A feature freeze, not a formal ban
On 29 June 2026, WhatsApp began a global rollout of usernames — letting people message each other without exchanging phone numbers. Within days, India's Ministry of Electronics and Information Technology (MeitY) sent WhatsApp a notice, dated 1 July, demanding an explanation within three days and directing the company not to launch the feature in India "until consultations conclude to the Government's satisfaction" (The Register). MeitY then widened the inquiry to Telegram and Signal, which already run username-based contact discovery, and set a consolidated deadline of 9 July for all three platforms to respond (Rest of World). WhatsApp filed its response on schedule; MeitY says it is still "examining" it.
The government's case deserves a fair hearing
MeitY's underlying concern is not fanciful. India has one of the world's highest exposures to "digital arrest" scams and UPI-linked fraud, and much of it is engineered through impersonation — fraudsters posing as police, tax officials, or bank representatives over chat and voice calls. A username system that lets a stranger message you without ever revealing a phone number does remove one of the few low-friction verification signals ordinary users currently rely on: a mobile number tied, however loosely, to a real SIM registration. If usernames closely mimicking government agencies, public figures, or financial institutions remain easy to claim, that is a legitimate design flaw worth pressing on — regulators pushing platforms to close impersonation gaps before launch, rather than after victims lose money, is a defensible instinct, not reflexive control-seeking.
But the legal basis for a pre-launch veto is thin
The problem is what MeitY is actually claiming the power to do: block a privacy feature from shipping in India at all, pending its approval. The notice invokes the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (The Register). Neither does the work MeitY needs it to. Section 79 of the IT Act is a safe-harbour provision — it sets conditions under which an intermediary is shielded from liability for third-party content; it says nothing about pre-clearing product features (Section 79, IT Act 2000). The Internet Freedom Foundation, which published a formal legal challenge the same day as MeitY's notice, put it directly: "the notice has no clear basis in law. It is an attempt by the executive to decide what a company may build and ship, which no statute permits" — and separately, that Sections 66C and 66D of the IT Act, which criminalise identity theft and impersonation, are "aimed at the person who steals an identity, not at the maker of a tool that a third party misuses" (Internet Freedom Foundation). IFF calls the broader posture "a licence raj for software features" — a characterisation Medianama founder Nikhil Pahwa echoed, arguing "there is no reason why any company should consult a government before rolling out a feature, let alone one that protects privacy" and "we're not in a licence raj" (Medianama).
Why the precedent problem outweighs the fraud problem
This is where the fraud rationale, however real, stops justifying the remedy. There is no evidence cited in MeitY's notice of actual harm from India users on WhatsApp's new usernames — the objection is anticipatory, based on the theoretical possibility of impersonation, not a measured fraud rate. That distinction matters because the tool MeitY is reaching for — an informal executive letter demanding a company withhold a global product feature from one market, backed by no statutory pre-clearance regime — is infinitely reusable. Today it's usernames; tomorrow it could be any feature a ministry decides looks risky, with no legislative debate, no published rule, no judicial review standard, just a letter and a deadline. Namrata Maheshwari, senior policy counsel and encryption lead at Access Now, framed the stakes precisely: "It's a slippery slope because the moment you concede something in one jurisdiction and make it known as something that is possible to do technically, other countries will follow suit" (Rest of World). If Meta ships a stripped-down, India-only version of usernames to satisfy MeitY, it hands every government a template: feature-level design changes are negotiable, pre-launch, if you write a strongly worded letter and cite a statute loosely enough.
The better path
India does not lack legislative tools to address impersonation fraud — it has a functioning IT Act, cybercrime provisions, and an active rulemaking process under the Digital Personal Data Protection Act. If MeitY believes platforms need a standing obligation to vet feature launches for fraud risk, that requires a rule made through consultation and published for comment — not a three-day-turnaround letter to three companies simultaneously. Proportionate regulation means matching the tool to the harm and the process to the power being exercised. An anticipatory feature freeze, backed by statutes that were never written for this purpose, fails both tests — even when the underlying worry about scam-driven impersonation is one every platform, and every regulator, should be taking seriously.