India Mandates 6-Hour WhatsApp Web Logout
India's Department of Telecommunications (DoT) has mandated that all WhatsApp Web sessions must automatically log out every six hours for re-authentication. The move has sparked debate over user convenience versus security in the government's push for a more regulated "Digital India."
The directive is part of a broader "SIM binding" protocol issued by the Department of Telecommunications (DoT) to combat rising digital fraud. The government aims to prevent the misuse of messaging apps by cybercriminals who operate accounts without the physical SIM card, often from outside India. This move ties the app's functionality directly to the physical, KYC-verified SIM card used for registration. This mandate extends beyond WhatsApp to include other messaging services like Telegram, Signal, Snapchat, and Sharechat. These platforms, now classified as "Telecommunication Identifier User Entities" (TIUEs), must ensure their services cease to function if the original SIM is removed from the device. Companies were given a 90-day window, with a compliance deadline of February 28, 2026. The rules stem from the Telecommunication Cybersecurity Amendment Rules, 2025, which significantly expand the DoT's oversight from traditional telecom operators to any digital service using mobile numbers for user identification. This represents a fundamental shift in how app-based communication services are regulated in India. For global platforms like WhatsApp, which has over 500 million users in India, this requires re-engineering their service specifically for the Indian market. The continuous SIM verification and forced web logouts necessitate system changes that differ from their operations in other countries. This isn't an isolated action but part of a larger trend of tightening digital regulations in India. Since 2022, the Indian Computer Emergency Response Team (CERT-In) has enforced stringent rules, including a mandate for tech companies to report cybersecurity incidents within six hours and maintain ICT logs for 180 days. While the government cites national security as the primary driver, tech industry executives and privacy advocates have raised concerns. They argue that the constant SIM checks and frequent logouts could erode user privacy, disrupt professional workflows, and create friction for users, particularly those who rely on desktop access for work.
