India’s decision to bind every messaging account to a physical SIM card is the world’s boldest anti-fraud gambit. It may also be its most blunt.
Sanjay Shah
Priya arrives at her desk every morning, opens her laptop, and finds WhatsApp logged out. Again! She is a journalist. Her sources message her on WhatsApp. Her editor sends assignments on WhatsApp. Half her working day runs through it. She has already done what the government asked: She has ‘bound’ her account to her phone’s SIM card. And yet the desktop version keeps dropping her, sometimes mid-conversation, sometimes before she has even had her first cutting chai. Reconnecting means grabbing her phone, opening WhatsApp, finding the right menu, scanning a QR code on screen, and waiting. By the time it is done, a source has sometimes already moved on. This is not a glitch. This is the rule working exactly as designed.
Since 1 March 2026, every Indian WhatsApp user who works on a computer, or a tablet without a SIM slot, must prove, every six hours, that their registered SIM card is sitting inside their primary phone. No exceptions. No grace period. The rule applies to Telegram, Signal, ShareChat, and several other messaging apps as well. If the SIM is missing, the app stops. If the session timer runs out, the desktop logs out. Priya’s frustration, multiplied across crores of working Indians, is the daily price of a policy built to solve a very different problem.
What Is SIM Binding, In Plain Language?
Think of it like a padlock and a specific key. Your WhatsApp account has always been tied to your phone number. The new rule adds a second condition: The SIM card for that number must be physically inside your phone at all times… not just when you first sign up, but every time you use the app, especially on a computer.
The app checks for this using something called the IMSI, the International Mobile Subscriber Identity. Unlike the IMEI, which identifies the handset, the IMSI lives on the SIM card itself and travels with it. Think of the IMSI as the aadhaar of your SIM, it is what the network uses to say ‘yes, this SIM, this subscriber, right here.’ If that SIM is absent, the app will not work. On web or desktop, sessions automatically expire every six hours regardless, after which you must scan a QR code on your phone, with the SIM present, to regain access.
For someone who uses WhatsApp only on a mobile phone, with the SIM always inside, the change may feel minor. For Priya, and for anyone who works across devices, it is a significant daily jugaad, a workaround they must now perform just to do their job.
Why Did the Government Do This? Reason?
The problem the rule is trying to solve is real, and it is enormous. According to the Ministry of Communications, cyber fraud losses in India in 2024 crossed Rs 22,800 crore, a 206% jump from the year before. Nearly 12 lakh complaints were filed with India’s central cybercrime registry. Almost half of them traced back to ‘scam compounds’ in Cambodia, Myanmar, and Laos: organised crime centres where thousands of workers, many of them Indians trafficked abroad on false promises of tech jobs, ran fraud operations using Indian phone numbers.
Here is how the scam worked.
A criminal would get an Indian SIM, use it once to activate a WhatsApp account with an OTP, hand the SIM card to someone else, and then keep using that WhatsApp account from a laptop in Phnom Penh indefinitely. The account looked like it was calling from India. The criminal was not.
The old system had a fatal flaw: verify once, use forever.
SIM binding is designed to close that loophole by forcing a continuous check: is the original SIM still here, right now?
Telecom Minister Jyotiraditya Scindia left no room for debate when he ruled out any deadline extension. National security, he said, comes before industry convenience.
The ambition is understandable. The execution has complications that the government has not fully answered for.
The first is technical, and it is serious. Apple’s iPhone does not allow third party apps to read the SIM’s hardware identity directly. This is a security decision built into iOS, not a setting that can be switched off. With over 7 crore iPhone users in India, the rule as written is technically incompatible with a significant portion of the devices it governs. The government has offered no public guidance on how this is to be resolved.
The second is about civil liberties. The Internet Freedom Foundation (IFF) has pointed out that under the new framework, which officially classifies WhatsApp and similar apps as Telecommunication Identifier User Entities, or TIUEs, the government can now instruct a platform to cut off a specific phone number from messaging services, with no court order and no notification to the account holder. A minister’s judgement that a number poses a security risk is enough. The Editors Guild of India has raised the same alarm from a press freedom angle: tying every account to a KYC-verified, Aadhaar-linked SIM means anonymous communication is no longer structurally possible in India, which has consequences that go well beyond fraud prevention.
The third problem is the most deflating for anyone who believed this rule would break the fraud rings. Cybersecurity researcher Anand Venkatnarayan of DeepStrat made the point plainly: organised scam networks do not reuse SIM cards. They buy fresh ones, often with forged documentation, for each campaign. They need perhaps 10 SIM cards to defraud a hundred victims. The rule will not stop them. It will stop Priya.
India currently is the only democracy in the world to have taken this step. Every other country that has grappled with messaging app fraud has stopped short of commanding the application to continuously interrogate the hardware.
The European Union, for instance, designated WhatsApp as a Very Large Online Platform under its Digital Services Act in January 2026, obliging Meta to manage systemic risks like disinformation and electoral manipulation, with fines of up to 6% of global revenue for failures. But private messaging is explicitly outside that framework. The UK’s Online Safety Act focuses on child protection and illegal content. Singapore and Brazil have tightened KYC at the moment a SIM is issued, controlling the entry point, not the application running on top of it. Nigeria, Indonesia, and the Philippines have all done the same. The logic everywhere else is: get the SIM registration right at the source, and the downstream apps do not need to be policed at the hardware level.
That’s where India differs, strictly.
India has chosen a different philosophy: continuous monitoring at the application layer. It is more intrusive. Given the iOS problem and the easy availability of fraudulent SIMs, it is also, by most technical assessments, less likely to achieve its stated goal.
Every government that has faced this problem has had to decide how much surveillance it is willing to deploy, and against whom. India has chosen breadth over precision, speed over consultation. The fraud problem is genuine, the scale is alarming, and doing nothing was not an option. But a rule that logs out Priya every six hours while the scam compounds in Phnom Penh simply buy new SIM cards is not a security victory. It is an added task – an added burden – on the very people it was never meant to target. The courts will eventually weigh in. Until then, Priya will keep scanning that QR code, every single morning, before her first cup of chai.
