Phony security rules will make India’s phones less safe

Recently, India’s SIM binding rule went into effect. This rule requires messaging apps like WhatsApp, Signal, Telegram and others to continuously verify that a user’s SIM card is physically present in their mobile device. If people are using these services on laptops or desktops, they will need to be logged out every six hours. The government claims this rule will curb phishing and impersonation scams.

This is just one of many rules the government has introduced or proposed in its quest to protect smartphone users. Some of its other brilliant ideas were mandatory pre-installation of its Sanchar Saathi (Communication Companion) app and requiring vendors to share source code for inspection.


While these were rescinded after heavy backlash, there are other, lesser-known regulations in the works. One of these is requiring GPS to be enabled at all times, with no off switch. Another is requiring an audit log to be stored on devices for at least one year, showing which apps were installed and which services were logged into.

Unintended Consequences

Let’s imagine we were born yesterday, and therefore trust the government. Even if these rules were created with the noblest intentions, they will ironically make phones more dangerous. They will make it easier, not harder, for cybercriminals to breach security. They will further endanger some of the most vulnerable people. They will hurt poor people and small businesses. And finally, they pose a serious threat to what is left of India’s liberal democracy.

Consider the SIM-binding rule. It will do nothing to prevent scams. First of all, most scammers are smart enough to use fake IDs to obtain SIM cards. Binding will be useless here. But it introduces a new vulnerability. If people have to log in every six hours, they will stop paying attention eventually. Especially small business owners who are juggling ten different tasks at any given time. Attackers could serve fake login screens to gain access and impersonate the businesses.

While offering zero security benefit, SIM binding will make life harder for low-income families. These families share phones and SIM cards out of necessity, and will be hit the hardest, warns a study from CUTS International. The same study also found that nearly 70% of small businesses rely on shared accounts for order management, customer support and coordination. Logging them out every six hours will result in delayed responses, broken automation and higher compliance costs. These businesses are the backbone of the Indian economy. They operate on thin margins, and any impact on them will be felt throughout the country.

The other rules are even worse. Consider the requirement for audit logs. 18% of Indian women have reported suffering domestic violence. If a woman installs apps that offer information and assistance to victims of domestic violence, or has secret social media accounts to reach out for support, she will be at greater risk. Even if she uninstalls the apps and signs out of the accounts, those will be recorded in the logs. Her husband could go through them and inflict further violence on her for daring to plan an escape.

Similarly, always-on GPS will be a disaster. If a woman manages to escape her abusive partner, he could track her more easily. There are also many inter-caste, interfaith and homosexual couples in India who have to elope and live in hiding. Their families would literally kill them for marrying the “wrong” person. For dubious gains in crime fighting, the government will endanger some of India’s most vulnerable people.

The Real Agenda

The harms discussed so far were under an assumption of sincerity and good faith on the government’s part. But we know the government’s real agenda is not to keep smartphone users safe. It is mass surveillance so they can root out dissent.

Understand the chronology here. On November 28, the government comes out with a rule that manufacturers must pre-install its Sanchar Saathi app on every phone. This is rightly decried as spyware, since the app wants permissions for basically the entire smartphone: call logs, text messages, camera, storage and even the flashlight. Due to heavy backlash from manufacturers and civil society, the government rescinds this rule in a week.

A month later, it comes up with a new rule. Manufacturers must provide access to source code, and cannot push critical security updates without government approval. Why? The government is known to deploy spyware such as Pegasus against political opponents and critics. But pesky manufacturers keep patching vulnerabilities, making the spyware ineffective. If the government has veto over security patches, it can delay them until it is done spying on its targets. Of course, manufacturers resist this rule as well, and it is also scrapped within a day. But there will be more attempts in the future.


This fits in the larger context of how the government operates. India has faced serious democratic backsliding under prime minister Narendra Modi. Press freedom has declined as Modi’s rich friends take over media outlets, and the remaining ones face raids and arrests on bogus charges. Activists are accused of terrorism and held for years without trial. Formerly independent institutions like the courts and the Election Commission have been captured by the regime.

This can be seen in the digital realm as well. In 2022, the government mandated that all VPN providers must collect and store user data for at least five years. Last year, in Jammu and Kashmir, VPNs were banned entirely for two months, and users were arrested during that period. The government also introduced a new tax law allowing officials to access people’s e-mails and WhatsApp messages.

Further proof of the government’s duplicity can be found in the way these new smartphone regulations have been introduced. The government has taken a page straight out of Steve Bannon’s playbook, and is “flooding the zone”. Consider the demand for source code, which was reportedly introduced in a package of 83 rules.

The game is simple. Introduce dozens of regulations simultaneously. Critics cannot pay enough attention to all of them. Even if a few rules must be dropped after heavy backlash, many others will slip through and tighten the state’s grip on people’s digital lives.

When officials are acting in such bad faith, we must stay on guard. Any regulation, no matter how well intentioned it may seem, is a power grab. Notice how these rules always reduce freedom and choice for the consumer.

If the government were truly interested in keeping users safe, it would do the opposite. It would promote the development of open source smartphones. Open source software tends to be more secure since many more people are inspecting it, and any security flaws are found and patched quickly. It is also difficult to hide back doors in open source software, since they will be discovered immediately. This ensures greater privacy, and thus the health of liberal democracy. Open source also results in more competition, and thus more freedom and choice. That is the only real way to improve safety.

But the government will not do that, because smartphone security is just a cover story. The real goal is mass surveillance and authoritarianism.

The featured image is “Malware Infection” by Blogtrepreneur, CC BY 2.0.

