India asks WhatsApp to pause username feature rollout over fraud concerns

India, WhatsApp’s largest single market with more than 850 million active users, has ordered the Meta-owned messaging platform to pause the rollout of its highly anticipated username-based chat feature, citing growing concerns that the update could fuel a surge in cybercrime and malicious online activity.

The new function, which was set to roll out gradually to WhatsApp’s 3 billion global users over the coming months, allows users to connect with other accounts without sharing their personal phone numbers, a long-requested privacy upgrade for the platform. Users were already able to reserve their preferred unique usernames ahead of the full launch when Indian regulators stepped in.

In an official notice dated Wednesday, India’s Ministry of Electronics and Information Technology (MeitY) demanded WhatsApp halt deployment immediately and explain why regulatory action should not be taken against the company under existing Indian cyber law for moving forward with a feature it argues poses unacceptable public risk. The ministry outlined that by allowing bad actors to contact potential victims without revealing their phone numbers, the update could materially increase rates of online fraud, phishing schemes, digital extortion scams, and impersonation attacks. Regulators also warned that the username system could enable bad actors to create lookalike accounts mimicking government officials, financial institutions, public agencies, and private individuals to carry out deception.

MeitY’s notice, a copy of which has been obtained by the BBC, cites provisions of India’s Information Technology Act and national rules governing intermediary due diligence, identity theft, and impersonation offenses. The regulator has ordered WhatsApp not to proceed with launch until it completes a government consultation that addresses official concerns to the authorities’ satisfaction.

In response to the order, Meta confirmed that the feature has not yet been activated for general users and that it has built a multi-layered framework of safeguards to prevent misuse. To combat impersonation, the platform has pre-reserved all high-profile usernames associated with public figures, government entities, celebrities, and already verified Meta accounts, ensuring these can only be claimed by their legitimate owners. It has also locked lookalike derivatives of prominent official and public figure usernames to block spoofing attempts.

WhatsApp also emphasized that users will still require a verified phone number to create an account, even with the new username feature active. Additional protective measures include requiring any user to know an exact username to initiate contact, limiting the number of new users a single account can reach out to, blocking repeated automated attempts to guess usernames, and maintaining automated systems to detect and remove activity matching known patterns of impersonation and abuse. For first-time messages from unknown contacts, the platform will also display contextual information to help recipients assess risk, including whether the account is new, shares a common group with the recipient, is already saved in the user’s contacts, or is based in a foreign country.

Cybercrime has become an increasingly urgent policy challenge for India, as hundreds of millions of first-time internet users adopt digital platforms and mobile payment services every year, many without formal training on digital safety practices. According to the most recent published federal data, India registered nearly 102,000 cybercrime cases in 2024, representing an 18% increase from the prior year, with online fraud accounting for nearly three-quarters of all reported cases.

The Indian government’s order has drawn criticism from digital rights advocates, who argue the regulatory move lacks a clear legal foundation. The Internet Freedom Foundation, an Indian digital rights non-profit, stated that the notice overreaches by attempting to grant the government power to approve or reject individual software features, a authority not outlined in the laws MeitY cited. “The power to require prior permission for a feature is not in the [Information Technology] Act, not in the Rules, and cannot be created by a notice,” the organization said in a public statement.

This latest regulatory action is part of a broader ongoing trend of Indian authorities tightening oversight of global technology platforms operating in the country. Earlier this year in February, New Delhi amended its digital rules to require social media platforms to remove unlawful content within just three hours of receiving a government takedown notice, cutting the previous compliance deadline of 36 hours dramatically. Just last month, Indian authorities temporarily banned the messaging platform Telegram ahead of a retest for the country’s national medical entrance examination, over concerns that its username-based interaction and hidden phone number features made it easier for exam cheaters to coordinate. The government’s position was upheld in court after Telegram unsuccessfully challenged the ban.

For Meta, the regulatory clash in India carries particular weight: as WhatsApp’s largest market by user count, any changes to product rollout or design in the country will have a major impact on the platform’s global rollout plans and long-term growth strategy.