Why India Is Blocking WhatsApp Usernames—and Why It Matters
Why India Is Blocking WhatsApp Usernames—and Why It Matters (A representative image)
By P. SESH KUMAR
India’s decision to freeze WhatsApp’s new @username feature has sparked a debate over privacy, fraud prevention and whether the government can dictate software features without explicit legal authority. Here’s what is at stake.
New Delhi, July 3, 2026 — On 29 June 2026, WhatsApp announced that Indians could soon shed their phone numbers as their public identity and adopt an @-handle instead. Within forty-eight hours, New Delhi swung a hammer: the Ministry of Electronics and Information Technology (MeitY) served Meta a formal notice, ordered the rollout frozen, and gave the company three days to explain why regulatory action should not follow.
The stated fear is impersonation-fraudsters wearing a stranger’s face to run “digital arrest” scams and phishing rackets on a market of over 500 million users. But beneath the anti-fraud framing lies a harder question that has little to do with usernames and everything to do with power: can a government, by letter and on a three-day clock, tell a private company which lawful features it may ship?
The story begins, as these stories increasingly do, with a privacy upgrade that arrived looking like a gift and was received like a Trojan horse. For its entire existence, WhatsApp has tethered our identity to a single unforgeable string: our phone number. It is who we are on the platform—the primary key that tells the person on the other end that the “us” they’re talking to is the “us” they know.
On 29 June 2026, Meta announced it would cut that cord. Users could reserve a unique alphanumeric handle beginning with @—say, @Name123—and eventually let others message or call them without ever exposing their number. Meta wrapped it in a genuinely appealing pitch: fewer numbers harvested from group chats, fewer SIM-swap attacks, less exposure for the classmate, the neighbour, the parent in the kids’ cricket-team chat who would rather not hand a stranger a permanent line into their pocket.
There is even an optional “username key,” a second gate a stranger must clear before a first message lands. The feature is not yet live in India; only reservations had opened. And that was precisely the window New Delhi moved to slam shut.
The government’s anxiety is not abstract, and to its credit it is not entirely manufactured. The single loudest word in MeitY’s notice is impersonation, and the single sharpest fear is the “digital arrest” scam — a peculiarly Indian epidemic in which criminals pose as CBI officers, judges, customs officials, or bank functionaries, terrorise a frightened citizen over video call into believing they face imminent arrest, and extort lakhs before the victim’s pulse settles.
Strip away the phone number as the fixed point of identity, MeitY argues, and you hand these predators a costume rack. A username that reads @SBI_Support_Official or @IncomeTaxDept_Help costs nothing to conjure and, to a panicked or elderly user, is indistinguishable from the real thing. The ministry’s notice warns, in as many words as possible, that the feature could “materially increase” online fraud, phishing, digital arrest scams, and impersonation by letting bad actors solicit victims without ever surfacing a traceable number and by permitting handles that closely mimic genuine individuals, public authorities, financial institutions, and government agencies.
Here is the misuse in the plainest possible terms. Today, if a scammer wants to pose as your bank, they must call from some number—and that number is a thread investigators can pull: which SIM, which name, which city, which country. It is a fingerprint. The username feature does not abolish the number (WhatsApp still requires one to open an account), but it removes it from first contact.
The stranger reaches you as a handle. To you, the victim, the phone number—your one reliable tell that this is a foreigner running a boiler-room, not your neighbourhood branch manager—has vanished from view. Impersonation, in short, gets a fresh coat of paint and a cleaner alibi. MeitY layers a second, subtler worry on top: traceability.
If the number is no longer the identifier of first contact, law enforcement loses its most dependable early signal of whether a suspect is sitting in Noida or in a scam compound in Southeast Asia.
So much for the fear. Now the friction — because the government’s case, however emotionally resonant, is legally contested at its foundations, and this is where the note turns sharp.
WhatsApp’s likely response is already visible in outline, and it will be a study in polite immovability. Meta has not defied the notice; it has instead paraded its safeguards. It reserves handles resembling public figures, government entities, and verified accounts, so that only legitimate owners can claim something like @narendramodi_official.
It carries over Instagram and Facebook username ownership, so squatters cannot grab your existing identity. Its automated systems monitor for suspicious behaviour, and its first-contact interface flags whether a new message comes from an unknown account, a contact, someone in a shared group, or — crucially — someone dialling in from another country.
Expect Meta to file a detailed compliance memo inside the three-day window, emphasise that the feature is not even live, note pointedly that Telegram and Signal have offered username access for years without triggering a national emergency, and argue that first-contact friction plus the optional username key already blunt the impersonation vector far more than a phone number ever did.
The subtext of Meta’s posture is unmistakable: we have addressed the harm; what you are really asking for is a veto over our product roadmap.
Which brings us to the government’s actual arsenal — and its curiously empty chambers. New Delhi has three broad avenues to enforce its will. The first is persuasion under pressure: the notice-and-consultation route it has already chosen, in which MeitY and the Ministry of Home Affairs summon messaging platforms to a room and extract “voluntary” deferral.
The second is intermediary liability: threatening WhatsApp’s safe-harbour protection under Section 79 of the IT Act, the shield that spares platforms from liability for what users do, so long as they observe due diligence.
The third — the only genuine blocking power in the statute book — is Section 69A, which lets the government order specific online information taken down through a prescribed, reasoned procedure. The trouble is that each of these tools was forged for a different job. Section 79 decides when a platform can be held liable; it is not a licensing counter at which features must queue for approval.
Sections 66C and 66D punish the individual who steals an identity or cheats by personation; they are aimed at the con artist, not the toolmaker. And Section 69A blocks content, not design choices. The government’s dilemma is that it possesses a hammer for nails and is confronting a screw.
This is exactly the gap that a legal challenge would exploit, and the challenge is already being rehearsed in public by the Internet Freedom Foundation, which obtained and circulated the notice. Its argument is bracingly simple and, on the current text of the law, difficult to answer.
The IFF contends the notice has no clear basis in law — that it is the executive deciding, in private and by letter, what a company may build and ship, a power no statute confers. On its logic, it says, a telecom operator could just as well be forbidden from selling SIM cards, since SIMs feature in nearly every online fraud.
It invokes the settled principle from Ajoy Kumar Banerjee v. Union of India that subordinate rules cannot travel beyond their parent Act — and adds the pointed corollary that if a rule cannot exceed the statute, a mere letter certainly cannot. It notes that MeitY’s traceability card, Rule 4(2) on identifying the “first originator,” is itself under challenge before the Delhi High Court as exceeding its parent provision — so leaning on it against a feature designed to share fewer identifiers is awkward at best.
And it recalls the precedent that should worry the ministry most: in March 2024, MeitY told large tech and AI companies to seek its permission before deploying under-tested models, was pilloried for inventing a licensing regime with no statutory hook, and quietly withdrew the demand within a fortnight. Commentators from Takshashila and MediaNama have piled on, warning against a “licence raj” for software features and noting that WhatsApp’s real offence is its scale, not its novelty.
Should Meta choose litigation over accommodation, a writ petition arguing executive overreach and absence of statutory authority would stand on firm ground — though the government will counter with a Delhi High Court observation from the Telegram matter that username-based access can make it easier to conceal identity and spread illicit content, and with the plain political argument that a sovereign is entitled to satisfy itself that a feature is safe before it reaches 500 million citizens.
Beyond Mars: The Governance Risks Hidden Inside the SpaceX IPO
Why Only India Flinched
Here lingers the most awkward question of all: if usernames are so combustible, why is India the only house on the street that called the fire brigade? WhatsApp flipped the switch for some three billion users across more than 180 countries, and in Washington, Brussels and London the announcement landed as a privacy upgrade — not a national-security klaxon.
The reasons are structural, not sentimental. Telegram and Signal have offered handle-based access for years without a Western capital blinking; the European Union’s instinct, hard-wired into the GDPR and the Digital Services Act, is to reward data-minimisation, so a feature that shares fewer identifiers reads as compliance, not menace; and the United States, allergic to anything resembling prior restraint on a lawful product, prefers to hunt the fraudster through criminal law rather than licence the tool.
India is the outlier because India is the perfect storm. It is the single largest WhatsApp market on earth, so every feature detonates at a scale no other country experiences. It runs UPI, the planet’s biggest real-time payments rail — instant, irreversible, and wired into a freshly-online Tier-2 and Tier-3 population with thin fraud literacy, where a scam that a slower banking system would reverse becomes a clean, final theft.
It has birthed a homegrown horror genre, the “digital arrest,” that exists almost nowhere else. And in 2025 alone it bled an estimated ₹22,495 crore — roughly US$2.7 billion — to cyber fraud, with the lion’s share routed through WhatsApp and Telegram “investment tip” groups and impersonation rackets. So where the West sees a harmless handle, New Delhi sees a fresh mask handed to a scam economy already humming at industrial scale — and the phone number, which its own traceability regime treats as a load-bearing pillar of law enforcement, quietly slipping out of view.
Lessons and the Way Forward
For users, the lesson is bracing and immediate: the phone number was never a perfect shield, but its disappearance from first contact removes a familiar tell. The defensive posture does not change with the technology. Treat any unsolicited “official” contact — handle or number — as guilty until verified through an independent channel. No genuine agency conducts arrests over WhatsApp. The username era rewards the sceptic and punishes the panicked, and users who internalise that a handle is a costume, not a credential, will be the hardest to con.
For platforms, the lesson is that in India, scale is a form of jurisdiction. A feature Signal and Telegram shipped in obscurity becomes a national-security event the moment WhatsApp attaches it to 500 million accounts. The prudent path is not pre-clearance — that way lies the licence raj — but conspicuous, verifiable harm-mitigation designed before launch and disclosed transparently: aggressive reservation of official and institutional handles, friction on first contact, rapid impersonation takedown, and an evidentiary trail robust enough to give law enforcement what the phone number used to.
For the government, the lesson is the sharpest. The instinct to protect citizens from a fraud epidemic is legitimate; the method is where the enterprise wobbles. Governing by letter, on a three-day clock, naming one company and asserting a veto that appears nowhere in the Act, sets a precedent that can be turned on any platform and any feature tomorrow — a browser’s default privacy setting, a payments app’s login method — each frozen until the ministry is “satisfied.” Rules made case by case, in private, are precisely the rules that responsible operators cannot plan around and that courts are least inclined to bless. The durable answer is not a notice but a norm: if impersonation via handles is the harm, then legislate a clear, narrowly-tailored obligation—mandatory verification of institutional accounts, statutory takedown timelines, penalties for platforms that ignore documented impersonation—through an open process, with a stated legal basis, applied to all comers alike.
Impersonation and fraud are real; the remedy is to enforce the criminal law against the fraudster and to build clear obligations in daylight, not to convert a safe-harbor clause into a licensing gate by administrative fiat.
The username row, in the end, is not really about usernames. It is about whether India’s digital governance will mature into rule of law — transparent, statutory, evenly applied — or settle into rule by letter, where the state’s convenience becomes the citizen’s constitution. WhatsApp will survive whichever way this breaks. The precedent will outlive the feature.
“WhatsApp will survive whichever way this breaks. The precedent will outlive the feature.”
(This is an opinion piece. Views expressed are the author’s own.)
India’s Grassroots Audit Crisis: Why the CAG Must Reclaim Oversight
Follow The Raisina Hills on WhatsApp, Instagram, YouTube, Facebook, and LinkedIn