WhatsApp Usernames, Cybercrime and Privacy: Understanding India’s Intermediary Liability Framework
Why is it in News?
The Ministry of Electronics and Information Technology has raised concerns over a proposed username-based feature for WhatsApp. The feature could allow users to communicate through unique usernames without necessarily revealing their mobile numbers to people they contact.
The government’s concern is that while hiding phone numbers may improve privacy, it could also make it more difficult for ordinary users to identify unknown senders and may create new opportunities for:
- Online impersonation
- Investment fraud
- Phishing
- Digital arrest scams
- Identity concealment
- Cross-border cybercrime
The controversy highlights a larger policy dilemma:
How can India protect user privacy without weakening online accountability and cybercrime prevention?
For UPSC aspirants, the issue is important under Cyber Security, Social Media Regulation, Information Technology Act, Intermediary Liability, Privacy, Digital Governance and Artificial Intelligence.
What is the Proposed WhatsApp Username Feature?
At present, WhatsApp accounts are primarily linked to mobile phone numbers.
The proposed username system would allow a user to create a unique digital identity similar to those used on many other online platforms.
Instead of sharing a personal phone number, a person could potentially be contacted through a username.
For example:
Current System: Communication based mainly on mobile number
Proposed System: Communication possible through a unique username
The basic purpose is to improve privacy by preventing users from having to reveal their phone numbers to every person or organization they contact.
Why Can a Username Improve Privacy?
A mobile number is more than a communication tool.
It may be linked with:
- Bank accounts
- UPI services
- Government services
- Business records
- Social media accounts
- Personal identity databases
Sharing a mobile number with strangers can therefore expose users to:
- Spam calls
- Unwanted messages
- Data harvesting
- Profiling
- Social engineering attacks
A username can create a privacy layer between a person’s public digital identity and their private mobile number.
Why is the Government Concerned?
The central concern is not simply the use of usernames.
The concern is whether greater anonymity could make online fraud easier.
Suppose an unknown person contacts a user using only a username.
The receiver may find it more difficult to determine:
- Where the sender is located
- Whether the account is genuine
- Whether the sender is using multiple identities
- Whether the account is linked to previous fraud
Cybercriminals could potentially exploit this uncertainty to impersonate:
- Police officers
- Government agencies
- Bank officials
- Investment advisers
- Company representatives
This creates a classic digital governance dilemma.
Privacy requires limiting unnecessary identity exposure.
But:
Cyber security requires sufficient traceability and accountability.
Understanding Social Media Intermediaries
The controversy must be understood within India’s broader system of intermediary regulation.
An intermediary is an entity that receives, stores, transmits or provides services related to information created by someone else.
Examples may include:
- Social media platforms
- Messaging services
- Internet service providers
- Search engines
- Online marketplaces
- Web-hosting services
The intermediary generally provides the infrastructure through which users communicate or publish content.
What is Intermediary Liability?
Intermediary liability refers to the legal responsibility of an online platform for content created or transmitted by its users.
Consider a simple example.
A user posts unlawful content on a social media platform.
The legal question is:
Should only the user be responsible?
or
Should the platform also be held responsible?
Indian law attempts to answer this through the principle of:
Safe Harbour
Section 79 of the IT Act, 2000
The legal foundation of intermediary protection is:
Section 79 of the Information Technology Act, 2000
Section 79 provides conditional legal immunity to intermediaries for third-party information hosted or transmitted through their services.
This protection is commonly known as:
Safe Harbour
What is Safe Harbour?
Safe harbour means that an intermediary is generally not automatically responsible for unlawful content created by its users.
Consider a simple example.
If a user sends an illegal message through an online platform, the platform does not automatically become the author or publisher of that message.
However, this protection is:
Conditional, Not Absolute
The intermediary must follow the due diligence requirements prescribed by law.
When Does Safe Harbour Apply?
Broadly, the protection is available when the intermediary acts as a neutral technological facilitator.
The intermediary should not:
- Initiate the transmission.
- Select the receiver of the transmission.
- Select or modify the information contained in the transmission.
The basic principle is:
Neutral Conduit = Greater Legal Protection
When Can an Intermediary Lose Safe Harbour?
An intermediary may lose its legal protection if it fails to comply with statutory obligations.
This may happen when it:
- Violates prescribed due diligence requirements.
- Fails to comply with a valid legal order.
- Participates in unlawful activity.
- Aids or induces the commission of an unlawful act.
Loss of safe harbour can expose the intermediary to liability under applicable Indian laws.
The Meaning of “Actual Knowledge”
A major controversy surrounding intermediary liability concerned the meaning of:
Actual Knowledge
Should a platform remove content whenever a private person claims that the content is illegal?
The Supreme Court addressed this question in the landmark:
Shreya Singhal v. Union of India
What Did the Supreme Court Decide?
The Court restricted the meaning of “actual knowledge” to protect online free speech.
An intermediary cannot generally be expected to decide the legality of every disputed piece of content merely because a private complaint has been made.
For the relevant takedown obligation, legal action is generally triggered by:
- A court order, or
- A valid notification from the appropriate government or authorised agency under the law.
This prevents private complaints from automatically becoming instruments of censorship.
Why Was the Shreya Singhal Judgment Important?
Without such protection, platforms might remove lawful content whenever they receive a complaint.
This could lead to:
Over-Censorship
Platforms may remove content simply to avoid legal risks.
The judgment therefore sought to balance:
- Freedom of speech
- Government regulation
- Platform responsibility
- Online safety
Special Protection Against Intimate and Sexually Explicit Content
The IT Rules provide a faster grievance mechanism for certain highly harmful content involving an individual.
This includes content that:
- Exposes private areas.
- Depicts nudity or sexual acts.
- Involves impersonation, including certain artificially morphed content.
After receiving a qualifying complaint from the affected individual or an authorised person, the intermediary must act within the prescribed short timeline.
The purpose is to protect victims from:
- Non-consensual intimate imagery
- Sexual privacy violations
- Image-based abuse
- Harmful manipulated content
What are Social Media Intermediaries?
The IT Rules distinguish between different categories of online platforms.
Social Media Intermediary (SMI)
A social media intermediary primarily enables online interaction between users and allows them to:
- Create information
- Upload content
- Share information
- Modify content
- Disseminate information
What is a Significant Social Media Intermediary (SSMI)?
A large social media platform with:
50 Lakh or More Registered Users in India
is classified as a:
Significant Social Media Intermediary
Because these platforms can influence millions of people and shape public discourse, they face additional compliance requirements.
Why are SSMIs Regulated More Strictly?
Large digital platforms can influence:
- Elections
- Public opinion
- Social stability
- Financial behaviour
- National security
Their massive scale can also amplify:
- Misinformation
- Hate speech
- Cyber fraud
- Deepfakes
- Coordinated manipulation
Therefore, the law imposes additional responsibilities on them.
Additional Due Diligence for SSMIs
Chief Compliance Officer
The platform must appoint a:
Chief Compliance Officer (CCO)
The officer is responsible for ensuring compliance with the IT Act and relevant rules.
The person must be a key managerial personnel or senior employee and must be resident in India.
Nodal Contact Person
The platform must appoint a:
Nodal Contact Person
This person facilitates coordination with:
- Law enforcement agencies
- Government authorities
The role requires round-the-clock coordination capability.
Resident Grievance Officer
The platform must also appoint a:
Resident Grievance Officer
The officer handles:
- User complaints
- Grievance redressal
- Compliance with complaint timelines
The officer must be resident in India.
Other Important Obligations
Significant platforms may also have to follow requirements relating to:
- Grievance redressal
- Compliance reports
- Preservation of information
- Cooperation with lawful investigations
- Transparency in platform governance
The objective is to make large digital platforms more accountable.
The WhatsApp Username Dilemma
The controversy can be understood as a conflict between two legitimate objectives.
| Privacy Benefits | Security Concerns |
|---|---|
| Hides personal mobile numbers | May reduce visible identity signals |
| Reduces unwanted number sharing | Could help impersonators |
| Protects personal contact details | May complicate fraud detection |
| Creates a privacy layer | Could increase trust problems with unknown users |
The policy challenge is therefore not simply:
Privacy vs Security
The real challenge is:
How to achieve both privacy and security simultaneously?
Why Could Usernames Help Users?
Username-based communication can be useful when people interact with:
- Online sellers
- Delivery agents
- Public groups
- Customer support services
- Unknown business contacts
A user may not want to reveal a permanent mobile number in every such interaction.
From a privacy perspective, this is a genuine benefit.
Why Could Usernames Create Cybercrime Risks?
Cyber fraud often depends on:
Identity Manipulation
Fraudsters create a false sense of authority or trust.
A username-only environment may potentially make it easier to create deceptive identities that resemble:
- Government agencies
- Banks
- Police officers
- Companies
- Famous personalities
The risk becomes greater when users cannot easily identify the geographical origin or authenticity of an unknown account.
Digital Arrest Scams and Identity Deception
India has witnessed growing concern over so-called:
Digital Arrest Scams
In such frauds, criminals may impersonate:
- Police officers
- Investigation agencies
- Customs officials
- Financial regulators
Victims are threatened through calls or video communication and pressured into transferring money.
The debate over usernames therefore forms part of the wider challenge of preventing identity-based cyber fraud.
Encryption and Traceability
Messaging platforms also raise another important issue:
End-to-End Encryption
Under end-to-end encryption, the contents of a message are intended to be accessible only to the sender and receiver.
This protects:
- Personal privacy
- Confidential communication
- Financial information
However, law enforcement agencies often raise concerns about investigating serious crimes committed through encrypted platforms.
This creates another difficult balance between:
Privacy
and
Lawful Investigation
Way Forward
Cooperative Regulation
Governments and technology platforms should work together instead of treating privacy and security as mutually exclusive.
Technical solutions should be explored before imposing outright restrictions.
Stronger Verification for Sensitive Accounts
Additional safeguards may be considered for accounts claiming to represent:
- Government institutions
- Banks
- Public authorities
- Major businesses
This can reduce impersonation.
Better Warnings for Unknown Users
Platforms can prominently warn users when:
- The sender is not in their contacts.
- The account is newly created.
- The account shows suspicious behaviour.
Strong Anti-Impersonation Systems
Platforms should rapidly identify and act against accounts falsely claiming to represent public institutions.
User-Controlled Privacy
Users should be able to protect their mobile numbers while retaining access to safety tools.
Cyber Awareness Campaigns
Citizens should be educated about:
- Digital arrest scams
- Phishing
- Fake investment schemes
- OTP fraud
- Malicious links
- Impersonation
Technology alone cannot prevent cybercrime without informed users.
Conclusion
The debate over WhatsApp usernames reflects one of the most important challenges of the digital age: balancing privacy with accountability.
Protecting mobile numbers can reduce unnecessary exposure of personal information. At the same time, digital platforms must prevent anonymity features from becoming tools for impersonation, fraud and cybercrime.
India’s intermediary liability framework attempts to address this wider challenge through conditional safe harbour, due diligence obligations and additional responsibilities for large social media platforms.
The future of digital governance will depend not on choosing between privacy and security, but on designing systems that protect both.
UPSC Prelims Focus
| Feature | Details |
|---|---|
| Safe Harbour Provision | Section 79 of the IT Act, 2000 |
| Major Rules | IT Rules, 2021 |
| SSMI Threshold | 50 lakh registered users in India |
| Landmark Case | Shreya Singhal v. Union of India |
| Key Officers | CCO, Nodal Contact Person and Resident Grievance Officer |
| Nodal Ministry | Ministry of Electronics and Information Technology |
Previous Year Question
UPSC Prelims 2021
In India, it is mandatory for which of the following to report cyber security incidents?
- Service providers
- Data centres
- Body corporate
Select the correct answer:
(a) 1 only
(b) 1 and 2 only
(c) 3 only
(d) 1, 2 and 3
Correct Answer:
(d) 1, 2 and 3
UPSC Mains Previous Year Question
UPSC Mains 2020
What are social networking sites and what security implications do these sites present? What policy framework is needed to check the misuse of these sites?
UPSC Syllabus Mapping
GS Paper II: Government Policies, Governance, Regulation and Fundamental Rights
GS Paper III: Cyber Security, Communication Networks, Internal Security and Information Technology
GS Paper IV: Ethics of Technology, Privacy, Accountability and Corporate Responsibility
WhatsApp Usernames, Cybercrime and Privacy: Understanding India’s Intermediary Liability Framework
Why is it in News?
The Ministry of Electronics and Information Technology has raised concerns over a proposed username-based feature for WhatsApp. The feature could allow users to communicate through unique usernames without necessarily revealing their mobile numbers to people they contact.
The government’s concern is that while hiding phone numbers may improve privacy, it could also make it more difficult for ordinary users to identify unknown senders and may create new opportunities for:
- Online impersonation
- Investment fraud
- Phishing
- Digital arrest scams
- Identity concealment
- Cross-border cybercrime
The controversy highlights a larger policy dilemma:
How can India protect user privacy without weakening online accountability and cybercrime prevention?
For UPSC aspirants, the issue is important under Cyber Security, Social Media Regulation, Information Technology Act, Intermediary Liability, Privacy, Digital Governance and Artificial Intelligence.
What is the Proposed WhatsApp Username Feature?
At present, WhatsApp accounts are primarily linked to mobile phone numbers.
The proposed username system would allow a user to create a unique digital identity similar to those used on many other online platforms.
Instead of sharing a personal phone number, a person could potentially be contacted through a username.
For example:
Current System: Communication based mainly on mobile number
Proposed System: Communication possible through a unique username
The basic purpose is to improve privacy by preventing users from having to reveal their phone numbers to every person or organization they contact.
Why Can a Username Improve Privacy?
A mobile number is more than a communication tool.
It may be linked with:
- Bank accounts
- UPI services
- Government services
- Business records
- Social media accounts
- Personal identity databases
Sharing a mobile number with strangers can therefore expose users to:
- Spam calls
- Unwanted messages
- Data harvesting
- Profiling
- Social engineering attacks
A username can create a privacy layer between a person’s public digital identity and their private mobile number.
Why is the Government Concerned?
The central concern is not simply the use of usernames.
The concern is whether greater anonymity could make online fraud easier.
Suppose an unknown person contacts a user using only a username.
The receiver may find it more difficult to determine:
- Where the sender is located
- Whether the account is genuine
- Whether the sender is using multiple identities
- Whether the account is linked to previous fraud
Cybercriminals could potentially exploit this uncertainty to impersonate:
- Police officers
- Government agencies
- Bank officials
- Investment advisers
- Company representatives
This creates a classic digital governance dilemma.
Privacy requires limiting unnecessary identity exposure.
But:
Cyber security requires sufficient traceability and accountability.
Understanding Social Media Intermediaries
The controversy must be understood within India’s broader system of intermediary regulation.
An intermediary is an entity that receives, stores, transmits or provides services related to information created by someone else.
Examples may include:
- Social media platforms
- Messaging services
- Internet service providers
- Search engines
- Online marketplaces
- Web-hosting services
The intermediary generally provides the infrastructure through which users communicate or publish content.
What is Intermediary Liability?
Intermediary liability refers to the legal responsibility of an online platform for content created or transmitted by its users.
Consider a simple example.
A user posts unlawful content on a social media platform.
The legal question is:
Should only the user be responsible?
or
Should the platform also be held responsible?
Indian law attempts to answer this through the principle of:
Safe Harbour
Section 79 of the IT Act, 2000
The legal foundation of intermediary protection is:
Section 79 of the Information Technology Act, 2000
Section 79 provides conditional legal immunity to intermediaries for third-party information hosted or transmitted through their services.
This protection is commonly known as:
Safe Harbour
What is Safe Harbour?
Safe harbour means that an intermediary is generally not automatically responsible for unlawful content created by its users.
Consider a simple example.
If a user sends an illegal message through an online platform, the platform does not automatically become the author or publisher of that message.
However, this protection is:
Conditional, Not Absolute
The intermediary must follow the due diligence requirements prescribed by law.
When Does Safe Harbour Apply?
Broadly, the protection is available when the intermediary acts as a neutral technological facilitator.
The intermediary should not:
- Initiate the transmission.
- Select the receiver of the transmission.
- Select or modify the information contained in the transmission.
The basic principle is:
Neutral Conduit = Greater Legal Protection
When Can an Intermediary Lose Safe Harbour?
An intermediary may lose its legal protection if it fails to comply with statutory obligations.
This may happen when it:
- Violates prescribed due diligence requirements.
- Fails to comply with a valid legal order.
- Participates in unlawful activity.
- Aids or induces the commission of an unlawful act.
Loss of safe harbour can expose the intermediary to liability under applicable Indian laws.
The Meaning of “Actual Knowledge”
A major controversy surrounding intermediary liability concerned the meaning of:
Actual Knowledge
Should a platform remove content whenever a private person claims that the content is illegal?
The Supreme Court addressed this question in the landmark:
Shreya Singhal v. Union of India
What Did the Supreme Court Decide?
The Court restricted the meaning of “actual knowledge” to protect online free speech.
An intermediary cannot generally be expected to decide the legality of every disputed piece of content merely because a private complaint has been made.
For the relevant takedown obligation, legal action is generally triggered by:
- A court order, or
- A valid notification from the appropriate government or authorised agency under the law.
This prevents private complaints from automatically becoming instruments of censorship.
Why Was the Shreya Singhal Judgment Important?
Without such protection, platforms might remove lawful content whenever they receive a complaint.
This could lead to:
Over-Censorship
Platforms may remove content simply to avoid legal risks.
The judgment therefore sought to balance:
- Freedom of speech
- Government regulation
- Platform responsibility
- Online safety
Special Protection Against Intimate and Sexually Explicit Content
The IT Rules provide a faster grievance mechanism for certain highly harmful content involving an individual.
This includes content that:
- Exposes private areas.
- Depicts nudity or sexual acts.
- Involves impersonation, including certain artificially morphed content.
After receiving a qualifying complaint from the affected individual or an authorised person, the intermediary must act within the prescribed short timeline.
The purpose is to protect victims from:
- Non-consensual intimate imagery
- Sexual privacy violations
- Image-based abuse
- Harmful manipulated content
What are Social Media Intermediaries?
The IT Rules distinguish between different categories of online platforms.
Social Media Intermediary (SMI)
A social media intermediary primarily enables online interaction between users and allows them to:
- Create information
- Upload content
- Share information
- Modify content
- Disseminate information
What is a Significant Social Media Intermediary (SSMI)?
A large social media platform with:
50 Lakh or More Registered Users in India
is classified as a:
Significant Social Media Intermediary
Because these platforms can influence millions of people and shape public discourse, they face additional compliance requirements.
Why are SSMIs Regulated More Strictly?
Large digital platforms can influence:
- Elections
- Public opinion
- Social stability
- Financial behaviour
- National security
Their massive scale can also amplify:
- Misinformation
- Hate speech
- Cyber fraud
- Deepfakes
- Coordinated manipulation
Therefore, the law imposes additional responsibilities on them.
Additional Due Diligence for SSMIs
Chief Compliance Officer
The platform must appoint a:
Chief Compliance Officer (CCO)
The officer is responsible for ensuring compliance with the IT Act and relevant rules.
The person must be a key managerial personnel or senior employee and must be resident in India.
Nodal Contact Person
The platform must appoint a:
Nodal Contact Person
This person facilitates coordination with:
- Law enforcement agencies
- Government authorities
The role requires round-the-clock coordination capability.
Resident Grievance Officer
The platform must also appoint a:
Resident Grievance Officer
The officer handles:
- User complaints
- Grievance redressal
- Compliance with complaint timelines
The officer must be resident in India.
Other Important Obligations
Significant platforms may also have to follow requirements relating to:
- Grievance redressal
- Compliance reports
- Preservation of information
- Cooperation with lawful investigations
- Transparency in platform governance
The objective is to make large digital platforms more accountable.
The WhatsApp Username Dilemma
The controversy can be understood as a conflict between two legitimate objectives.
| Privacy Benefits | Security Concerns |
|---|---|
| Hides personal mobile numbers | May reduce visible identity signals |
| Reduces unwanted number sharing | Could help impersonators |
| Protects personal contact details | May complicate fraud detection |
| Creates a privacy layer | Could increase trust problems with unknown users |
The policy challenge is therefore not simply:
Privacy vs Security
The real challenge is:
How to achieve both privacy and security simultaneously?
Why Could Usernames Help Users?
Username-based communication can be useful when people interact with:
- Online sellers
- Delivery agents
- Public groups
- Customer support services
- Unknown business contacts
A user may not want to reveal a permanent mobile number in every such interaction.
From a privacy perspective, this is a genuine benefit.
Why Could Usernames Create Cybercrime Risks?
Cyber fraud often depends on:
Identity Manipulation
Fraudsters create a false sense of authority or trust.
A username-only environment may potentially make it easier to create deceptive identities that resemble:
- Government agencies
- Banks
- Police officers
- Companies
- Famous personalities
The risk becomes greater when users cannot easily identify the geographical origin or authenticity of an unknown account.
Digital Arrest Scams and Identity Deception
India has witnessed growing concern over so-called:
Digital Arrest Scams
In such frauds, criminals may impersonate:
- Police officers
- Investigation agencies
- Customs officials
- Financial regulators
Victims are threatened through calls or video communication and pressured into transferring money.
The debate over usernames therefore forms part of the wider challenge of preventing identity-based cyber fraud.
Encryption and Traceability
Messaging platforms also raise another important issue:
End-to-End Encryption
Under end-to-end encryption, the contents of a message are intended to be accessible only to the sender and receiver.
This protects:
- Personal privacy
- Confidential communication
- Financial information
However, law enforcement agencies often raise concerns about investigating serious crimes committed through encrypted platforms.
This creates another difficult balance between:
Privacy
and
Lawful Investigation
Way Forward
Cooperative Regulation
Governments and technology platforms should work together instead of treating privacy and security as mutually exclusive.
Technical solutions should be explored before imposing outright restrictions.
Stronger Verification for Sensitive Accounts
Additional safeguards may be considered for accounts claiming to represent:
- Government institutions
- Banks
- Public authorities
- Major businesses
This can reduce impersonation.
Better Warnings for Unknown Users
Platforms can prominently warn users when:
- The sender is not in their contacts.
- The account is newly created.
- The account shows suspicious behaviour.
Strong Anti-Impersonation Systems
Platforms should rapidly identify and act against accounts falsely claiming to represent public institutions.
User-Controlled Privacy
Users should be able to protect their mobile numbers while retaining access to safety tools.
Cyber Awareness Campaigns
Citizens should be educated about:
- Digital arrest scams
- Phishing
- Fake investment schemes
- OTP fraud
- Malicious links
- Impersonation
Technology alone cannot prevent cybercrime without informed users.
Conclusion
The debate over WhatsApp usernames reflects one of the most important challenges of the digital age: balancing privacy with accountability.
Protecting mobile numbers can reduce unnecessary exposure of personal information. At the same time, digital platforms must prevent anonymity features from becoming tools for impersonation, fraud and cybercrime.
India’s intermediary liability framework attempts to address this wider challenge through conditional safe harbour, due diligence obligations and additional responsibilities for large social media platforms.
The future of digital governance will depend not on choosing between privacy and security, but on designing systems that protect both.
UPSC Prelims Focus
| Feature | Details |
|---|---|
| Safe Harbour Provision | Section 79 of the IT Act, 2000 |
| Major Rules | IT Rules, 2021 |
| SSMI Threshold | 50 lakh registered users in India |
| Landmark Case | Shreya Singhal v. Union of India |
| Key Officers | CCO, Nodal Contact Person and Resident Grievance Officer |
| Nodal Ministry | Ministry of Electronics and Information Technology |
Previous Year Question
UPSC Prelims 2021
In India, it is mandatory for which of the following to report cyber security incidents?
- Service providers
- Data centres
- Body corporate
Select the correct answer:
(a) 1 only
(b) 1 and 2 only
(c) 3 only
(d) 1, 2 and 3
Correct Answer:
(d) 1, 2 and 3
UPSC Mains Previous Year Question
UPSC Mains 2020
What are social networking sites and what security implications do these sites present? What policy framework is needed to check the misuse of these sites?
UPSC Syllabus Mapping
GS Paper II: Government Policies, Governance, Regulation and Fundamental Rights
GS Paper III: Cyber Security, Communication Networks, Internal Security and Information Technology
GS Paper IV: Ethics of Technology, Privacy, Accountability and Corporate Responsibility











