WhatsApp username row in India isn’t about privacy vs security, but authentication
Experts say WhatsApp username fight is really about authentication
MeitY paused, not banned, the feature pending government consultation
Calibrated rollout with safeguards is the most likely outcome
As usual, this whole debate around WhatsApp usernames feature rollout in India has entered familiar territory, where it seems to be a binary choice between privacy vs security. WhatsApp’s argument for a privacy-enhancing feature has made the Indian government seriously nervous about all the ways it can be misused in a country where everyone and their grandmother is on WhatsApp.
SurveyAccording to legal and cyber experts in India, the choice need not just be between shipping the WhatsApp username feature or shelving it permanently because of government demand.
The more pertinent question isn’t if the WhatsApp username feature is safe or dangerous, but whether Meta and the Indian government will address the central issue of authentication. And so far, neither side is talking about it seriously.
Start with what the government has actually done, where MeitY has directed WhatsApp not to roll out the feature “until the consultation on this point is achieved to the satisfaction of the government.” This shows the government isn’t keen on banning WhatsApp outright. As far as possible, the government’s conditions can be met based on a set of technical safeguards that already exist in principle.
This is where the legal picture gets genuinely contested, and experts try to comment on everything from the fundamental basis of this block on WhatsApp username to possible remedial measures.
Sonam Chandwani, Managing Partner at KS Legal & Associates, is clear that the Indian government’s concerns have statutory grounding. “The Government’s concerns are not without legal basis,” she says, pointing to the due-diligence obligations intermediaries carry under the IT Act and the 2021 Rules.

On the other hand, the same feature WhatsApp is trying to implement has shipped elsewhere without incident – messaging apps Telegram and Signal already offer similar functionality. This is where digital rights advocates argue that the MeitY notice itself lacks a statutory hook. The Internet Freedom Foundation has said the notice “has no clear basis in law” and represents “an attempt by the executive to decide what a company may build and ship, which no statute permits,” noting that Section 79 is a safe-harbour provision governing platform liability, not something to be invoked for any particular feature additions – which is what WhatsApp username technically is.
Both of these can be true. Reading the dispute as pure overreach or pure diligence misses that the disagreement is really about ‘how’ of it all, not ‘if’ or ‘whether’. And on the ‘how,’ the experts I spoke with converge on authentication as one of the strongest possible solutions.
Advocate Dr. Chinmay Bhosale, co-founder of NYAI, believes that any possible safeguards built into WhatsApp usernames should include “tagging the right KYC documents to each account, thereby ensuring that the identity of the account holder can be authenticated.” His worry isn’t the feature itself, but a feature deployed without a verification layer underneath it.
Also read: Why India is right to halt WhatsApp’s username feature
“Proper safeguards should be in place in case the rollout has to take place,” Bhosale said, warning that without them, “corporate governance, service messages, financial institutions’ support via WhatsApp, and several other forms of official communication could also come under threat.”
Advocate Dr. Prashant Mali takes the same central idea to reframe the entire debate. “The ideal outcome is privacy with verifiable authenticity, not privacy versus security,” he said. That single line is arguably the most important thing anyone has said in this saga. Meta’s defenders and the Indian government advocates seem to suggest that there has to be a trade-off between either privacy or verification, and Mali is simply saying there doesn’t need to be.
As far as authentication is concerned, WhatsApp is already partway there – it just isn’t framing its measures as an authentication regime. Meta has said WhatsApp usernames are optional, not searchable, and that it has already reserved handles belonging to public figures, celebrities, government entities and Meta Verified accounts so they can only be claimed by legitimate owners – so the question of stealing identities doesn’t arise at all. Additionally, Meta says WhatsApp will limit how many new people an account can contact, and even block repeated guessing attempts in order to prevent unsolicited or fraudulent messages.

Also read: WhatsApp vs Indian govt: A brief history of disagreements
It all depends on how you read these measures, right? I mean, in principle, WhatsApp seems to have a meaningful anti-abuse stack. But given Meta’s track record on protecting user privacy, should we take them on their word? With no KYC anchor of the kind Bhosale suggests, the Indian government’s position becomes relatable to some extent – even if it’s singling out WhatsApp for cracking the whip.
So the authentication alternative becomes key, and it’s the outcome Chandwani thinks is most likely anyway. “Neither an unconditional approval nor a blanket prohibition,” she says, but a feature “introduced in a calibrated manner, subject to additional compliance obligations and periodic review.” In practice, it likely means verified-identity signals for business and institutional accounts, a KYC-tagged authentication layer made mandatory, rapid takedown protocols for deepfake or impersonation fraud, and a traceability mechanism for first contact via username that satisfies law enforcement requirement without collapsing user privacy for ordinary users.
Meta can keep insisting the feature is optional and defended. The Indian government can keep insisting it’s dangerous and unauthorised. Or the two can build the thing the experts have been describing all along: privacy with verifiable authenticity. In the present form, the odds favour the calibrated compromise.
Executive Editor at Digit. Technology journalist since Jan 2008, with stints at Indiatimes.com and PCWorld.in. Enthusiastic dad, reluctant traveler, weekend gamer, LOTR nerd, pseudo bon vivant. View Full Profile
