After WhatsApp, MeitY has reportedly sent notices to Telegram and Signal over their username features, raising serious questions about privacy, executive overreach, and constitutional safeguards.
Watch to understand what's happening and why it matters.
first whatsapp.
then telegram.
now signal.
what's next? discord? matrix?
and yes, they even reportedly tried to ban matrix before, a decentralized protocol. yes, they tried to ban a DECENTRALIZED PROTOCOL.
The way this opportunity was seized by the state betrays its intention. And the continuity of it's disastrous stance on encryption serves a constant reminder that it loves snooping.
The way the Modi govt is going, we need more organisations like the @internetfreedom - and till we have more of them @internetfreedom needs our fullest support. These techno-legal issues need special expertise to fight and counter, not merely good intentions.
Statement on MeitY's notices widen an unconstitutional dragnet over privacy features
New Delhi, 2 July 2026
A day after its notice to WhatsApp on the usernames feature, as per press reports MeitY has today evening sent the same kind of notice to Telegram and Signal, asking each to explain a username feature and its safeguards against impersonation and misuse. In two days the Ministry has gone from one platform to three, and from acting on content to policing the design of products. This is a dragnet, it is widening, and it has no basis in law. As we warned in our first statement it is a digital license raj that is expanding arbitrary executive power.
We know of these notices only through press reports, and the notices themselves have not been published. Where that reporting is sourced from within the Government, MeitY is left free to shape the coverage by choosing what to hand out and to whom. Releasing a document selectively, is not the same as disclosing it to the public, and it is the opposite of transparency. The public is told that platforms are being made to answer for "misuse", while the notice that would show the demand has no basis in law stays out of sight.
We again highlight that the core defect is constitutional. The executive is restraining lawful features, and with them the private communication those features protect, without the authority of law. We agree there can be regulatory authority for such features however it requires a clear articulation of policy intent that is rooted in legislation. This simply does not exist at present. No provision of the IT Act permits it as we have explained in our statement yesterday. A restraint on how a platform may operate cuts into its freedom to carry on its work under Article 19(1)(g), and a restraint on private messaging cuts into the users' freedom of speech under Article 19(1)(a). A restriction on either must fall within Article 19(2) or 19(6) and must rest on a law, and here there is no law at all.
The sweep is also indiscriminate, which is a vice of its own. The three features are not the same. Here, the inclusion of Signal is the sharpest sign of what this is really about. Signal is a non-profit. It is encrypted by default, it collects almost no data, and its username feature exists for the single purpose of letting people communicate without handing over a phone number. Signal's is a private contact tokens with no public directory, which reduces what a user reveals rather than expose it. Signal in particular keeps almost nothing, has refused to build the searchable directory an identification order would need, and is the tool journalists, activists and many at risk people and their contacts rely on, so a notice aimed at it strikes straight at protected speech.
Beneath all three notices sits the demand for traceability under Rule 4(2) of the IT Rules, 2021, which cannot be met on an encrypted service without breaking the encryption that protects every user, and which is already under challenge before the Delhi High Court as exceeding the Act.
Each notice is a step here makes the next look ordinary and needs to clearly and unequivocally condemned for the widespread digital authoritarianism. First pieces of content are blocked in thousands, even entire accounts sometimes just for parody posts, then a whole platform is blocked for a week, and now companies are told to account for the features that keep their users safe. This is how executive power grows past the limits of our constitution.
We call on MeitY to withdraw the notices to WhatsApp, Telegram and Signal, to publish them, and to state the provision of law under which it claims to act. Privacy protective design is not a wrong to be explained away, and the Constitution does not permit a widening dragnet over the means by which people speak.
Statement on MeitY's notices widen an unconstitutional dragnet over privacy features
New Delhi, 2 July 2026
A day after its notice to WhatsApp on the usernames feature, as per press reports MeitY has today evening sent the same kind of notice to Telegram and Signal, asking each to explain a username feature and its safeguards against impersonation and misuse. In two days the Ministry has gone from one platform to three, and from acting on content to policing the design of products. This is a dragnet, it is widening, and it has no basis in law. As we warned in our first statement it is a digital license raj that is expanding arbitrary executive power.
We know of these notices only through press reports, and the notices themselves have not been published. Where that reporting is sourced from within the Government, MeitY is left free to shape the coverage by choosing what to hand out and to whom. Releasing a document selectively, is not the same as disclosing it to the public, and it is the opposite of transparency. The public is told that platforms are being made to answer for "misuse", while the notice that would show the demand has no basis in law stays out of sight.
We again highlight that the core defect is constitutional. The executive is restraining lawful features, and with them the private communication those features protect, without the authority of law. We agree there can be regulatory authority for such features however it requires a clear articulation of policy intent that is rooted in legislation. This simply does not exist at present. No provision of the IT Act permits it as we have explained in our statement yesterday. A restraint on how a platform may operate cuts into its freedom to carry on its work under Article 19(1)(g), and a restraint on private messaging cuts into the users' freedom of speech under Article 19(1)(a). A restriction on either must fall within Article 19(2) or 19(6) and must rest on a law, and here there is no law at all.
The sweep is also indiscriminate, which is a vice of its own. The three features are not the same. Here, the inclusion of Signal is the sharpest sign of what this is really about. Signal is a non-profit. It is encrypted by default, it collects almost no data, and its username feature exists for the single purpose of letting people communicate without handing over a phone number. Signal's is a private contact tokens with no public directory, which reduces what a user reveals rather than expose it. Signal in particular keeps almost nothing, has refused to build the searchable directory an identification order would need, and is the tool journalists, activists and many at risk people and their contacts rely on, so a notice aimed at it strikes straight at protected speech.
Beneath all three notices sits the demand for traceability under Rule 4(2) of the IT Rules, 2021, which cannot be met on an encrypted service without breaking the encryption that protects every user, and which is already under challenge before the Delhi High Court as exceeding the Act.
Each notice is a step here makes the next look ordinary and needs to clearly and unequivocally condemned for the widespread digital authoritarianism. First pieces of content are blocked in thousands, even entire accounts sometimes just for parody posts, then a whole platform is blocked for a week, and now companies are told to account for the features that keep their users safe. This is how executive power grows past the limits of our constitution.
We call on MeitY to withdraw the notices to WhatsApp, Telegram and Signal, to publish them, and to state the provision of law under which it claims to act. Privacy protective design is not a wrong to be explained away, and the Constitution does not permit a widening dragnet over the means by which people speak.
Statement on MeitY's notice to WhatsApp over the "usernames" feature
The Ministry of Electronics and Information Technology (MeitY) has sent WhatsApp a notice about the usernames feature it announced on 29 June 2026. The notice asks the company to explain, within three days, why regulatory action should not be taken against it "for launching a feature that may increase cybercrimes", and it directs the company "not to roll out this feature until the consultation on this point is achieved to the satisfaction of the Government". The Internet Freedom Foundation is concerned that the notice has no clear basis in law. It is an attempt by the executive to decide what a company may build and ship, which no statute permits.
The notice treats the launch of a lawful feature as a wrong the company must justify. That reverses the ordinary position especially given the absence of any clear legal power that exists. MeitY does not name any provision that lets it approve a product feature before release or order one withdrawn, because there is none, and the provisions it does cite do not supply that power.
Section 79 of the IT Act, 2000 is a safe harbour that protects an intermediary from liability for what its users post, so long as it observes due diligence. It decides when a platform can be held liable. It is not a power for MeitY to decide what features the platform may offer. Sections 66C and 66D punish identity theft and cheating by personation. They are criminal offences, tried by courts, aimed at the person who steals an identity, not at the maker of a tool that a third party misuses. Also, on MeitY's logic, a telecom operator could be told not to sell SIM cards because SIM cards are used in almost every online fraud.
Rule 3(1)(b), Rule 3(2) and Rule 4 of the IT Rules, 2021 are due diligence and grievance obligations and cannot be converted into a licensing scheme. Section 69A, the one provision that lets MeitY control what appears online, permits the blocking of specific information through a set procedure. It says nothing about which features a company may build. Further the IT Rules, 2021 are subordinate legislation made under Sections 79 and 87 of the IT Act, and subordinate rules cannot travel beyond the parent statute (Ajoy Kumar Banerjee v. Union of India). If a rule cannot exceed the Act, a letter certainly cannot. The power to require prior permission for a feature is not in the Act, not in the Rules, and cannot be created by a notice.
MeitY has tried this before. In March 2024 it told the same large intermediaries, among them AI Companies, to obtain its explicit permission before deploying under-tested AI models. That was criticised as an overreach that sought to build a licensing mechanism with no empowering provision in the IT Act, and within a fortnight MeitY withdrew it and dropped the permission requirement. This notice repeats the move for a single feature and goes further, because it names one company, sets a three-day clock, and bars the launch until MeitY is satisfied.
This matters beyond WhatsApp. A power asserted against one company by letter can be turned on any company and any feature. On this reasoning MeitY could tell a browser not to switch on a privacy setting by default, or a payments app not to add a login method, each time until it was content. The notice also invokes traceability, through Rule 4(2) of the IT Rules, 2021 and the identification of the "first originator" of a message. Rule 4(2) has been challenged as exceeding its parent provision and resting on no law made by Parliament, and that challenge is pending before the Delhi High Court. Raising it against a feature meant to share fewer identifiers fits a pattern.
We ask MeitY to state the exact provision of law under which this notice, and the direction to halt the roll-out, has been issued, and to withdraw that direction. It should stop using Section 79 and the contested traceability rule as leverage to control product design and to reverse features that improve privacy. Impersonation and fraud are real risks, but they are met by enforcing the criminal law against those who commit them, and by open processes that rest on identified legal powers. They are not met by MeitY deciding, in private and by letter, what features Indians may use. That is a licence raj for software features.
New Delhi, 1 July 2026
The reel featured ground reporting by
@shamsheeryousaf and co-author, Monica Jha, in collaboration with the @ercinvestigates on Google's proposed data centre project in Andhra Pradesh's Visakhapatnam district.
#HearingUpdate: Shamsheer Yousaf & Anr. vs UOI & Ors. W.P.(C) No. 8565/2026, was listed today before the Hon'ble High Court of Delhi. The petition challenges a blocking u/s 79(3)(b) of the IT Act, 2000, of a 2:01-min reel on Google's proposed data centre project in Visakhapatnam.
I'll leave the legal side of the interpretations to Apar & the IFF team...
But linking WhatsApp identity to Meta Accounts Manager is the sole reason for them pushing this username update.
As mobile OSes & all browsers have gotten better at halting tracking - Meta needs to be able to track a user within its walls to be able to deliver ads better.
Once you link WhatsApp to Meta Accounts Manager - the fingerprinting is easy peasy.
Deliver ads. User buys something often from within an embedded browser in a Meta product. Confirmation is sent to WhatsApp. Email is already useless. All communication from business WA to user is unencrypted. Meta Ads keeps printing - brands have to pay Meta AI to reach 'usernames' on WhatsApp.
@DeeEternalOpt Nope. But it's prompted! Also, if you have the same number linked on Instagram and WhatsApp it may just link both meta-data streams at the back end due to the changes in the Privacy Policy in 2021.
@_zenman It’s a limited shield of confidentiality of mobile numbers so there is a sliver of privacy but impersonation is a real risk and claiming someone’s name which is personal information is also a privacy harm. Also no real privacy in the sense of META’s own profiling.
Statement on MeitY's notice to WhatsApp over the "usernames" feature
The Ministry of Electronics and Information Technology (MeitY) has sent WhatsApp a notice about the usernames feature it announced on 29 June 2026. The notice asks the company to explain, within three days, why regulatory action should not be taken against it "for launching a feature that may increase cybercrimes", and it directs the company "not to roll out this feature until the consultation on this point is achieved to the satisfaction of the Government". The Internet Freedom Foundation is concerned that the notice has no clear basis in law. It is an attempt by the executive to decide what a company may build and ship, which no statute permits.
The notice treats the launch of a lawful feature as a wrong the company must justify. That reverses the ordinary position especially given the absence of any clear legal power that exists. MeitY does not name any provision that lets it approve a product feature before release or order one withdrawn, because there is none, and the provisions it does cite do not supply that power.
Section 79 of the IT Act, 2000 is a safe harbour that protects an intermediary from liability for what its users post, so long as it observes due diligence. It decides when a platform can be held liable. It is not a power for MeitY to decide what features the platform may offer. Sections 66C and 66D punish identity theft and cheating by personation. They are criminal offences, tried by courts, aimed at the person who steals an identity, not at the maker of a tool that a third party misuses. Also, on MeitY's logic, a telecom operator could be told not to sell SIM cards because SIM cards are used in almost every online fraud.
Rule 3(1)(b), Rule 3(2) and Rule 4 of the IT Rules, 2021 are due diligence and grievance obligations and cannot be converted into a licensing scheme. Section 69A, the one provision that lets MeitY control what appears online, permits the blocking of specific information through a set procedure. It says nothing about which features a company may build. Further the IT Rules, 2021 are subordinate legislation made under Sections 79 and 87 of the IT Act, and subordinate rules cannot travel beyond the parent statute (Ajoy Kumar Banerjee v. Union of India). If a rule cannot exceed the Act, a letter certainly cannot. The power to require prior permission for a feature is not in the Act, not in the Rules, and cannot be created by a notice.
MeitY has tried this before. In March 2024 it told the same large intermediaries, among them AI Companies, to obtain its explicit permission before deploying under-tested AI models. That was criticised as an overreach that sought to build a licensing mechanism with no empowering provision in the IT Act, and within a fortnight MeitY withdrew it and dropped the permission requirement. This notice repeats the move for a single feature and goes further, because it names one company, sets a three-day clock, and bars the launch until MeitY is satisfied.
This matters beyond WhatsApp. A power asserted against one company by letter can be turned on any company and any feature. On this reasoning MeitY could tell a browser not to switch on a privacy setting by default, or a payments app not to add a login method, each time until it was content. The notice also invokes traceability, through Rule 4(2) of the IT Rules, 2021 and the identification of the "first originator" of a message. Rule 4(2) has been challenged as exceeding its parent provision and resting on no law made by Parliament, and that challenge is pending before the Delhi High Court. Raising it against a feature meant to share fewer identifiers fits a pattern.
We ask MeitY to state the exact provision of law under which this notice, and the direction to halt the roll-out, has been issued, and to withdraw that direction. It should stop using Section 79 and the contested traceability rule as leverage to control product design and to reverse features that improve privacy. Impersonation and fraud are real risks, but they are met by enforcing the criminal law against those who commit them, and by open processes that rest on identified legal powers. They are not met by MeitY deciding, in private and by letter, what features Indians may use. That is a licence raj for software features.
New Delhi, 1 July 2026
The tiresome part of being on this platform is that otherwise well-meaning people are unable to hold two truths at once.
Fraud fears around WhatsApp usernames are legitimate. Meta's own safeguards (reserved handles, contact-limits, impersonation detection) admit the risk exists.
Also true is the fact that the government has zero legal basis to unilaterally halt a product feature. This isn't a court order, it's a "notice" with a three-day ultimatum. It has been precedent-shopped from the Telegram ban, if you will.
Every time you let the "greater good" justify a workaround of due process, you just move the line on what government gets to touch next. Today it's a username field. It never stops at just that.
But @internetfreedom & a few other public watchdogs- people would never know that GoI routinely issues unlawful orders.
Also, questioning @GoI_MeitY is not an endorsement of WA’s feature; about which most are suspect. Even IFF has flagged concerns.
Hi Surabhi,
Thank you for your query.
We have asked several critical questions in press interactions from WhatsApp. These are covered most fully in a video interview with @sanket in an interview at @TheFederal_News. A few (2-3) press responses have been given and should also available with a Google news search.
In the same interview, @apar1984 (which predates this illegal notice) clearly indicates a legislative vaccum and the need for a digital competition act and other statutory instruments for digital regulation of digital platforms. Instead MeitY has avoided any legislative or regulatory approach and instead expanded its own powers by regular illegal amendments to the IT Rules. 2021.
Now that we have addressed you concern on our lack of any criticism of WhatsApp’s new feature, we can now inquire as to your opinion which terms our statement, “unbelievable”? We would benefit from any help how we can improve our work and if any sentence in the statement indicates support for this feature update or WhatsApp as an entity. Please do point it out and we are always happy to correct ourselves!
Over the past 7-6 years IFF have litigated against WhatsApp (on the 2021 privacy policy and we continue participating actively in the Supreme Court to support the CCI) and also filed a Shareholder’s resolution against META for a human rights audits in India. Even today will be litigating a case in the Delhi High Court on web censorship of a journalists post on Meta platforms. All of this is public record.
Our present statement focuses on the legality of MEITY issuing the present notice in which IT Rules, 2021 have been illegally used. We have been consistently highlighting its unconstitutional and authoritarian expansion and will continue to do so. Beyond the lack of legality we are deeply concerned with the reference to the traceability mandate. This is all present in the OP and while it is like reallly long, we request those who read this reply to go through the statement itself :)
Finally, if you do wish for comment you are as always free to reach out and we are happy to always respond to journalists within our capacity. With 7 full time staff (4 contractors) and an entire monthly spend is about 8-9 lakhs which includes not only statements but public advocacy, clinical assistance and strategic litigation we often don’t have capacity but try our best to be helpful.
Do reach out as you have in the past! We are at [email protected].
Have a good day!
Hey, where’s your “critical” statement on the WhatsApp move to usernames? I cant find it anywhere. Usernames clearly pose a massive risk of impersonation and cybercrime. It’s unbelievable that IFF is criticising the govt instead of asking Whatsapp some tough questions! And its not just a “feature”, it impacts 500 million Indians!
Worth holding onto IFF’s framing: this isn’t about defending WhatsApp, which collects your contact graph and metadata and hands it over on lawful request, unlike Signal. It’s about whether the power to halt a feature exists at all. And usernames change one narrow thing: your number is hidden from a first-time contact, not from Meta and not from law enforcement.
The stated fear is impersonation and lost traceability, but the state’s actual trace, through Meta’s records, is untouched. A scammer using a username is still fully resolvable on lawful process. So the concern is answered by enforcing the law against offenders, not by asserting a power to vet a feature before it ships.
@internetfreedom