Why India Is Asking Messaging Apps to Log You Out—Again and Again

Government To Plan Changing SIM Binding Rules For Messaging Apps, 6-Hour Logout Limit To Increase

The420 Web Desk

As cyber fraud mounts and cross-border criminal networks grow more sophisticated, India’s government is quietly reshaping how millions of people stay logged in to their digital lives — tightening rules on messaging apps, redefining security responsibilities, and testing the limits of user convenience in the name of national security.

A Security Push Born of Rising Cyber Losses

The trigger was not a single incident but an accumulation of alarms. In 2024 alone, cyber fraud caused losses exceeding ₹22,800 crore, according to government estimates, with some cases ending in suicide after victims were drained of savings through impersonation scams and digital extortion. Intelligence and law-enforcement agencies warned that encrypted messaging platforms had become the backbone of international cybercrime rings, many operating beyond India’s borders.

Against this backdrop, the Department of Telecommunications (DoT) began coordinating closely with investigative agencies, raising concerns internally and with industry players. A senior security official told The Times of India that DoT’s field units had independently flagged the same vulnerabilities: cloned SIM cards, frequently reauthenticated web sessions, and messaging accounts controlled remotely from overseas locations.

SIM Binding and the Logic of Constant Verification

On November 28, DoT issued a directive mandating “SIM binding” for messaging platforms — a requirement that accounts remain continuously linked to a verified mobile number. The measure aims to ensure that control of an account rests with the individual physically holding both the SIM card and the device.

Officials argue that repeated re-authentication makes it harder for criminals to hijack accounts using stolen credentials or virtual numbers. Banking and UPI applications, they note, already rely on similar mechanisms, including automatic logouts and device-based verification, without major disruption.

The directive also dovetailed with earlier recommendations from a multi-agency technical group formed by the Ministry of Home Affairs in September 2024. That panel — which included DoT, Delhi Police, Ministry of Electronics and Information Technology (MeitY), the Intelligence Bureau and Telecom Regulatory Authority of India — had urged tighter linking of mobile numbers with social media and OTT platforms. In April 2025, MHA followed up with directions to implement SIM binding and geofencing for high-risk applications.

The Six-Hour Logout Debate

The most contentious element has been the automatic logout requirement for web and desktop versions of messaging apps, set at six hours. Under current DoT rules, users of platforms like WhatsApp must periodically re-link their devices by scanning a QR code, a step app companies say could frustrate heavy users and businesses.

Government sources acknowledge the concern and suggest flexibility. According to officials familiar with the discussions, the six-hour window could be extended to 12 or even 18 hours for web sessions, though not beyond 24 hours. Mobile apps, notably, are exempt from this requirement.

There is also a legal nuance. DoT does not directly regulate messaging platforms, which fall under the IT Act. Its authority, officials argue, flows indirectly through telecom networks and internet service providers — a distinction that has prompted quiet pushback from app companies wary of regulatory overreach.

Privacy, Travel, and the Cost of Security

Messaging platforms have raised another objection: SIM binding could force users traveling abroad to rely on costly international roaming to keep their accounts active. The government’s response has been unsympathetic. Officials point out that travelers who can afford flights and hotels overseas are unlikely to be disproportionately burdened by roaming charges.

At a strategic level, New Delhi sees the measures as a shield against foreign cyber gangs and hostile intelligence agencies seeking to siphon sensitive data. Still, the administration appears aware that public trust hinges on proportionality. Signals emerging from ongoing consultations suggest that some relaxation of the strictest logout norms may be considered — without diluting the core security framework.
