Who owns/controls our digital identities?

India’s new SIM-binding mandate for messaging platforms, which came into effect on 1 March, could fundamentally alter the way millions of citizens access and control their digital identities.

Introduced under the Telecom Cyber Security Rules, the directive issued by the Department of Telecommunications requires messaging applications to keep user accounts continuously linked to the physical SIM card used during registration. If the SIM is removed, deactivated, swapped or inactive, access to the account can be blocked until the original SIM is reinserted and verified.

The rule applies to major messaging platforms including WhatsApp, Telegram, Signal and others that rely on mobile numbers for authentication. While the government says the measure is aimed at curbing cyber fraud and misuse of mobile numbers, the implications for privacy, digital ownership and user autonomy are far-reaching.

Take the example of WhatsApp. Under the new regime, a user cannot access their account if the specific SIM card used during registration is not present in the primary device. In practical terms, this means that access to one’s personal conversations, contacts and digital history becomes dependent on possession of a particular SIM card.

This creates an unusual paradox: the user who created the account, built the contact network and generated the data may no longer have full control over it. Instead, access is effectively determined by the SIM card.

Ironically, even the SIM card itself is not legally owned by the user. Telecom subscribers are technically SIM holders, not SIM owners. The SIM card remains the property of the telecom operator that issued it. Consequently, control over messaging accounts is indirectly tied to infrastructure owned by telecom companies rather than to the individual who created the account. This shift raises fundamental questions about digital ownership and user rights in the age of platform-based communication.

Cyber law expert Pawan Duggal told National Herald, “The SIM-binding mandate is on shaky ground. Since no law was actually passed by Parliament for it, the mandate could easily be contested in court.”

India’s constitutional framework has already recognised privacy as a fundamental right. In the landmark K.S. Puttaswamy v. Union of India case, a nine-judge bench of the Supreme Court of India unanimously ruled that the Right to Privacy is intrinsic to the Right to Life and Personal Liberty guaranteed under Article 21 of the Constitution of India. The judgment explicitly recognised informational privacy — the right of individuals to control their personal data.

SIM binding complicates this principle. If a person’s digital account can only be accessed through an operator-owned SIM card, their ability to control their own digital information becomes conditional. Critics argue that informational privacy becomes difficult to protect when the user is not even the ultimate controller of access to their own account.

Concerns about the new rules are not limited to privacy activists. Technology industry groups have also raised legal questions. The Broadband India Forum, which represents global technology companies such as Google and Meta, has warned that the mandate may exceed the statutory authority of the telecom regulator.

In its communication to the government, the forum argued that extending telecom regulations to internet platforms through delegated legislation risks regulatory overlap and jurisdictional conflict. It also raised concerns about possible violations of the constitutional Right to Equality.

According to the industry body, forcing digital platforms to comply with telecom-style regulations could create inconsistent compliance requirements across sectors and add unnecessary operational burdens.

Another critical concern is the role of mobile numbers themselves. A phone number is considered personally identifiable information (PII). Linking it tightly to multiple digital platforms expands the scope of potential privacy risks.

Once a number becomes the central authentication key across several services, several dangers emerge:

• Data leaks: If a single platform is compromised, attackers may gain access to the mobile number associated with multiple accounts.

• Unwanted contact or harassment: Phone numbers exposed online can easily become tools for spam, abuse or stalking.

• Cross-platform tracking: Companies or malicious actors can track a user’s activities across platforms through the same number.

The new system could also intensify risks of targeted harassment and doxing. If a person’s phone number becomes the universal key to their online presence, exposing that number could reveal multiple digital identities at once.

For journalists, political commentators or activists — who often face online trolling — the stakes could be particularly high. Civil liberties advocates also worry about the potential for expanded surveillance. Because SIM cards are issued only after Know-Your-Customer (KYC) verification, every SIM is already tied to a verified identity.

When messaging accounts are permanently linked to these SIM cards, authorities theoretically gain an easier pathway to correlate digital communications with real-world identities.

Duggal asserts that the mandate infringes upon the right to privacy, right to expression and, by extension, right to life.

The government has defended the measure as a tool to combat cyber fraud and scams. India has witnessed a surge in digital fraud, including ‘digital arrest’ scams and SIM-swap frauds.

Authorities believe tighter SIM verification could help reduce such crimes. But experts caution that SIM binding is not a technological silver bullet.

Cybercriminals are quick to adapt. Instead of disappearing, crimes may simply evolve into new forms such as SIM cloning, where attackers duplicate a victim’s SIM card to gain access to accounts tied to it. If messaging access becomes entirely dependent on the SIM, cloning it becomes an even more valuable target.

Similarly, fraudsters could exploit stolen or illegally obtained SIM cards to create fully verified digital identities. For millions of Indians who rely on messaging apps for everyday communication, business, journalism and activism, the consequences may soon become visible in daily life.

The real debate is not just about SIM cards — but about who ultimately controls the digital identities that define modern communication.