Ministry of Information and Technology’s notice to WhatsApp ordering it to pause its planned username feature for Indian users looked like a classic show‑cause on cyber‑fraud risk. It warned that allowing users to connect via usernames instead of phone numbers could “materially increase” digital‑arrest scams, phishing and impersonation, and gave Meta three days to defend the rollout. The notice leaned on Section 79 of the IT Act, the 2021 Intermediary Rules, and identity‑theft offences under Sections 66C and 66D.
Formally, nothing in the IT Act requires an intermediary to obtain prior government approval before launching a feature like WhatsApp’s usernames. Once a feature goes live, it clearly falls within the IT Act and the 2021 Rules; non‑compliance can cost an intermediary its Section 79 safe harbour and expose it to prosecution. But using that post‑facto framework to halt a feature which is yet to roll out, is a different move altogether.
Civil‑society groups such as the Internet Freedom Foundation and SFLC.in have already argued that while the notice cites Section 79 and Rules 3 and 4 of the IT Rules, 2021, it does not identify any specific statutory provision that empowers MeitY to pre‑approve or veto product features before release. Although some media reports reveal that MeitY is also working on common standards for messaging platforms operating in India
“The notice is revealing precisely because of the provisions it had to reach for i.e., Section 79 of the IT Act and Rules 3(1)(b), 3(2) and 4 of the 2021 Rules, read with Sections 66C and 66D on identity theft and personation,” says Naqeeb Ahmed Kazia, partner at CMS Induslaw. “None of these actually confer a power to halt or pre‑clear a feature. Section 79 is a conditional safe‑harbour and liability shield, while 66C and 66D criminalise individual fraudsters, not a platform’s design choices. The concern is that by directing WhatsApp not to launch until the Government is satisfied, MeitY is asserting a product‑approval power no statute grants, echoing its March 2024 AI advisory that was withdrawn within a fortnight.”
That AI advisory, issued on 1 March 2024, had indeed tried to require “significant platforms” to seek explicit government permission before deploying “under‑tested or unreliable” AI models, only for MeitY to walk it back two weeks later and replace it with a labelling‑and‑warnings regime after a storm of criticism over its legal basis.
Alay Razvi, managing partner at Accord Juris said, “Under the current IT Act and the IT Rules, MeitY has substantial leverage through intermediary obligations, takedown directions, and the possibility of safe‑harbour consequences if compliance fails. But that is not the same as a clear power to pre‑approve or veto a lawful product feature before launch,” he says. “Without fresh legislation, the government can regulate conduct aggressively, but converting the framework into a feature‑by‑feature licensing regime would be legally vulnerable.”
Officials have argued that hiding phone numbers behind usernames will make it harder to trace scammers and impersonators in real time, especially against a backdrop of rising “digital arrest” frauds and phishing in India, and have sent similar notices to Telegram and Signal seeking details of their username systems and safeguards.
Ajay Sahni & Associates partner Ankit Sahni said, “A username may conceal a telephone number from another user, but it does not necessarily render the account untraceable to the platform or law‑enforcement agencies acting under lawful process. The appropriate response would ordinarily be to require proportionate safeguards such as verified account registration, limits on unsolicited contact, prominent impersonation warnings, effective reporting mechanisms and preservation of legally permissible account‑level information. A blanket restriction should be the last resort and must be shown to be necessary, effective and the least restrictive means available.”
“In many cases, it appears that certain platforms either do not provide or are not prompt enough in providing the underlying Basic Subscriber Information (BSI), including linked mobile numbers, to law enforcement agencies,” said Ravi Goyal, partner at Scriboard. “In the case of such non-compliant platforms, where BSI is not routinely provided, the Government’s justification for regulating anonymity is likely to carry greater weight if such actions are subjected to judicial scrutiny.”
B. Shravanth Shanker, managing partner at B. Shanker Advocates LLP said “Attempting to regulate structural privacy features like usernames on end‑to‑end encrypted platforms, as a proxy for content control, fails the test of proportionality. Mandating that platforms scrap an architectural security layer simply because it might be exploited by malicious actors effectively treats the entire citizenry as a collective threat, violating the principle of the least restrictive means.”
Building a new architecture without a new law
All of this is happening against a fast‑moving backdrop of rules, advisories and show‑cause practice. The 2026 amendments to the Intermediary Rules brought synthetic media, “synthetically generated information” under formal regulation for the first time, requiring platforms to label AI‑generated audio‑visual content, embed provenance metadata or fingerprints, and execute takedowns of certain deepfakes and unlawful content within as little as two to three hours.
Viewed together with AI advisories, username freezes and blocking orders, most of the legal experts forecast a new legal regime in formation.
“Reading alongside the Telegram block, the withdrawn March 2024 AI advisory and now the WhatsApp notice, this does look like an attempt to build an ex‑ante, design‑stage regime spanning messaging, social media and AI,” says Kazia. “The common thread is regulation by case‑by‑case notice rather than published rules, which hands the executive broad and largely unchecked discretion over what platforms may ship.”
“The Government has indeed been moving in this direction over the past few years,” says Goyal. “The slew of amendments to the IT Rules 2021, including the recent, operationally challenging, three‑hour takedown requirement; the several notices issued to intermediaries; and the recent temporary blocking of Telegram and its edit feature, all point in that direction.”
Tushar Agarwal, founder & managing Partner, C.L.A.P. JURIS, Advocates & Solicitors calls it “a transition from regulating isolated incidents to regulating digital infrastructure itself,” where “the regulatory focus is no longer confined to unlawful content after publication; it increasingly extends to platform architecture, product design, algorithmic accountability, crisis response mechanisms and systemic risk management.”
Verma, partner at SKV Law Offices said, “India appears to be edging towards a form of ‘design‑by‑regulation’. Whether that model is sustainable will depend upon whether it is ultimately grounded in clear legislation and transparent standards, rather than treating every new technological feature as a regulated product requiring informal prior clearance.”


