On the morning of Sunday the 30th of November, we saw media reports that the Indian government is mandating the presence of an active SIM card to use messaging apps.
What this means is that you will not be able to log in to such apps unless your SIM card is on the same device as the one where you are running the app.
For more details, see Scroll.in’s article, “Why India’s telecom department has mandated ‘SIM binding’ for WhatsApp, some other app services”.
Does it apply to Prav?
Our first action was to find the details of the order to understand if the mandate also applies to Prav.
The Telecommunication Cybersecurity Amendment Rules, 2025, introduced a new category of service provider called the Telecommunication Identifier User Entity (TIUE). This term covers any messaging services which use a phone number as a means to identify users.
We consulted Software Freedom Law Center (India), and they confirmed that Prav has to comply with the order as well.
Implications of the order
We at Prav have several concerns regarding this order, both regarding our own service as well as messaging apps in general. These concerns are as follows.
User privacy will be eroded
SIM binding will degrade user privacy by enabling more location tracking. Users will not have the option to leave their phone at home and conduct messaging on a different device.
Sharing a smartphone will become impractical
The new rules would break legitimate use cases like multiple people sharing the same smartphone for accessing digital products while carrying an ordinary (feature) phone for daily use.
With SIM binding, these users will have to remove their SIM card from their own phone, insert it into the shared smartphone, and go through the re-authentication process each time they want to check messages. When they have finished, they will have to transfer the SIM card back again to their primary phone. This also increases wear and tear on the SIM card.
This would greatly reduce accessibility of messaging services. This is especially important given that many other services (such as booking Metro tickets via WhatsApp, receiving medical lab reports on WhatsApp, etc.) are not only tied to the phone number, but also expect the use of some other digital messaging platform to deliver services.
Multi-device use will be worsened
The order would make it inconvenient to access the account on devices that don’t have a SIM card, such as tablets or laptops. The new rules have a provision for signing in with a “secondary device” but these “secondary devices” must be automatically logged out again within 6 hours, meaning you will have to set it up again each time you want to use it.
Compatibility layers and bridges will be broken
On a related note, it would be impossible to access phone-number-based messaging services (for example, via laptop or desktop) without possession of a smartphone which runs an OS that the messaging app supports.
For example, users of Mobian and postmarketOS rely on the Waydroid compatibility layer to run Android apps. Waydroid does not currently support SIM binding, so running an affected app (like WhatsApp or Signal) on these devices will no longer be possible.
On a similar note, it would no longer be possible to access phone-number-based messaging services via bridges (like Slidge and Matterbridge) and multi-protocol clients (like Beeper and Pidgin), which let you access multiple messaging accounts in a single app.
International travelers will be affected
SIM binding would require mandatory international roaming if people traveling overseas want to continue communicating using their Indian accounts.
Switching to a local SIM card in the destination country would require registering a new account on the messaging service as well. This defeats a major purpose of using the messaging service in the first place!
Worse, if the messaging app doesn’t support multiple accounts, it would mean losing access to your earlier messages.
Possible motivations for the order
After reading about the implications, we started analyzing the arguments put forth by the government to understand exactly what they were trying to prevent, and whether we could mitigate those concerns using other means.
Preventing malicious account takeover
One possibility we considered is that this SIM binding order could prevent users from accidentally sharing access with malicious parties by forwarding OTPs.
This would not happen if users refused to share OTPs with other people, as instructed by warnings regularly circulated by the government as well as by private entities. Unfortunately, the reality is that OTP sharing is unavoidable in some cases (not necessarily related to messaging), resulting in people being tricked into sharing their OTPs in other cases as well.
In the case of messaging apps, mitigating unauthorized access to accounts can be accomplished by less intrusive means, such as actively notifying users when logging in from new devices, and allowing remote invalidation of other logged-in devices.
Therefore, we feel that mandating SIM binding is an excessive measure compared to the risk it is trying to mitigate.
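The two less intrusive controls named above (alerting a user's existing devices when a new device logs in, and letting the user invalidate another device's session remotely) can be sketched as follows. This is an example added here, not code from Prav; the `AccountSessions` class, its method names and the device labels are hypothetical, and notifications are simply collected in a list instead of being delivered.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    token_hash: str  # only a hash of the bearer token is kept server-side
    revoked: bool = False


@dataclass
class AccountSessions:
    """Hypothetical per-account session store (illustrative, not Prav's code)."""
    sessions: dict = field(default_factory=dict)  # device_id -> Session
    outbox: list = field(default_factory=list)    # (recipient_device, message)

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def active_devices(self) -> list:
        return [d for d, s in self.sessions.items() if not s.revoked]

    def login(self, device_id: str) -> str:
        """Issue a token; alert all active devices if this device is new or was revoked."""
        prev = self.sessions.get(device_id)
        if prev is None or prev.revoked:
            for other in self.active_devices():
                self.outbox.append((other, f"New login from device {device_id}"))
        token = secrets.token_urlsafe(32)
        self.sessions[device_id] = Session(self._h(token))
        return token

    def authenticate(self, token: str):
        """Return the device id a valid, unrevoked token belongs to, else None."""
        h = self._h(token)
        for device_id, s in self.sessions.items():
            if not s.revoked and secrets.compare_digest(s.token_hash, h):
                return device_id
        return None

    def revoke(self, acting_token: str, target_device: str) -> bool:
        """Let an authenticated device invalidate another device's session."""
        target = self.sessions.get(target_device)
        if self.authenticate(acting_token) is None or target is None or target.revoked:
            return False
        target.revoked = True
        return True
```

In this sketch any authenticated device may revoke any other, so a deployed service would also need to decide which device or credential is trusted to perform revocation.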
Preventing account sharing itself
Another theory we have is that, besides preventing involuntary account sharing through trickery and manipulation, the government may also be worried about voluntary account sharing, in which many people share access to a single account.
We thought that scam rings could use such a technique to get a single account via a throwaway SIM card, and then use that shared account to conduct illegal activities (such as tricking people into sharing OTPs with them).
The SIM binding order would make it more difficult for such scam rings to get started, as they would now have to obtain a separate SIM card for each individual involved, rather than just one for the whole group.
The order would also help prevent such operations from running internationally, unless the people in such an operation use international roaming as described above.
Of course, this is all speculation on our part, and we are not sure how realistic this situation is.
Weakening VPN services
Another motivation for the SIM binding order could be to circumvent privacy-preserving tools like VPNs.
A VPN can hide your physical location, but with the SIM card being present, governments (as well as other entities) can locate people via their mobile signal even if they are using a VPN for Internet access.
What will Prav do?
Since the order comes from the Department of Telecom, we have no choice but to comply with it.
However, we will also try to challenge this order in court, on the basis of some of the arguments presented above. Specifically, we are looking to challenge this requirement as…
being excessive, given that other options to prevent unauthorized access exist. If nothing else, this should be one of the many options to prevent unauthorized access.
preventing legitimate uses of a single account on multiple devices, and using multiple accounts on a shared device
inconveniencing citizens traveling internationally (for studies or vacation), by forcing them to choose between subscribing to international roaming, or losing access to messaging services (and potentially losing all past conversation history)
mandating the use of a smartphone to access communication services
Unanswered questions
In the meantime, we are also looking into ways to mitigate the situation while still being in compliance with the current order. Here are some of the questions we are considering.
Would Prav still be considered a TIUE if, instead of using phone numbers as usernames, we implemented custom usernames? (i.e. standard XMPP IDs.)
Would Prav still be considered a TIUE if, instead of storing phone numbers on the server, we only stored their hashes?
Would Prav still be considered a TIUE if we were to only use a phone number for password recovery?
Does Prav need to enforce SIM binding at the server level as well?
If server-side enforcement is not required, users will have the option to continue accessing our services using a standard XMPP app that does not perform SIM binding (such as Monocles Chat for Android, or Monal for iOS).
However, if server-side enforcement turns out to be required, we would have to block third-party clients from being able to use the Prav server, and people using other XMPP apps on platforms where Prav is not yet available (like desktop/laptop) would lose access to their accounts.
Parting words
In any case, if Prav were to implement SIM binding, we would have to educate our users about the implications of their choices, and offer a way out of this by using another XMPP app that does not use a phone number to identify users.
Also, since Prav is Free Software, it will be easy for any developer to remove this “feature” and start their own Prav-like service without it, since Free Software gives everyone the freedom to study, modify, and redistribute its code.