Inconsistent solutions: Recent telecom directives must be reconsidered

Two recent directives from the Department of Telecommunications have led to confusion and controversy. One mandates that apps such as WhatsApp, Telegram, Signal, Arattai, Snapchat, and JioChat and other “telecommunication identifier user entities” must ensure that subscriber identity module (SIM)  cards are continuously linked to respective services. If users opt for website or web-app-based access, the apps must ensure they are logged out every six hours and re-login through the QR-code. This directive will interfere in the functionality of these apps and disrupt the business models of many services provided on them, as well as cause inconvenience to a large number of individual users. The second directive orders all smartphone manufacturers and importers to pre-install the Sanchar Saathi (SS) app on all new cell phones manufactured or imported for use in India. Moreover, the SS must be force-installed on older smartphones already in use through an update. This would in effect install in every smartphone a backdoor, which could be a threat to privacy and security. The government on Tuesday clarified that the app was not mandatory and users could remove it.

 

The rationale for SIM-binding is that apps like these may allow access even when the underlying SIM is not present or active. It has been argued that this creates vulnerabilities that may be exploited to commit cyber fraud. But these apps are already bound to devices. While subscribers sign up for accounts by using the SIM, one of the most useful functions is that these apps allow communication even when the SIM is not active. Some obvious use cases are for mariners at sea or persons (such as oil prospectors, civil engineers, and defence personnel) working in remote areas where a SIM-based telecom network is not present but WiFi connectivity is available. The SIM-binding directive would also disrupt the provision of WhatsApp business accounts, where multiple persons using different devices log in using the same business account.  This directive could obviously be disruptive to many users including businesses, and interfere in core features of messaging apps.

 

The SS app is used to protect smartphone devices, verify the international mobile equipment identity (IMEI) number, and report suspicious activities. Developed by the government, it has features like Chakshu, which allows users to report suspected fraud attempts, by call, SMS or WhatsApp, including impersonation, financial scams, and spoofed calls. The app also helps users report lost and stolen phones, which can then be traced or disabled. Users may also use the app to check if any unauthorised mobile connection has been issued in their names. SS requires permission to handle call and SMS logs, phone management, SMS sending, camera and file access, and location. It is, therefore, potentially a backdoor into every device on which it is installed and it could enable government surveillance on a large scale. The SS code is not open-source so it is hard to check if there are any bugs that may allow hackers to access devices. The best way to combat cybercrime would be to foster awareness among users rather than to force SIM-binding and the pre-installation of an app that many users may not know how to use, and some may prefer not to use.