India Targets Worsening SIM Fraud With New Telecom Law

Bill Mandates Biometric Verification of SIM Card Users and Bans Right to Anonymity
Headquarters of BSNL, India's largest state-run telecom provider, on Janpath Road in New Delhi (Image: Shutterstock)

India's new telecommunications law has raised concerns over the possibility of government surveillance but supporters say it addresses the need for a strong legal mechanism to clamp down on worsening SIM fraud and shadow telecom networks.

The government's Telecommunications Bill, 2023 passed both houses of the Parliament on Thursday, fulfilling the government's mandate to replace legacy laws with an identity-based governance regime for wireless communications.

The bill now awaits presidential assent. Minister for Electronics and Information Technology Ashwini Vaishnaw told reporters the new law will bring in identity verification rules for users of telecommunications services and will protect India's 1.17 billion telecom subscribers from cyber fraud.

India has the world's highest spam call rates, and do not disturb registries maintained by telecom operators have had little effect. Marketers have started using mobile numbers to make unsolicited marketing calls and texts to bypass the feature, and so have fraudsters.

A survey in February found that 92% of mobile users in India continued to receive marketing or spam calls even after registering in their telecom providers' DND registries. About 4 in 5 of those surveyed also complained about receiving unwanted calls from finance and real estate companies.

Under the bill, telecom service providers must conduct biometric authentication for every SIM card registration, and mobile users will be able to see the name or identity of those who call or text them. The bill also mandates that entities obtain prior consent of users to receive specified calls or messages and prescribes penalties for entities who use false identities to access telecommunication services.

Telecom service providers will also be required to establish an online mechanism to enable users to register complaints and to resolve them - and for the first time, they will be legally obligated to prepare and maintain DND registries to ensure users do not receive spam calls or messages unless they have given prior consent.

Critics Decry Enhanced Surveillance Measures

Through the Telecom Bill, the Indian government proposes to create standards for encryption and data processing that telecommunication providers must comply with - a move that, critics say, will give the government powers to weaken encryption in messaging services to access private communications.

The government would also obtain information on the telecommunication equipment, networks and security systems that telecom providers use. In certain situations, it may also take possession of, restrict, or suspend telecom services in certain regions or for specific persons or groups.

"The ability to suspend, curtail, or revoke the authorization or assignment in case of breach of any of its terms and conditions rests with the Union government," the Internet Freedom Foundation said. "This clause cements the colonial powers of the Union government, which upon misused and if extended to internet services, may become nothing less than draconian."

The government's move to enforce biometric authentication for users of telecommunication services also restricts whistleblowers' and journalists' ability to remain anonymous when communicating, IFF warned. "Services such as Twitter and Instagram, which currently provide users with the option to communicate anonymously, will possibly have to take back this facility if they wish to operate in India."

New Delhi-based data privacy lawyer Gaurav Bhalla said the proposal to mandate biometric authentication for users of telecom services may put citizens' data security in peril since the government has not specified the safeguards it will use to secure citizens' biometric details.

Bhalla said the government has also armed itself with powers to rely on various subjective arbitrary criteria to simply suspend telecom/internet services in specific regions as it deems fit. "This provision would potentially deprive citizens of their right to access the internet and would potentially be in violation of the citizens' right to freedom of speech and expression."

New Delhi-based law firm Khaitan & Co. said the bill will give the government powers to notify standards and conformity assessments for matters relating to cybersecurity for telecommunication services and networks, encryption and data processing in telecommunication, etc. Such powers may overlap with other information technology-related regulations such as CERT-In's directions or the Digital Personal Data Protection Act, 2023 and cause confusion in the industry.

Critics have raised concerns over the government rushing the Telecom Bill through both houses of Parliament. The government introduced the Telecom Bill as a "money bill," restricting the upper house of the Parliament's powers to only recommend amendments not binding on the lower house, where the government enjoys a healthy majority.

The government also passed the bill while as many as 146 members of both houses of the Parliament, principally from opposition parties, were suspended for disciplinary reasons. "Passing important legislations by suspending opposition MPs is not democracy. It is the worst kind of authoritarianism," opposition leader Mallikarjun Kharge tweeted.

Telecom Bill Necessary to Curtail SIM Card Fraud

"The proposed Telecom Bill, while potentially intrusive to personal privacy, reflects the government's recognition of the pressing issue of SIM card fraud," Shomiron Das Gupta, founder and CEO of DNIF Hypercloud, told Information Security Media Group. The government in November blocked as many as 7 million mobile numbers that it said were being used to commit financial fraud and various cybercrimes, indicating the scale at which malicious actors have used telecom services to commit fraud.

"The escalating rate of scams utilizing anonymous SIM cards is a significant concern, making it challenging to trace and counter these fraudulent activities. Without a traceable mechanism to identify the original user or subscriber, addressing the rampant fraud becomes difficult. The financial losses incurred in these scams are substantial, and the current lack of tracking capabilities is a cause for alarm," Das Gupta said.

He added that the burden placed on telecom providers to conduct verifiable biometric authentication of new users may seem to infringe on privacy, but it is a necessary step to establish traceability. "This alone may not fully address the intricate challenges associated with tracing back to the source of fraudulent activities. The need for equally effective countermeasures is paramount in light of the serious challenges faced in dealing with SIM card fraud."

According to Bhalla, political parties or privacy campaigners may approach the courts to nullify the requirement of biometric authentication for mobile subscribers. "It remains to be seen whether the judiciary favors the argument of national security, public order, etc., or whether it comes to the rescue of the citizens' core fundamental rights or puts in place some checks and balances to the power granted to the government under the bill," he said.

About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
