Two recent notifications from the Department of Telecommunications (DoT) caused confusion, followed by pushback from industry stakeholders. Both reference the Telecommunications (Telecom Cyber Security) Rules, 2024. One of these was a directive that every smartphone used in India should have the Sanchar Saathi app mandatorily installed as part of the operating system. The second directive was that all over-the-top (OTT) apps, such as WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, JioChat, Josh and other “telecommunication identifier user entities” (TIUEs), must ensure that SIM cards are continuously linked to the respective services within the next 90 days.

Apart from being difficult to implement in technical terms, these mandates raise privacy concerns, can potentially interfere with use cases, and may also lead to security issues.

The Sanchar Saathi order directed all smartphone manufacturers and importers to pre-install the app on all new mobile phones manufactured or imported for use in India by directly embedding it into the operating system. Moreover, the Sanchar Saathi app was to be force-installed on older smartphones already in use through an update within 90 days. The order, issued on November 28, 2025, mandated that the app be visible on first use, its functionality not be disabled and compliance be reported within 120 days.

This could potentially be a serious threat to privacy and security. Manufacturers, citizens concerned about privacy, security experts and legal experts pushed back. Apple and Google cited both privacy concerns and technical issues: in both cases, the existing OS would require extensive customisation as well as a change in policy, since Android and iOS systems do not pre-install state-sponsored apps. Other smartphone manufacturers reportedly also expressed concerns privately.

Legal experts cited a constitutional concern, arguing that the order violates a citizen’s right to autonomy over personal devices by allowing the state to place its digital footprint on private property without explicit consent. The policy dilutes user rights because it forces citizens to trade privacy for a purported security benefit – failing the proportionality test laid down by the Supreme Court. Moreover, it leaves every smartphone user open to massive surveillance.

The Sanchar Saathi app was developed to protect smartphone devices, verify IMEI and report suspicious activities. Developed by the government, it has features such as Chakshu, which allows users to report suspected fraud attempts by call, SMS or WhatsApp, including impersonation, financial scams and spoofed calls. The app also helps users report lost and stolen phones, which can then be traced or disabled. Users may also use the app to check if any unauthorised mobile connections have been issued in their names. The app requires permissions to handle call and SMS logs, phone management, SMS sending, camera and file access, location, etc.

The app is, therefore, potentially a back door into every device on which it is installed, and it could enable government surveillance on a vast scale. The Sanchar Saathi code is not open source, so it is also difficult to check if there are any bugs that may allow black hat hackers to access devices. The directive reflected a disregard for user consent and choice, though the union minister of communications quickly clarified that users would be free to delete the app.

Experts also pointed out that the Sanchar Saathi app is not a comprehensive solution to combat cybercrime. It allows users to report fraud or spam calls and messages, block lost devices, verify IMEIs and flag spoofed international calls, but it cannot be used to file cybercrime complaints. For that purpose, users still have to visit the government’s National Cyber Crime Reporting portal, and a basic mobile-first application-based cybercrime reporting system does not exist. Finally, faced with pushback from all quarters, the directive was withdrawn on December 3, 2025.

The other directive on SIM-binding remains in force. If users use website or web-app-based access, apps must ensure users are logged out every six hours and have to re-login through a QR code. This directive will interfere with the functionality of these apps and disrupt the business models of many services provided on them, as well as cause inconvenience to a large number of retail users.

This DoT directive ensures that app-based communication service providers make it impossible for users to use services without an active SIM. This comes after DoT notified the Telecommunication Cybersecurity Amendment Rules, 2025, which created a new category of TIUE and brought these entities under the scope of telecom regulations.

The TIUEs are required to fulfil a range of cybersecurity obligations, including using a mobile number validation platform to verify customers or users associated with a telecommunication identifier for services linked to such an identifier. Besides validation, the government can direct TIUEs to stop using a specific telecom identifier to identify customers or deliver services.

When the rules were first introduced, many raised concerns that the TIUE category was too broad and would cover almost any business collecting customer phone numbers to provide a service. This could range from food delivery platforms such as Swiggy or Zomato to local grocery stores sending e-receipts via mobile numbers.

The new directives, which have been sent to WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, JioChat and Josh, effectively recognise these companies as TIUEs. They require platforms to ensure that SIM cards remain continuously linked to their services within the next 90 days. For website or web-app-based access, TIUEs must ensure users are logged out periodically (not later than six hours) and must offer an option to relink accounts through a QR code-based method.

The rationale behind SIM-binding is that apps using mobile numbers for customer validation may allow access even when the underlying SIM is not present in the device. The government argues that this creates avenues for cyber fraud. Without an active SIM, authorities have no call records, location data or carrier logs to establish where the service was used. Hence the directive for persistent SIM-binding.

However, these apps are already bound to devices. While subscribers sign up for accounts using SIMs, it is in fact a useful feature that these apps allow communication even when the SIM is not active. Some obvious use cases are for mariners at sea, or persons working in remote areas (such as oil prospectors, civil engineers, surveyors and defence personnel) where a SIM-based telecom network is not present but Wi-Fi connectivity is available through satellite broadband, fibre or some other means. Another common use case is that of Indians travelling abroad, who swap SIMs for convenience and cost savings while continuing to use WhatsApp. Similarly, foreigners travelling to India use these services even when their devices are carrier locked.

The government argues that this creates vulnerabilities that may be exploited to commit cyber fraud. Apart from causing inconvenience by disrupting the use cases mentioned above, the SIM-binding directive may also disrupt the provision of WhatsApp business accounts, where multiple persons using different devices log in using the same business account. Most large consumer-facing businesses and many government services use such business accounts, but the directive binds every account to only one SIM.

This directive could obviously be very disruptive to many users, including businesses, and interfere with the core features of messaging apps. It would require service providers to make radical changes to their code, in effect turning India into a global outlier.

It is not clear if the trade-off in terms of plugging vulnerabilities that “may” be used to commit fraud is beneficial, and DoT has made no real attempt to prove that it is the case. The common fraud patterns in India, such as phishing, caller ID spoofing, OTP theft, SIM swaps and VoIP-based impersonation, cannot be addressed by a process of persistent SIM-binding. These scams are based on using fake IDs to procure throwaway SIMs. Scammers only need to procure new fake IDs and use them to procure new SIMs to conduct their activities. In such cases, binding communication services to SIM cards may offer very limited benefits.

Meanwhile, the rule creates friction for legitimate users, impedes remote work, disrupts consumer relationship management systems, and breaks continuity for non-resident Indians and travellers using carrier-locked or single-SIM devices. Alternative approaches, including risk-based detection and carrier-led application programming interfaces (APIs), such as GSMA’s CAMARA API protocol, instead of blanket and continuous SIM-binding enforcement, may be worth exploring as being more efficacious as well as less disruptive.

However, since the SIM-binding directive remains in force, these apps will need to change behaviour and possibly suffer a loss of functionality.

Devangshu Datta