Indian officials are demanding that WhatsApp stores its data locally, multiple reports say. Tech experts the BBC spoke to have also confirmed this.
Critics say that this will allow government agencies to access users private data.
Officials have been quoted as saying it is because of the Pegasus breach which used WhatsApp to target users devices – about 100 Indians were also affected.
But experts say that localisation of data is a “bizarre response”.
“This makes no sense at all. The location of the data had nothing to do with the Pegasus breach,” technology expert Prasanto K Roy told the BBC.
“WhatsApp was very transparent about the breach and reported it to the authorities. What is important now, is to find out who did it and how.”
“Data localisation completely goes against the whole concept of the internet which is a global network,” he added.
Reports have quoted government officials as saying that they wanted user data stored locally as the Pegasus breach “compromised national security“.
What was the Pegasus breach all about?
Hackers were able to install surveillance software on phones and other devices by using a major vulnerability in the messaging app.
Targets received video or voice call requests from an unknown number – which even if ignored, allowed the spyware, known as Pegasus, to be installed on the device. This allowed users to remotely access everything on the phone, including text messages and location.
WhatsApp fixed the vulnerability as soon as it was discovered and informed affected users.
It also filed a lawsuit against Israeli firm NSO Group, alleging it was behind the cyber-attacks that infected devices in April and May.
NSO Group, which makes software for surveillance, says it only works with government agencies and strongly denied responsibility for the attacks.
Activists and politicians pointed fingers at the state after WhatsApp revealed Indian journalists and activists were among those targeted.
The government has denied the claims.
However, it has also repeatedly refused to discuss the issue in parliament.
It refused to answer questions about who had authorised the attacks and instead cited a controversial law that specified the right of agencies to monitor and decrypt information in national security interest.
It also tried to stop a parliamentary committee on cyber security from discussing the matter, saying it did not fall under the purview of the panel.