In June this year, the Department of Telecommunications (DoT) released a draft amendment to the Telecom Cybersecurity Rules, 2024. Through this draft amendment, it has sought to introduce a new category of service providers within the scope of the rules. Called Telecom Identifier User Entities (TIUEs), these are entities that use telecom identifiers to validate their users or deliver their services.

MediaNama’s discussion aimed to understand the impact of these rules on businesses of different scales, workflow disruptions, and onerous compliance requirements. It also sought to explore the privacy implications of the draft amendment for end users and the jurisdictional issues arising between the IT Ministry and the DoT.

Our objective was to identify:

  • The scope of the compliance burden that the draft amendment imposes on businesses
  • Disruption to onboarding and validation workflows
  • The intent behind the draft amendment
  • The effectiveness of the MNV platform in preventing fraud and cybercrimes
  • The effectiveness of the current KYC measures in place
  • Risk of capturing businesses that have minimal telecom interactions (e-receipts/loyalty programs, and food delivery services)
  • Scope for shifting to alternative forms of user validation, like email
  • Impact of the platform on user privacy
  • Possible limitations on the scope of information TIUEs will have to give back to the DoT
  • Checks and balances to prevent misuse of MNV details by businesses
  • Privacy safeguards that are necessary for the MNV platform
  • Jurisdictional overlap between the IT Ministry and the DoT

Download the event report here

Executive Summary

In June this year, the Department of Telecommunications (DoT) released a draft amendment to the Telecom Cybersecurity Rules, 2024. With this amendment, businesses that use telecom identifiers to validate customers and deliver services will have a range of compliance requirements, including sharing data related to the identifiers with the Government and validating users via a Mobile Number Validation (MNV) Platform. During MediaNama’s discussion on the amendment to the rules, speakers pointed out several concerns about the broad scope of its application. They noted that the rules provide limited clarity on how the platform would function and what information would be shared with Telecom Identifier User Entities (TIUEs) seeking user validation services. Unanimously, participants expressed that the Government should provide transparency about the platform’s functioning. Some argued that the unclear voluntary or mandatory nature of the platform leaves businesses unsure about whether they have to integrate it into their workflows, particularly if they rely heavily on mobile numbers. It was argued that the lack of safeguards on the type of information TIUEs may have to share with the Government or telecom providers could expose commercial data and create competitive risks. Some participants agreed that telecom companies could potentially leverage this information to enter competing business lines, though it remains unclear whether the platform will reveal which business initiated what type of request or the purpose of that request.

One of the participants suggested that the lack of clarity around the MNV Platform structure and functioning could be intentional, with the rules leaving its form and manner largely undefined to accommodate different business needs. 

It was pointed out that the amendment could potentially affect all businesses that use mobile numbers for services, including digital businesses and physical retailers offering digital receipts. Participants also expressed worries about the high costs and challenges associated with the validation process, including financial, staff training, and data privacy concerns. The validation costs via the MNV platform were significantly higher than current methods like OTPs, which cost around 12–15 paise (p) per message. While some suggested that it could cause businesses to move to alternate forms of user validation, others pointed out that mobile numbers have become a key component of digital services, which would make a shift to other forms of validation infeasible. Concerns were also raised about the fact that the rules allow for multiple validations, which could create customer irritation. 

With regard to the implementation of the validation service by social media platforms, participants emphasised that it could eliminate anonymity, which is essential for personal safety and free expression. However, others argued that internet anonymity should not be used to defraud others. Besides this, participants expressed worry about the data disclosure requirement under the rules. They pointed out that the Government already has alternative methods for data disclosures from businesses, questioning the necessity of additional measures.

Despite these challenges, some suggested that an MNV platform could be useful to prevent fraud, provided that it gives businesses insight into the pattern of fraudulent activity based on the information that telecom companies have about their users. However, others argued that in their present shape, it is unclear how the rules would prevent fraud. Some pointed out that validating mobile numbers alone might not address broader fraud issues, as identity verification does not fully mitigate the risk. There are also underlying issues within the existing KYC (Know Your Customer) ecosystem, with fraud still prevalent despite updates to KYC processes. Some feared that by consolidating user data, the MNV platform could inadvertently facilitate surveillance or contribute to privacy risks, potentially exacerbating fraud in the digital space.

Questions were also raised about whether regulating digital services actually falls within the DoT’s jurisdiction, given that one of the major categories of businesses affected by the regulation would be internet companies that are currently under the IT Ministry’s jurisdiction. Some argued that the draft rules reflect an ongoing trend of jurisdictional overlap between the DoT and the Ministry of Electronics and Information Technology (MeitY), as the lines between the Ministry of Communications and MeitY have over time become increasingly blurred. This overlap could complicate regulatory enforcement, especially as multiple ministries, such as the Ministry of Health, are also introducing regulations that affect the internet. 

Advertisements

Elsewhere, concern was raised about the user rights implications of the draft amendment. Participants pointed out that the absence of clear oversight regarding who can initiate validation requests could lead to potential unauthorised data collection. There was also concern that the MNV platform could enable profiling of users based on the services they seek, which could result in commercial and users’ privacy violations. 

The lack of transparency in the validation process was a significant concern as well, as users would not be notified when their numbers are validated, leading to insecurity and diminished control over their personal data. Additionally, participants pointed out that the rules do not clarify who can access the MNV platform, leaving the door open for misuse by non-licensed entities. There was also concern about the lack of a clear authority to penalise businesses for misusing the platform. Furthermore, the rules do not address situations where a number is shared or used by multiple family members, which could lead to confusion between impersonation and legitimate usage.

Video and coverage:

MediaNama’s coverage of the discussion can be found here.

MediaNama hosted this discussion with support from PhonePe, Truecaller and Meta. Our community partners for this event were Broadband India Forum, CUTS-International and the Internet Freedom Foundation (IFF).

Also Read:

Support our journalism:

For You