India has directed WhatsApp to suspend the rollout of its upcoming username-based messaging feature, citing concerns that it could make it easier for cybercriminals to carry out fraud, phishing, and impersonation scams.
The feature, which would allow users to communicate using unique usernames instead of sharing their phone numbers, is expected to be introduced to WhatsApp’s three billion users worldwide in the coming months.
In a formal notice, the Indian government asked WhatsApp to justify why regulatory action should not be taken under Indian law for introducing a feature that authorities believe could contribute to an increase in cybercrime.
Responding to the concerns, WhatsApp said the feature has not yet been launched and emphasized that it includes several safety measures. These include reserving usernames associated with public figures and implementing systems designed to detect impersonation attempts and fraudulent activity.
India, home to more than 850 million WhatsApp users, represents the platform’s largest market. The company is owned by Meta, led by CEO Mark Zuckerberg.
The government’s intervention reflects a broader trend of increased scrutiny by Indian regulators over how major global technology companies develop and deploy their products within the country.
According to the notice issued on Wednesday by the Ministry of Electronics and Information Technology, officials reviewed WhatsApp’s recent announcement allowing users to reserve unique usernames and, eventually, connect with others by exchanging usernames rather than phone numbers.
The ministry warned that the change could significantly raise the risk of online fraud, phishing schemes, digital arrest scams, and identity impersonation by enabling bad actors to contact potential victims without revealing their phone numbers.
The Indian government also cautioned that the proposed feature could enable impersonation and identity spoofing by allowing usernames that closely resemble those of real individuals, government bodies, financial institutions, and public agencies.
According to a notice reviewed by the BBC, authorities instructed WhatsApp not to proceed with the rollout until consultations with the government are completed and its concerns have been adequately addressed.
The notice references provisions of India’s Information Technology Act as well as regulations related to intermediary responsibilities, identity theft, and impersonation offenses.
The warning comes amid growing concerns over cybercrime and digital fraud in India, where millions of people rely on digital platforms and online payment systems daily, often with limited awareness of cybersecurity risks.
Official data shows that nearly 102,000 cybercrime cases were reported in 2024, an increase of 18% compared with the previous year. Online fraud accounted for almost three-quarters of those incidents.
A Meta spokesperson said the username feature is scheduled for a phased rollout later this year and stressed that several protective measures have been built into the system.
“To prevent impersonation, we have reserved the most prominent names—including those of public figures, government organizations, celebrities, and verified Meta accounts—so they can only be claimed by their legitimate owners. Similar-looking variations of those names are also being restricted,” the spokesperson said.
Meta further noted that users will still be required to register with a phone number to create a WhatsApp account. The company added that multiple security safeguards have been incorporated into the feature to provide additional protection against scams and fraudulent activity.
WhatsApp said additional safeguards have been built into the username feature to reduce the risk of misuse. According to a company spokesperson, users will need to know a person’s exact username before they can initiate contact. The platform will also limit the number of new people an account can message, restrict repeated attempts to guess usernames, and use automated systems to identify and remove behavior associated with impersonation and other forms of abuse.
The company added that users receiving messages from first-time contacts will be provided with contextual information, such as whether the sender’s account is newly created, already saved in their contacts, shares mutual groups, or is located in another country. These indicators are intended to help users assess whether a message is trustworthy before responding.
Meanwhile, the Internet Freedom Foundation (IFF), a digital rights advocacy group, has challenged the government’s position, arguing that the notice lacks a clear legal foundation.
In a statement, the organization said the government was effectively attempting to determine which software features private companies are allowed to introduce, despite the laws cited in the notice not granting such authority.
“The power to require prior approval for a product feature does not exist in the Information Technology Act or its associated rules and cannot be established through a notice,” the group said.
The dispute comes as India continues to expand regulatory oversight of major technology platforms. Earlier this year, the government revised its rules to require social media companies to remove unlawful content within three hours of receiving a notice, significantly reducing the previous 36-hour compliance window.
Last month, authorities also temporarily restricted access to Telegram during the re-examination process for a nationwide medical entrance test, reflecting the government’s increasingly active role in regulating digital platforms.
The government contended that features allowing users to communicate through usernames while hiding their phone numbers could hinder law enforcement investigations. The platform challenged this view in court, but its legal effort was unsuccessful.
Read more tech updates here