The WhatsApp Username Saga

Last week, WhatsApp announced that users would soon be able to reserve a unique username and use it instead of their phone number to start conversations. The core protections stay intact: people still need a phone number to use WhatsApp at all, unknown senders trigger warning labels, there’s no public directory of usernames, and existing block-and-report tools remain in place. Meta has also pre-reserved usernames for public figures, government bodies, and verified accounts on Facebook and Instagram so they can’t be squatted by impersonators, and only trusted contacts can use the username to reach them directly.

Soon after, MeitY directed Meta to not roll this feature out in India until government consultations were complete and gave it three days for an explanation. The ministry’s stated worry is that removing the phone number as a fixed identity anchor could exacerbate phishing, digital-arrest scams, and impersonation of banks or officials.

This move follows a pattern of increasing state control over messaging platforms, from SIM-binding mandates that require messaging apps to link accounts to verified Indian numbers, the temporary ban on Telegram after leaked NEET exam papers circulated on the app, to a rising frequency of takedown orders issued to platforms.

The Internet Freedom Foundation argues that MeitY is stretching the safe-harbour provision under the IT Act and that Rules 3 and 4 of the IT Rules, 2021 “cannot be converted into a licensing scheme.” India’s takedown and blocking powers under the IT Act are built to act against specific content or accounts after the fact, not to pre-emptively veto a feature. In March 2024, a similar MeitY advisory demanding pre-approval for AI model releases was withdrawn within a fortnight under criticism. The broader point is that a government cannot lawfully order a company to withhold a software feature. Fraud and impersonation are already criminal offences and the fix is enforcement against offenders.

Signal and Telegram both already offer optional usernames, and Telegram in particular has faced criticism from Indian regulators similar to what WhatsApp is now facing. Neither app, however, ties its usernames to multiple online platforms the way Meta’s ecosystem does. Taking into account the DPDPA, it can also be argued that this feature contradicts purpose limitation requirements due to this cross-platform linkage.

By linking a WhatsApp account to Instagram or Facebook, the system can verify the ownership of that username, allowing one to have the same username across all three platforms.

Furthermore, on the question of privacy, does the cross-platform linkage expand Meta’s ability to correlate identity across its apps, even as it protects the phone number itself? And does shifting to usernames without a public directory just relocate spam?

None of this makes MeitY’s intervention obviously wrong, or WhatsApp’s feature obviously safe. Impersonation and scam risks are real, but there’s a difference between regulating fraud and regulating features. The more durable fix is building capabilities to prosecute fraud under existing law.