New Delhi: WhatsApp has told a government committee it needs four to six months more to comply with its SIM-binding directive, a measure the Department of Telecommunications (DoT) had asked five months ago and which the Ministry of Electronics and Information Technology (MeitY) already flagged the platform for ignoring.
The information was shared in a status report filed before the Supreme Court on 30 March, and made public Tuesday, by the Indian Cybercrime Coordination Centre (I4C) under the Ministry of Home Affairs and co-signed by Attorney General R. Venkataramani.
The report was filed in response to a suo motu writ petition—Re: Victims of Digital Arrest Related to Forged Documents—that the Supreme Court initiated in October 2025 after a senior citizen couple from Ambala wrote to the court, saying they had lost Rs 1.05 crore to scammers who displayed forged Supreme Court orders over WhatsApp to coerce payment.
A bench of Chief Justice Surya Kant and justices Joymalya Bagchi and N.V. Anjaria has since driven a sweeping multi-agency response.
Digital arrest is a fraud in which criminals impersonate law enforcement officials over video calls, keep victims under continuous surveillance for days or weeks, and coerce them into transferring savings under threat of fabricated arrest.
According to a parliamentary statement by the Ministry of Home Affairs, Indians lost Rs 1,935 crore to digital arrest scams in 2024, a 471 percent increase from the previous year.
Also Read: SIM binding: What India’s new mandate means for your WhatsApp & why big tech is pushing back
What the directive said
On 28 November 2025, the DoT issued a circular requiring all app-based communication platforms operating in India using Voice over Internet Protocol (VoIP) — including WhatsApp, Telegram, Signal, and a regional platform called Arattai — to bind user accounts to verified SIM cards and fix session durations.
The goal was to prevent scammers from recycling phone numbers and creating fresh accounts immediately after being banned, a tactic the government says has allowed criminal networks to survive repeated enforcement actions.
WhatsApp appeared before the Inter-Departmental Committee’s (IDC) third meeting on 12 March 2026, and told the committee that “work on SIM binding implementation is underway, including technical integration and testing”, but that “full rollout may require approximately 4–6 months due to technical dependencies and the need to avoid disruption to legitimate users.”
A detailed compliance report, it said, would be submitted by 28 March.
What the platform did not address before the IDC was a finding MeitY had already placed on record separately.
During a 6 January compliance review of major intermediaries including Google, Meta, and Microsoft, the MeitY observed that “Microsoft acted expeditiously on intelligence shared by I4C, whereas WhatsApp did not take adequate remedial action despite prolonged engagement”.
Skype, which Microsoft owns, has become a reference point in the proceedings, with the IDC directing WhatsApp to examine user-protection features “similar to those adopted on the Skype platform” and submit a detailed proposal within 30 days.
Before the case reached this stage, the MHA had already blocked 83,668 WhatsApp accounts and 3,962 Skype IDs involved in digital arrest frauds.
WhatsApp told the IDC it had banned an additional 9,400 accounts since January 2026 through a dedicated internal investigation, reaching that number from just 17 seed signals specifically tied to digital arrest — mapping entire criminal networks through what it calls a “fan-out” approach that targets administrators, linked accounts, and shared infrastructure simultaneously.
The platform said its investigation found scammers operating predominantly from Cambodia, using display names such as “Delhi Police,” “CBI,” “Mumbai HQ,” and “ATS Department,” and profile photographs bearing official government logos.
Where gaps remain
Pressed by the committee across multiple issues, WhatsApp made a series of commitments before the IDC. It agreed to retain data from deleted accounts for 180 days as required under Rule 3(1)(h) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, after the committee noted this was necessary for law enforcement investigations.
In the 12 March meeting, it committed to examining whether device IDs used in digital arrest scams can be permanently blacklisted — so that fraudsters cannot simply switch numbers on the same device to create new accounts — and said it would submit a compliance report within 45 days.
On the question of proactive user protection, WhatsApp said it had deployed logo detection systems matching profile pictures against a database of Indian law enforcement insignia including Delhi Police, Mumbai Police, CBI, and the Anti-Terrorism Squad (ATS).
It said it had introduced account age as a visible signal for unknown callers, suppressed profile pictures for suspicious first contacts, and deployed large language model-based detection tools to identify impersonation patterns.
It also committed to examining safeguards against prolonged scam calls — the multi-hour and multi-day video calls that characterise digital arrest — and said it would submit proposed technical measures within one month.
But the platform was candid about its limits. Its written submission to the IDC stated that “logo detection currently applies prospectively — retrospective matching is a limitation we are working to address,” and that dismantling the underlying criminal operations “requires coordinated multi-jurisdictional law enforcement action.”
On end-to-end encryption, it noted that “consistent enforcement requires corroborated on-platform evidence” and that where such evidence is limited, it cannot act immediately.
The IDC, for its part, has asked MeitY to secure compliance by WhatsApp on all commitments made before the committee and report back to the court.
(Edited by Ajeet Tiwari)
Also Read: India’s biometric SIM issuing system to be implemented by December, DoT says in court submission