India encryption policy / platform regulation

India's WhatsApp Username Freeze Rests on Statutes That Don't Authorize It

MeitY froze WhatsApp's usernames feature over fraud fears, but cites no law giving it power to pre-approve app features.

India's Username Standoff, By the Numbers People of Internet Research · India Jun 29, 2026 Global rollout begins WhatsApp starts rolling out userna… Jul 1, 2026 MeitY notice issued Government demands explanation wit… 3 Platforms under notice WhatsApp, Telegram and Signal all … 2 Statutes cited by MeitY IT Act 2000 and IT Rules 2021 — ne… peopleofinternet.com
India's Username Standoff, By the Numb… People of Internet Research · India Jun 29, 2026 Global rollout begins Jul 1, 2026 MeitY notice issued 3 Platforms under notice 2 Statutes cited by MeitY peopleofinternet.com

Key Takeaways

A feature freeze, not a formal ban

On 29 June 2026, WhatsApp began a global rollout of usernames — letting people message each other without exchanging phone numbers. Within days, India's Ministry of Electronics and Information Technology (MeitY) sent WhatsApp a notice, dated 1 July, demanding an explanation within three days and directing the company not to launch the feature in India "until consultations conclude to the Government's satisfaction" (The Register). MeitY then widened the inquiry to Telegram and Signal, which already run username-based contact discovery, and set a consolidated deadline of 9 July for all three platforms to respond (Rest of World). WhatsApp filed its response on schedule; MeitY says it is still "examining" it.

The government's case deserves a fair hearing

MeitY's underlying concern is not fanciful. India has one of the world's highest exposures to "digital arrest" scams and UPI-linked fraud, and much of it is engineered through impersonation — fraudsters posing as police, tax officials, or bank representatives over chat and voice calls. A username system that lets a stranger message you without ever revealing a phone number does remove one of the few low-friction verification signals ordinary users currently rely on: a mobile number tied, however loosely, to a real SIM registration. If usernames closely mimicking government agencies, public figures, or financial institutions remain easy to claim, that is a legitimate design flaw worth pressing on — regulators pushing platforms to close impersonation gaps before launch, rather than after victims lose money, is a defensible instinct, not reflexive control-seeking.

But the legal basis for a pre-launch veto is thin

The problem is what MeitY is actually claiming the power to do: block a privacy feature from shipping in India at all, pending its approval. The notice invokes the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (The Register). Neither does the work MeitY needs it to. Section 79 of the IT Act is a safe-harbour provision — it sets conditions under which an intermediary is shielded from liability for third-party content; it says nothing about pre-clearing product features (Section 79, IT Act 2000). The Internet Freedom Foundation, which published a formal legal challenge the same day as MeitY's notice, put it directly: "the notice has no clear basis in law. It is an attempt by the executive to decide what a company may build and ship, which no statute permits" — and separately, that Sections 66C and 66D of the IT Act, which criminalise identity theft and impersonation, are "aimed at the person who steals an identity, not at the maker of a tool that a third party misuses" (Internet Freedom Foundation). IFF calls the broader posture "a licence raj for software features" — a characterisation Medianama founder Nikhil Pahwa echoed, arguing "there is no reason why any company should consult a government before rolling out a feature, let alone one that protects privacy" and "we're not in a licence raj" (Medianama).

Why the precedent problem outweighs the fraud problem

This is where the fraud rationale, however real, stops justifying the remedy. There is no evidence cited in MeitY's notice of actual harm from India users on WhatsApp's new usernames — the objection is anticipatory, based on the theoretical possibility of impersonation, not a measured fraud rate. That distinction matters because the tool MeitY is reaching for — an informal executive letter demanding a company withhold a global product feature from one market, backed by no statutory pre-clearance regime — is infinitely reusable. Today it's usernames; tomorrow it could be any feature a ministry decides looks risky, with no legislative debate, no published rule, no judicial review standard, just a letter and a deadline. Namrata Maheshwari, senior policy counsel and encryption lead at Access Now, framed the stakes precisely: "It's a slippery slope because the moment you concede something in one jurisdiction and make it known as something that is possible to do technically, other countries will follow suit" (Rest of World). If Meta ships a stripped-down, India-only version of usernames to satisfy MeitY, it hands every government a template: feature-level design changes are negotiable, pre-launch, if you write a strongly worded letter and cite a statute loosely enough.

The better path

India does not lack legislative tools to address impersonation fraud — it has a functioning IT Act, cybercrime provisions, and an active rulemaking process under the Digital Personal Data Protection Act. If MeitY believes platforms need a standing obligation to vet feature launches for fraud risk, that requires a rule made through consultation and published for comment — not a three-day-turnaround letter to three companies simultaneously. Proportionate regulation means matching the tool to the harm and the process to the power being exercised. An anticipatory feature freeze, backed by statutes that were never written for this purpose, fails both tests — even when the underlying worry about scam-driven impersonation is one every platform, and every regulator, should be taking seriously.

Sources & Citations

  1. Internet Freedom Foundation statement
  2. Section 79, IT Act 2000 (Indian Kanoon)
  3. Rest of World
  4. The Register
  5. The Wire
  6. Medianama