Medianama, August 07, 2025
In July this year, the Department of Telecommunications (DoT) released a draft amendment to the Telecom Cybersecurity Rules, 2024, introducing a Mobile Number Validation (MNV) platform. The draft amendment has introduced a new category of services that will fall within the scope of the DoT’s rules. These services are referred to as Telecom Identifier User Entities (TIUEs), which validate users via phone numbers.
The amendment has imposed several obligations on TIUEs, including following orders to suspend the use of certain telecom identifiers, providing the DoT with data related to these identifiers, and validating users using an MNV platform, as per government directions. According to the rules, the usage of the MNV platform can be mandatory for certain sectors if ordered by a government entity.
MediaNama’s discussion on the MNV rules and their impact on internet businesses highlighted several issues related to user rights and privacy.
Ambiguity on How MNV Data Is Protected and Accessed
Aman Taneja, a technology lawyer and partner at Ikigai Law, points out the ambiguities of the draft amendment regarding who can use the MNV platform. “Are there any checks and balances in my ability to even start pinging this database? For instance, with Aadhaar, to be a user entity, there are certain requirements that you need to meet. That’s how you get onboarded and have the ability to ping that database. Here, that doesn’t seem to be the case. At least not something which is coming out specifically from the rules.”
The rules also do not contain any penalty provisions for the misuse of the data obtained from the MNV platform. Apar Gupta, the co-founder of the Internet Freedom Foundation (IFF), says, “This is a platform. It can be used to enrich other databases. But which database it enriches and how long it is stored is not specified. And the safeguard is that it should be used strictly for that cybersecurity incident. However, if you examine rules four and five, which pertain to private platforms making such requests to validate users, as intended, and the data security requirements, there are no penalty provisions.”
“Usually in regulations, you have penalty provisions that if there is an authority, firstly, you need to identify the authority that identifies the misuse. Secondly, what sanctions can it place on the identification of that misuse, like the issuance of a show cause or the termination of that entity from being there on the platform? These things are not present within these rules,” he elaborates.
Taneja points out that the MNV platform is “potentially one of the largest honeypots of data which you get to add on top of every service that I, as an internet user, am using.”
Data Protection Laws & the MNV Platform
Pointing out (in a query about the misuse of data from the platform) that the Digital Personal Data Protection (DPDP) Act, 2023, has not been enforced, MediaNama Founder-Editor Nikhil Pahwa asked what laws apply to users of the MNV platform. Taneja responded that businesses need to adhere to “applicable laws relating to data protection; that is what these rules refer to.” In the absence of the DPDP, he says that these are the Information Technology Act, 2000, and the Sensitive Personal Data Rules, 2011.
Pahwa further questioned what user protections are in place in cases “where your activity information could actually be given back to the platform for profiling you at a centralised level”. Taneja points to a lack of clarity on the issue in the amended rules.
When referring to the DPDP and whether it can protect user data from being accessed by the government, Aman Taneja points out that the law has exemptions. “I think the risk there is that there are sufficient exemptions within the DPDP framework as well, where if a government order or a mandate is coming from law, which could basically dilute all the requirements under the DPDP Act. So, there is a genuine risk to user rights that I anticipate coming from there,” he says.
“If you see the DPDP exemptions also, in Section 17, it talks about exemption in cases of the interest of preventing a crime or on the basis of a lawful order by an entity entrusted with law enforcement, for instance. Those are two separate exemptions within the law. So, consent, which is otherwise the construct in that law, goes away,” he elaborates.
DATA Insecurity CONCERN, not surveillance RISK
In this discussion, Gupta opined that the risk is not political surveillance from this platform. He says, “I’m not talking about political surveillance risks here. I would like to make that very clear. I’m talking about the insecurity that will result over a period of time when different agencies of the central government gather our data, sell that data, and take it from the private sector as well, and there is a lack of a mere notice to you.”
He refers to the economic value of this data for the government, saying, “The state is looking to trade in data. The National Economic Survey makes it very clear, and this is going to lead to a greater degree of control and a lesser number of user rights.”
The Lack of a Grievance Redressal Mechanism
For consumers, phone numbers have become a crucial aspect of validating identity and accessing services, including crucial sectors like healthcare, communication, and payment. However, the draft amendment does not contain any grievance redressal mechanism for users whose numbers are not validated.
Krishank Jugiani, a senior research associate at CUTS International, says, “I think we also inferred that any entity could be potentially included under the purview of these amendment rules. So, it is clear that once the denial of services has happened, there is no mechanism for grievance reversal that is proposed in the rules. I think, at a minimum, there should be at least a notification to the user if that is a genuine user, or let’s say, a resolution window should be open. But it also raises the question that it puts the burden on the consumer to prove that they are the genuine user of the number.”
Pahwa enquired what the grievance redressal mechanism could be if someone’s number is cut. “Let’s say my access to services has been cut off under the telecom rules; can I still go and file a grievance redressal claim under the IT rules to get my number reinstated? And then what would supersede in this case? Would the IT rules supersede or would this supersede telecom?” he asked.
Taneja pointed out that grievance redressal mechanisms of companies under the IT rules would not have the power to overturn government orders on directions to block a number.
Meanwhile, Gupta highlighted that Rule 5 of the original Telecom Cybersecurity Rules empowers the Central Government to issue directions to telecom entities to block the use of telecom equipment with tampered IMEI numbers within their networks or services. However, disconnection under this rule can be appealed after the order is issued.
“I would imagine that if somebody’s number is disconnected, their inability to access daily services will cause a high amount of harm to them. And they will look towards utilising another phone number, possibly of a relative or a friend, without giving their own KYC records. If a disconnection happens of that number itself, or a security incident is established under Rule 5, I don’t think there is an expeditious or a real remedy that is here. Because the barrier for disconnection that is there is not present here,” Gupta adds.
A use-case scenario that came up during the discussion was of families or groups that share SIM cards. Pahwa and audience members raised the possibility that someone might register a number under a specific family member’s name or use their own number to access a service on behalf of a family member.
Amrindar Dhaliwal, the Chief Product Officer of IndiaMART, drew attention to the “line between impersonation and doing it for someone else”, saying that “the line can’t be judged digitally”. “I mean, you need to have a method to do it,” he said.
Dhaliwal said that under these rules, the service will have to be taken in the name that the phone number is registered to.
This news item can also be viewed at:
https://www.medianama.com/