks at every login (or periodically) whether the SIM card that was present at registration is still in the device. If the SIM is removed, changed, or absent, the app denies access.
The cybersecurity rationale is fraud prevention: SIM swap fraud (where fraudsters convince telecom operators to transfer a victim's phone number to a new SIM, then access banking/financial apps) has been a major vector for financial crime in India. By binding the app to the physical SIM, the security of the app depends not just on passwords or one-time passwords (OTPs) but on possession of the original SIM card.
The six-hour automatic logout for WhatsApp Web is similarly aimed at reducing unauthorised companion device access — a vector for surveillance and data theft.
- SIM swap fraud: fraudster ports victim's phone number to a new SIM by exploiting telecom porting processes; then intercepts OTPs for banking access
- SIM binding countermeasure: app verifies SIM ICCID (Integrated Circuit Card Identifier) or IMSI (International Mobile Subscriber Identity) at access
- Technical challenge: Android and iOS (post-2019) restrict app access to SIM identifiers for privacy reasons — makes SIM binding technically complex to implement
- Affected platforms: WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai, Josh
- WhatsApp Web logout: every 6 hours — requires QR code re-scan from mobile app
- Compliance timeline: 90 days from November 28, 2025 (i.e., by late February 2026)
Connection to this news: WhatsApp's development of a SIM binding feature is a direct compliance response to the DoT direction. The feature — if implemented — would affect hundreds of millions of Indian users, as India is WhatsApp's largest user market globally.
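The access rule described in this section can be modelled as below. This is an added illustration, not WhatsApp's code or anything specified in the DoT direction: the class, method names, return strings and sample ICCIDs are hypothetical, and it assumes the phone app can report a SIM identifier at all, which the OS restrictions noted above make uncertain. It keeps only a keyed hash of the identifier, denies the phone when the SIM is absent or changed, and drops companion sessions six hours after the last QR link.

```python
import hashlib
import hmac

COMPANION_TTL_SECONDS = 6 * 60 * 60  # six-hour companion logout from the direction


def sim_fingerprint(server_key, sim_identifier):
    """Keyed hash of the SIM identifier, so the raw ICCID/IMSI is not stored."""
    return hmac.new(server_key, sim_identifier.encode(), hashlib.sha256).digest()


class BoundAccount:
    """Hypothetical account record bound to the SIM seen at registration."""

    def __init__(self, server_key, registered_sim):
        self._key = server_key
        self._bound = sim_fingerprint(server_key, registered_sim)
        self._companions = {}  # session id -> time (seconds) of last QR link

    def primary_access(self, current_sim):
        """Decide access for the phone from the SIM it reports now."""
        if current_sim is None:
            return "deny: sim absent"
        seen = sim_fingerprint(self._key, current_sim)
        if not hmac.compare_digest(seen, self._bound):
            return "deny: sim changed"  # e.g. number re-issued on a new SIM
        return "allow"

    def link_companion(self, session_id, current_sim, now):
        """Assumption: a QR link is honoured only while the phone has access."""
        if self.primary_access(current_sim) != "allow":
            return False
        self._companions[session_id] = now
        return True

    def companion_access(self, session_id, now):
        """Companion sessions end six hours after the last QR scan."""
        linked_at = self._companions.get(session_id)
        if linked_at is None:
            return "deny: not linked"
        if now - linked_at >= COMPANION_TTL_SECONDS:
            del self._companions[session_id]
            return "deny: expired, rescan qr"
        return "allow"


# Constructed sample values, not real identifiers.
REGISTERED_ICCID = "8991000000000000001"
SWAPPED_ICCID = "8991000000000000002"  # same phone number, different card
```

A SIM swap keeps the phone number but changes the card, so the swapped identifier fails the comparison even though an OTP sent to the number would still arrive.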
Privacy and Surveillance Concerns — Constitutional Framework
SIM binding raises significant privacy concerns. The Indian Supreme Court's landmark ruling in K.S. Puttaswamy v. Union of India (2017) — a 9-judge constitutional bench — held that the Right to Privacy is a fundamental right under Article 21 (Right to Life and Personal Liberty) of the Constitution. Any state action that infringes privacy must satisfy the three-part test: legality (backed by law), legitimate aim (state interest), and proportionality (least restrictive means).
The Internet Freedom Foundation (IFF) has called on DoT to recall the SIM-binding direction, arguing that: (i) it effectively creates a government-mandated surveillance mechanism over users' communication app access; (ii) it mandates access to SIM-level hardware identifiers that modern operating systems deliberately block for privacy; and (iii) the six-hour mandatory logout disrupts legitimate multi-device use without proportionate cybersecurity benefit.
Personal Data Protection: India's Digital Personal Data Protection Act, 2023 (DPDPA) — the primary data protection law — governs how personal data (including SIM identifiers, which constitute personal data) may be collected and processed by apps. The SIM-binding direction would require messaging apps to collect and verify SIM-level identifiers — potentially creating DPDPA compliance obligations for these platforms.
- K.S. Puttaswamy v. Union of India (2017): 9-judge bench; Right to Privacy = Fundamental Right under Article 21; three-part test: legality, legitimate aim, proportionality
- Digital Personal Data Protection Act, 2023 (DPDPA): India's data protection law; applies to processing of personal digital data; SIM ICCID/IMSI = personal data
- CERT-In (Indian Computer Emergency Response Team): India's cybersecurity response agency; has issued separate mandatory reporting directions for cybersecurity incidents
- Section 69A of IT Act, 2000: allows government to block online content (separate from telecom direction powers)
- Encryption debate: DoT direction does not explicitly mandate weakening of end-to-end encryption, but WhatsApp and Signal have historically resisted any measure that could compromise E2E encryption architecture
Connection to this news: The SIM-binding mandate sits at the intersection of cybersecurity regulation and privacy rights — a tension that will likely be tested in courts if major platforms challenge the direction, invoking both the DPDPA framework and the fundamental right to privacy under Article 21.
Key Facts & Data
- DoT direction issued: November 28, 2025 (Telecommunication Cybersecurity Amendment Rules, 2025)
- Compliance deadline: approximately 90 days from November 28, 2025 (~February-March 2026)
- Apps affected: WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai, Josh (8 platforms)
- WhatsApp Web mandatory logout: every 6 hours (forced QR re-authentication)
- Regulatory category: TIUE (Telecommunication Identifier User Entity) — new category under 2025 rules
- India is WhatsApp's largest market: 500+ million users (estimated 2024)
- Telecommunications Act, 2023: replaced Indian Telegraph Act, 1885; enacted December 24, 2023
- K.S. Puttaswamy v. Union of India (2017): 9-judge bench; privacy = fundamental right under Article 21
- DPDPA, 2023: India's data protection law; SIM identifiers classified as personal data
- SIM swap fraud losses (India, 2023-24): estimated thousands of crore rupees across financial fraud cases