New Delhi: Come Sunday and popular messaging apps like WhatsApp, Telegram, Signal, SnapChat, ShareChat, JioChat, Arattai and Josh will only function when the correct Subscriber Identity Module (SIM) card is in the phone.
This follows a November 28 order by the Department of Telecommunications (DoT) to the apps to implement the measure within 90 days.
Noncompliance could result in legal action under the Telecom Cyber Security Rules, the Telecommunications Act of 2023 and other relevant laws, the government warned.
The DoT’s AI & Digital Intelligence Unit, which has been given more power to govern Telecommunication identity User Entities (TIUEs), which are basically online services that employ a phone number as an identity, issued the guidelines.
“The SIM-binding regulation stands and we hope all service providers will come on board,” telecommunications minister Jyotiraditya Scindia said recently, citing security concerns. He said that the move as “need of the day.”
Under the new rules, messaging apps need to certify that, when used on different devices, individuals are immediately logged out of web-based services like WhatsApp Web every six hours. However, this logout will not happen on devices where the SIM is installed.
The apps must verify that t
he primary mobile device has the registered SIM card linked to the account. If the registered SIM is not present, services must cease to operate. The centre clarified that users who are roaming will not be impacted if the SIM card remains active in the device.
What happens now is that an OTP (one-time password) provided to the user’s mobile number during installation is used by the majority of messaging apps to verify users. The platform continues to work after verification, even if the SIM is taken out, changed or deactivated.
Similarly, web versions of the apps work by OTP or QR code-based verifications, where the app can be used on a device, like a computer, without the presence of the SIM card used to register for that account.
The government believes that this has led to widespread fraud and misuse of the feature and hopes that the new rule will alter this practice.
Hence, a security measure called SIM-binding, which connects a messaging software to the SIM card, has been introduced. The app will only run after activation when the registered SIM remains inserted in the same smartphone. This implies that removing the SIM would cause applications to stop working.
In November 2024, the Centre notified the Telecommunications (Telecom Cyber Security) Rules, which required telecom service providers to report security incidents within 24 hours. They were also told to put in place thorough cybersecurity measures, including designating a Chief Telecommunication Security Officer to supervise adherence to the new regulations.
It allowed the government the authority to obtain non-content and traffic data from telecom entities to improve cybersecurity protocols.