TRAI’s Whitelisting Directive Explained: Everything You Need to Know

In August 2024, the Telecom Regulatory Authority of India (TRAI) issued an important directive aimed at enhancing the security of commercial telecom communications. Known as the Whitelisting Directive, this new rule targets malicious actors who exploit telecom messaging channels to deceive consumers through phishing scams, malware, and unauthorized links. TRAI's goal is to build a more secure telecom ecosystem that both protects consumers and ensures the integrity of commercial communications.

Key Goals of the Directive:

  • Consumer Protection: Shielding consumers from phishing, smishing, and malware attacks.
  • Restoring Trust: Reaffirming SMS as a secure and reliable communication channel for enterprises.

In this comprehensive guide, we will break down the technical aspects of this directive, explain its implications for enterprises and access providers, and answer frequently asked questions (FAQs) about the new regulations.

What is TRAI’s Whitelisting Directive?

TRAI's Whitelisting Directive is a regulatory mandate that requires all URLs (web links), APKs (Android Package Kits), and OTT (Over-The-Top) platform links used in SMS communications to be whitelisted—approved and verified—before being sent to consumers. The directive is effective from October 1, 2024. Any URL, APK, or OTT link that is not on the approved whitelist will be blocked from being transmitted through telecom channels.

This regulation was introduced as part of TRAI’s continued effort to combat telecom fraud, especially phishing and smishing attacks that use SMS as a medium to target consumers.

Why Was the Whitelisting Directive Introduced?

Over the past few years, there has been a surge in phishing attacks and fraudulent activities via SMS, where malicious actors trick consumers into clicking harmful links or downloading unsafe applications. These scams often lead to identity theft, unauthorized financial transactions, or malware infections.

TRAI’s directive aims to address these issues by enforcing stricter security measures:

  1. Preventing Fraud: Whitelisting ensures that only trusted URLs and applications reach consumers.
  2. Safeguarding the SMS Channel: By reducing the number of fraudulent messages, TRAI seeks to restore trust in SMS as a reliable communication medium.

Key Components of the Whitelisting Directive

The Whitelisting Directive primarily focuses on the following elements:

  • URLs: Any web link shared through SMS must be vetted and approved by telecom operators before being sent. This prevents malicious URLs from reaching users.
  • APKs (Android Package Kits): APKs, the files used to distribute applications on Android devices, are often used in SMS campaigns. With whitelisting, only authorized APKs can be distributed via SMS.
  • OTT Links: OTT platforms like messaging apps (WhatsApp, Telegram) are frequently included in SMS campaigns. These links must also be whitelisted before they can be shared with consumers.
  • Call-Back Numbers: A separate but related concern under this directive is the verification of call-back numbers (e.g., customer care or toll-free numbers). While the regulation around call-back numbers will be introduced later, this move aims to close loopholes that allow fraudsters to use fake numbers to deceive consumers.

How Does Whitelisting Work?

Whitelisting refers to the process of approving certain digital elements (such as URLs and APKs) before they can be used in telecom communications. Here’s how it works:

  1. Submission of Digital Assets: Enterprises must submit all URLs, APKs, and OTT links to their Access Providers (telecom operators like Vodafone, Jio, or Airtel) via the Distributed Ledger Technology (DLT) platform.
  2. Review and Approval: The access provider reviews the submitted links, APKs, or OTT links to ensure they are safe and trustworthy.
  3. Whitelisting: Once approved, these elements are added to a whitelist database, allowing them to be included in SMS communications.
  4. Blocking Unverified Content: Any SMS containing a non-whitelisted URL or APK will be automatically blocked by the telecom operator, preventing it from reaching the consumer.

Impact on Enterprises and Access Providers

Both enterprises and telecom access providers are affected by this directive. For businesses that rely on SMS campaigns, compliance with this new regulation is critical. The directive brings a significant shift in how enterprises approach their SMS campaigns. They now have the responsibility to whitelist any URLs, APKs, and OTT links they intend to include in their communications. This process involves submitting these elements for verification and approval to Access Providers (telecom operators like Vodafone, Jio, or Airtel) through the Distributed Ledger Technology (DLT) platform.

For Enterprises

  • Compliance Requirement: Enterprises must ensure that all the digital assets they use in SMS campaigns are whitelisted. Failure to do so may result in blocked communications, affecting their marketing and customer engagement efforts.
  • Planning and Coordination: Enterprises need to coordinate with their telecom access providers to submit URLs, APKs, and OTT links in advance. This ensures their campaigns are not disrupted.
  • Re-evaluation of Shortened URLs: Many businesses use URL shorteners to save space in SMS messages. With the new directive, even shortened URLs need to be whitelisted before they can be included in an SMS.

For Access Providers

  • Whitelisting Database Management: Access providers must maintain and update a database of whitelisted URLs, APKs, and OTT links. They are also responsible for ensuring the smooth operation of the whitelisting mechanism.
  • Deployment of Chain-Code: To enable the secure exchange of whitelisted information across networks, access providers need to deploy chain-code technology, which ensures that whitelisted data can be shared securely between different telecom providers.

Call-Back Numbers: What to Expect

While the directive on call-back numbers will be rolled out separately, this feature is crucial for preventing fraud via voice calls. Fraudsters often manipulate caller IDs to appear as legitimate businesses, deceiving consumers into sharing sensitive information. TRAI’s regulation around call-back numbers aims to address this loophole by ensuring that only verified numbers can be used in telecom communications.

What Qualifies as a Call to Action (CTA)?

A Call to Action (CTA) refers to any element within an SMS that encourages the recipient to engage, such as clicking a link, calling a number, or sending an email. These digital assets must be whitelisted under the new regulation to ensure legitimacy.

Examples of CTAs:

  • URLs: Directing users to a website.
  • OTT Chatbot Links: Opening messaging platforms.
  • Customer Care Numbers: Toll-free numbers or short codes.
  • Email Addresses: Encouraging email communication.

All these CTA elements must be registered and whitelisted through the DLT platform to prevent fraudulent entities from using fake or malicious links to deceive consumers.

How to Ensure Compliance with TRAI's Directive

To comply with TRAI’s new regulations, enterprises need to follow a specific process for whitelisting their URLs, chat links, APKs, email addresses, and phone numbers. Here are the steps:

  1. Compile a List of Digital Assets: Identify all URLs, APKs, OTT chat links, and phone numbers used in SMS campaigns.
  2. Submit to Access Providers: Submit these assets via the DLT platform, which serves as a centralized registration and approval system.
  3. Review and Approval: Access providers will review the submissions, and approved assets will be added to the whitelist database.
  4. Monitor and Update: Enterprises must ensure their whitelisted assets remain up-to-date to avoid disruptions in SMS traffic.

Security of the Whitelisting Process

Security is paramount when it comes to the whitelisting process, particularly when dealing with sensitive data such as URLs, email addresses, and phone numbers. TRAI’s directive ensures that communications and digital assets are encrypted during transmission and storage.

Blockchain technology plays a key role in providing transparency and safeguarding data integrity, as all transactions and approvals are logged and decentralized. This guarantees that businesses can trust the platform while remaining compliant with global data protection standards.

The Cost of Whitelisting

The core whitelisting service is free for enterprises on platforms like Vodafone's DLT. However, some additional services, such as URL shortening, may carry a cost after an initial grace period.

For enterprises managing long URLs in SMS campaigns, Vodafone offers a built-in URL shortening service, which will be available under both subscription-based and pay-per-use models. This service ensures that even shortened URLs are compliant with TRAI’s regulations and helps enterprises better manage their SMS communications.

Timeline for Compliance

The Whitelisting Directive is set to be enforced starting October 1, 2024. Enterprises and access providers must ensure compliance by this date. Failure to comply will result in messages containing non-whitelisted URLs or APKs being blocked.

The timeline for whitelisting call-back numbers will be announced separately. While enterprises will have additional time to comply with the call-back number regulation, they should start preparing for it now.

Conclusion

The Whitelisting Directive is a game-changer for telecom security in India, ensuring that consumers are protected from malicious SMS campaigns and fraudulent activities. While it presents challenges for both enterprises and access providers, the long-term benefits of increased security and consumer trust far outweigh the initial efforts required for compliance.

With the October 1, 2024 deadline approaching, now is the time for businesses to ensure they are ready to comply. By following TRAI’s guidelines and staying informed about updates, enterprises can avoid disruptions to their communications and contribute to a safer telecom ecosystem.

Frequently Asked Questions

1. What is the new TRAI regulation regarding SMS communications?

The Telecom Regulatory Authority of India (TRAI) has mandated that all URLs, APKs, OTT links, and callback numbers used in commercial SMS messages must be whitelisted before they can be transmitted. This regulation aims to combat fraudulent activities and enhance consumer protection by ensuring only verified and trusted content is sent to consumers.

2. When does this regulation come into effect?

The regulation comes into effect on October 1, 2024. Starting from this date, telecom operators will block any SMS traffic containing non-whitelisted URLs, APKs, or OTT links.

3. Why has TRAI introduced this regulation?

The primary reason is consumer protection. There has been a rise in fraudulent activities like phishing scams and malware distribution via SMS. By mandating the whitelisting of URLs and other CTAs, TRAI aims to prevent malicious entities from deceiving consumers and to restore trust in SMS as a secure communication channel.

4. What qualifies as a Call to Action (CTA) under this regulation?

A CTA is any element in an SMS that encourages or expects the recipient to engage or respond. This includes:

  1. URLs directing to websites.
  2. APK links for app downloads.
  3. OTT chat links (e.g., WhatsApp links).
  4. Callback numbers (mobile numbers, toll-free numbers, landlines).
  5. Email addresses for further communication.

5. How do enterprises whitelist their CTAs?

Enterprises must register their CTAs on the Vi DLT (Distributed Ledger Technology) platform. The platform allows for both single and bulk CTA whitelisting. Once registered, the CTAs are propagated across all telecom operators via blockchain technology, ensuring compliance network-wide.

6. Are there any charges for registering or updating CTAs on the Vi DLT platform?

Currently, there are no additional fees for registering or updating CTAs on the Vi DLT platform. CTA whitelisting is included as part of the annual maintenance fee that enterprises already pay.

7. What about URL shortening services?

The Vi DLT platform offers a URL shortening service as an add-on feature beneficial for enterprises dealing with SMS character limitations:

  1. First 60 days: Free usage of the URL shortening service.
  2. After 60 days: Available under subscription-based or pay-per-use models, competitively priced compared to public URL shortening services.

8. Do enterprises need to modify their existing SMS templates?

Yes, enterprises may need to modify SMS templates to include the whitelisted CTAs. Specifically, when using shortened URLs, the new format requires including the SMS header within the URL. This may involve development changes on the enterprise's side to comply with the new format.

9. How does the new format for shortened URLs work?

The new format for shortened URLs includes:

  1. Protocol: https:// or http://
  2. Shortened Domain: Your whitelisted domain.
  3. SMS Header: Your registered SMS header.
  4. Dynamic Key: A unique identifier or path.

Example: https://shortdomain.com/SMSHeader/dynamicKey

10. What happens if an enterprise fails to whitelist their CTAs by October 1, 2024?

Any SMS containing non-whitelisted URLs, APKs, or OTT links will be blocked by telecom operators starting October 1, 2024. There will be no grace periods or extensions, so it's crucial for enterprises to act promptly to avoid communication disruptions.

11. Are dynamic URLs with variables supported under the new regulation?

Yes, but with conditions:

  1. Dynamic parameters are allowed only after the query string (?).
  2. Dynamic paths before the query string are currently not supported.
  3. Enterprises should whitelist the static part of the URL up to the query string.
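
An added example (not code from the original article or from the Vi DLT platform): a pre-send check an enterprise could run over its SMS templates, modelling the shortened-URL layout from FAQ 9 and the FAQ 11 rule that only the static part up to the query string is whitelisted. The whitelist entries, the header name and the exact-match comparison are assumptions for illustration; the operators' actual scrubbing logic is not described on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample registrations (placeholders, not real whitelist entries).
WHITELISTED_STATIC_URLS = {"https://example.com/survey"}
WHITELISTED_SHORT_DOMAINS = {"shortdomain.com"}
REGISTERED_HEADERS = {"SMSHeader"}

# Assumption: only links with an explicit http(s) scheme are detected.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def static_part(url):
    """Everything before the query string: scheme://host/path."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def check_short_url(url):
    """Validate the domain/header/key layout; return a reason or None."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if len(segments) != 2:
        return "short URL is not domain/header/key"
    if segments[0] not in REGISTERED_HEADERS:
        return f"header {segments[0]!r} is not registered"
    return None


def check_sms(body):
    """Return (url, reason) for each link that fails the pre-send check."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop sentence punctuation stuck to the link
        if urlsplit(url).netloc.lower() in WHITELISTED_SHORT_DOMAINS:
            reason = check_short_url(url)
        elif static_part(url) in WHITELISTED_STATIC_URLS:
            reason = None  # dynamic values, if any, sit after "?"
        else:
            reason = "static part is not whitelisted"
        if reason:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    samples = [  # constructed message bodies
        "Rate us: https://example.com/survey?id=8841&agent=17",
        "Rate us: https://example.com/survey/8841",
        "Offer: https://shortdomain.com/SMSHeader/a1B2c3.",
        "Offer: https://shortdomain.com/a1B2c3",
    ]
    for body in samples:
        print(body, "->", check_sms(body) or "OK")
```

The second sample is flagged because the dynamic value sits in the path rather than after the `?`, which is the case FAQ 11 says is not supported.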

12. What about callback numbers and email addresses?

While the regulation for URLs, APKs, and OTT links is effective from October 1, 2024, the scrubbing of callback numbers and email addresses will begin at a later date announced by TRAI. However, enterprises are encouraged to start whitelisting these CTAs proactively to avoid any last-minute disruptions. Once the enforcement date for callback numbers is announced, non-compliance will lead to blocked SMS communications containing non-whitelisted numbers.

13. Are there differences in whitelisting processes for URLs, APKs, OTT links, and callback numbers?

The whitelisting process for all CTA elements, including URLs, APKs, OTT links, and callback numbers, follows a similar registration process via the Distributed Ledger Technology (DLT) platform. However, each element must be whitelisted separately. While whitelisting of URLs and APKs is enforceable from October 1, 2024, callback numbers will follow a separate timeline announced by TRAI.

14. Can enterprises use third-party URL shortening services?

Yes, but:

  1. The shortened domain must be whitelisted on the Vi DLT platform.
  2. The URL must follow the new format, including the SMS header.
  3. Coordination with third-party service providers is essential to ensure compliance.

15. How does the Vi DLT platform ensure data security during the whitelisting process?

The platform employs robust security measures:

  1. Encryption of communications and registrations.
  2. Use of blockchain technology for data decentralisation and tamper-proofing.
  3. Access to sensitive data is restricted to authorised personnel.

16. What should enterprises do if they have multiple SMS headers or manage multiple brands?

Enterprises can:

  1. Choose any of their active SMS headers when whitelisting CTAs.
  2. The header used in the URL is for entity identification and does not need to match the SMS message header.
  3. This allows flexibility for managing multiple brands or headers.

17. Are there limitations on the number of variables in an SMS template under the new regulation?

While there's no specified limit on variables, enterprises must:

  1. Ensure that variables do not interfere with compliance requirements.
  2. Avoid including non-whitelisted CTAs within variables.
  3. Be cautious to prevent misuse or non-compliance.

18. How can enterprises handle use cases involving dynamic CTAs, like unique survey links or agent contact numbers?

  1. For dynamic URLs: Whitelist the static part up to the query string and use dynamic parameters after (?).
  2. For dynamic contact numbers or emails: Currently, these are not being scrubbed, but enterprises should plan to whitelist them for future compliance.

19. Is support available for enterprises during this transition?

Yes, enterprises can:

  1. Reach out to the support team via email at support@vilpower.com.
  2. Access video tutorials and documentation provided by Vi.
  3. Participate in webinars and training sessions for guidance.

20. What are the consequences of non-compliance with the new TRAI regulation?

Consequences include:

  1. Blocking of SMS messages containing non-whitelisted CTAs.
  2. Disruption in communication channels with customers.
  3. Potential loss of trust and reputational damage.
  4. Possible financial losses due to communication failures.

21. How does this regulation benefit enterprises in the long run?

Benefits include:

  1. Enhanced customer trust through secure and verified communications.
  2. Protection against brand misuse and fraudulent activities.
  3. Improved message deliverability and engagement rates.
  4. Alignment with regulatory standards promoting a safer communication environment.

22. What measures should enterprises take immediately to comply with the new regulation?

Enterprises should:

  1. Audit all current SMS templates for CTAs.
  2. Whitelist all URLs, APKs, OTT links, callback numbers, and email addresses on the Vi DLT platform.
  3. Modify SMS templates to include whitelisted CTAs.
  4. Test messages to ensure compliance and deliverability before October 1, 2024.

23. Are there any exceptions or grace periods for certain sectors or types of messages?

No, the regulation applies to all sectors and types of commercial messages. There are no exemptions, and all organisations must comply by the specified deadline.

24. How does the integration with other telecom operators work?

  1. Once CTAs are whitelisted on the Vi DLT platform, the information is propagated across all telecom operators via blockchain.
  2. This ensures that messages are compliant regardless of the recipient's network provider.

25. Can enterprises continue using generic shortened URLs or third-party links without modifications?

No, enterprises must:

  1. Ensure all shortened URLs are whitelisted.
  2. Modify the URLs to include the SMS header as per the new format.
  3. Coordinate with third-party providers to meet compliance requirements.

26. How can enterprises monitor the performance of their SMS campaigns under the new regulation?

The Vi DLT platform provides:

  1. Comprehensive reporting features, including click rates and engagement metrics.
  2. Webhook configurations to retrieve click data for shortened URLs.
  3. Analytics to help fine-tune campaigns and improve effectiveness.