India gives WhatsApp three days to defend username rollout amid security fears

Government of the messenger's largest market demands a pause while Meta explains how it plans to stop impersonators

India has asked WhatsApp to explain why it should not face regulatory action after it announced the global rollout of a new usernames feature amid fears that the new feature could lead to increased cyberattacks.The country's Ministry of Electronics and Information Technology (MeitY) gave the Meta owned platform three days to respond to its July 1 letter and to halt the rollout of usernames until the government gives its approval.WhatsApp announced on June 29 that it was allowing users to reserve usernames that could be used instead of phone numbers on the platform when the feature launches later this year.

It said that people want to chat with others without exposing their personal phone number, whether to a classmate, neighbor, professional contact, or the group chat for their child's sports team. Meta also owns Facebook or Instagram, and is not allowing users to create usernames that already exist on those other platforms – unless they themselves control the other accounts.

However, the government of India, WhatsApp's largest market fears that allowing first contact without displaying a phone number "may increase cybercrimes," including phishing and digital arrest scams.MeitY is specifically concerned about the opportunities for impersonation, with attackers posing as public authorities, financial institutions, or government departments.The department cited India's Information Technology Act 2000 and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 as the legal basis for its concerns about the feature.The Internet Freedom Foundation, which shared a copy of MeitY's letter to WhatsApp's chief compliance officer in India, said that the department has no clear legal basis for halting WhatsApp's usernames rollout. It said neither legal framework was applicable in the context in which they were being invoked and called its letter the latest example of attempted regulatory overreach.The IFF pointed to a separate advisory issued in March 2024 when MeitY tried to stop AI companies from rolling out their models to the public before the Indian government had a chance to approve them."That was criticized as an overreach that sought to build a licensing mechanism with no empowering provision in the IT Act, and within a fortnight MeitY withdrew it and dropped the permission requirement," the IFF stated. "This notice repeats the move for a single feature and goes further, because it names one company, sets a three-day clock, and bars the launch until MeitY is satisfied."