Decluttering the debate on Regulating the OTT communication apps
While I have written many articles on this issue, and on this one, I plan to be absolutely straight — first lay out the objective, and then analyze whether the objective can get realized by regulating OTT communication apps using the conventional approach. If not, what possible alternatives can be explored?
What is the Government’s Objective?
To prevent OTT from being misused. This means — preventing the theft of identity on the OTT app and using it as a shield to spread fake messages and cause fraud.
How can an identity get stolen?
By getting temporary access to the SIM of a feature phone user (who does not have access to the OTT app) and using it to configure WhatsApp on your phone. Then returning the SIM back to the original user. Since WhatsApp does not need an underline SIM to function, the identity of the user (whose SIM you borrowed) remains with you, until you decide to change your WhatsApp number.
What problems can it cause?
It will be impossible for the agency (responsible for law and order) to attribute a crime to you as it shows up linked to the mobile number of the account whose identity you have stolen.
How can this problem be solved?
The only meaningful way to solve this problem is to bind the OTT app with the SIM. This means — for the OTT app to work on a mobile phone, the phone must be loaded with the same SIM which was initially used for logging into the OTT app.
How to bind the OTT app to the SIM?
We can do so by enabling the OTT app’s access to the mobile phone’s physical player. Please note that the OTT apps work on the application layer, quite unlike the mobile phone, which works on the physical player. Using this physical layer, the network reaches out to the mobile subscribers using their IMEI number (bound with the SIM). However, OTT app subscribers are identified by their IP address. There is no direct link between the IMEI number of the mobile phone and the OTT app's IP address.
Why IP addresses and IMEI numbers are NOT linked?
As it will make the system more vulnerable to attacks. Today, India uses SMS-based OTP authentication as an alternate means of logging into accounts. This system (using SMS-based authentication) has helped prevent financial fraud and increase the robustness of the internet-based service delivery system. Therefore, allowing OTT to have access to the SIM might make the system less secure and increase the opportunity for fraud.
Can licensing OTT communication apps solve the problem?
Might not. Why? As no purpose will be served unless you figure out a mechanism to bind the OTT app to the hardware of the mobile phone or at least the SIM. As explained above, doing so is difficult and not advisable. The reason — it jeopardizes the overall robustness of the mobile network system. If that happens it will result in a much bigger problem than what we have on hand. Note — mobile-linked Aadhar-based authentication is used for KYC and is the primary means of enabling the security of all internet-based banking transactions.
What can be an alternative solution?
The only way to enable a solution is to link the database of active mobile subscribers with that of the OTT platform along with the user's geographical locations. As soon as a user’s OTT IP address pops up in a location that is different from its mobile location, the same number should be flagged and investigated. Then appropriate action should be taken against the user which is cloning the identity. There could be other solutions, but none that I can think of now which can help mitigate this problem.
To sum up, it seems that the GOI has a problem in hand that it intends to solve. The debate on regulating the OTT app has emanated from this intent. But most of the narrative on the ground looks directionless and does not address the key issue on hand that needs resolution. I hope this throws some clarity on the problem and might help steer the discussion to a workable robust solution and not end up expanding the quantum of problems that we already have to resolve.
(Views expressed are my own and do not reflect that of my employer)
PS: Find the list of other relevant articles in the embedded link.
