India Directs WhatsApp to Implement SIM Binding, 6-Hour Auto Logout for Web Users

On November 28, 2025, the Union government issued directives mandating that users log out of web-based chat sessions every six hours and that applications like WhatsApp only function with the SIM card used to register for the service in their device. The directive, which was delivered straight to messaging apps like WhatsApp, Telegram, and Signal, is a significant expansion of the Department of Telecommunications' (DoT) jurisdiction and builds upon a series of controversial cybersecurity rules that were announced this year.

Apps like WhatsApp, which presently only require users to authenticate their mobile number once before allowing them to access the service on a variety of devices, have made it difficult for government investigators to hunt down cybercriminals. According to the instructions, "SIM binding" would make WhatsApp and other messaging apps cease functioning if the SIM card is removed. This would supposedly help identify cyber scams that utilise WhatsApp by potentially making things more difficult for other users.

Why Government Opted to Take this Shot?

In its ruling, the DoT claimed that SIMs used on phones other than the one on which WhatsApp was registered were "being misused from outside the country to commit cyber-frauds." The directive will take effect in February 2026. An industry source referred to the guidelines as "problematic", stated that no consultation or feasibility study was conducted prior to their issuance, and questioned if the restrictions would be difficult for scammers to get around.

With the notable exception of website blocking, the DoT, which normally regulates telcos, has hardly ever ventured beyond 'carriage', or the means of transmission, into the 'content' layer of the internet, where apps like WhatsApp may function. According to one official, these distinctions need to be continuously "rethought" in light of the recent "convergence" of the telecom and internet ecosystems.

The foundation for directives such as these to messaging platforms was established this year when the Department of Technology announced changes to the 2024 Cyber Security Regulations that clarified the meaning of "Telecommunication Identifier User Entities", or TIUEs. This phrase could be used to describe any business, including chat apps and e-commerce sites, that uses mobile numbers to identify users.

Response from Internet and Mobile Association of India

In a filing to the DoT this year, the Internet and Mobile Association of India, which represents Meta and other digital companies, stated that the amended rules will have a wide range of effects on digital businesses in the areas of fintech, e-commerce, mobility, social media, and pretty much any service that uses telecom identifiers. It also stated that the rules clearly exceeded the legislative authority granted by the [2023] Act.

The telecom sector has frequently urged the DoT to take this action, arguing that stringent anti-spam laws that are regularly imposed on them don't stop scams on WhatsApp and other platforms.