On December 6, 2024, India's Department of Telecommunications notified the Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024, replacing the much-debated Rule 419A of the Indian Telegraph Rules that had governed phone tapping since 2007. Issued under the Telecommunications Act, 2023, the new rules are now the operative framework for state interception of communications carried over licensed networks. Through 2025 and into 2026, however, the more consequential debate has been about what the new regime could reach next: end-to-end encrypted messaging apps like WhatsApp, Signal and Telegram, which today sit under the IT Act, 2000 and the IT Rules, 2021 — not the telecom code.
What actually changed in December 2024
The 2024 Rules retain the basic architecture of 419A — interception orders must be issued by the Union Home Secretary (or a State Home Secretary), reviewed by a committee headed by the Cabinet Secretary, and are valid for limited periods. But they tighten timelines, formalise digital workflows, and explicitly contemplate emergency interception by senior officers with a 7-day ratification window. Crucially, they sit under Section 20 of the Telecommunications Act, 2023, which itself uses a broader vocabulary than the 1885 Telegraph Act it replaced.
That definitional choice is where the OTT question lives. Section 2(p) of the Telecommunications Act defines telecommunication as the "transmission, emission or reception of any messages, by wire, radio, optical or other electro-magnetic systems". Section 2(t) defines a telecommunication service as "any service for telecommunication". Read literally, that is wide enough to cover any internet-based messaging app. Read in light of the Act's licensing carve-outs and the Government's own 2023 assurances during parliamentary debate, OTTs were said to remain governed by the IT Act. The Rules themselves do not resolve the question — they leave it to the parent statute.
The OTT-into-telecom debate
That ambiguity has been actively exploited. Industry associations representing telecom carriers — most prominently COAI — have argued for years that "same service, same rules" should apply to OTT communications apps that compete with SMS and voice. In 2023, the Telecom Regulatory Authority of India (TRAI) reopened a consultation on regulating OTT communication services, including the possibility of lawful interception parity. The 2024 Rules give that long-running campaign a more concrete target: if OTTs are read into the Act's definitions through subordinate notification or judicial interpretation, the new interception framework becomes the default.
For end-to-end encrypted services, the implications are severe. WhatsApp has been litigating the IT Rules, 2021 traceability mandate in the Delhi High Court since 2021, arguing that compelled identification of the "first originator" of a message is technically impossible without breaking encryption for all users. Bringing the same providers under the lawful interception regime designed for telcos — who hold the keys to their own networks — would compound that pressure rather than resolve it.
Why proportionality should win this argument
India has legitimate security interests. The Supreme Court's PUCL v. Union of India (1997) judgment and the Puttaswamy privacy ruling (2017) both accept that interception is permissible — but only where it is necessary, proportionate, and procedurally safeguarded. The 2024 Rules improve procedure at the margins. They do not, however, supply a doctrinal answer to the harder question: what does proportionality require when the "interception" demanded would force a provider to redesign a global encrypted protocol?
A pro-innovation reading of the Act would treat the OTT-inclusion question as a policy choice for Parliament, not a definitional one to be settled by executive notification. Three reasons:
- Encryption is critical infrastructure. Banking, healthcare, journalism and government workflows all depend on commodity E2EE messengers. Weakening them to mirror a telco-style intercept regime imposes systemic costs that fall outside what any single Home Secretary order is equipped to weigh.
- The IT Act framework already exists. Section 69 of the IT Act and the 2009 Decryption Rules provide a parallel — and arguably overbroad — mechanism for compelling decryption assistance. Layering the 2024 Telecom Rules on top would create duplicate, conflicting authority without closing any genuine gap.
- Global comparators are moving the other way. The UK's 2023 climbdown on the Online Safety Act's E2EE scanning provisions, and the European Court of Human Rights' 2024 Podchasov v. Russia ruling that compelled decryption violated the ECHR, both point to a hardening international consensus that bulk encryption-breaking is disproportionate.
What good policy looks like from here
The Government should clarify — by amendment or formal clarification — that the Telecommunications Act's lawful interception framework does not extend to OTT communication services, which remain governed by the IT Act. If India wants to revisit OTT-specific obligations, that conversation belongs in primary legislation, with the full Puttaswamy proportionality test applied. The Standing Committee on Communications and IT, which has examined OTT regulation in earlier reports, is the right forum.
The 2024 Rules are a genuine modernisation of a creaking 419A framework. They are not, and should not be quietly converted into, a backdoor for breaking end-to-end encryption in one of the world's largest messaging markets.