
Days after WhatsApp began rolling out username reservations for its yet-to-be-released feature, the platform seems to have run into a regulatory hurdle in India. The new feature, named usernames, allows people to find each other by username instead of phone number.
In a letter to the Meta-owned platform, the Ministry of Electronics and Information Technology (MeitY) said usernames could increase the instances of online fraud and digital arrest scams, and could unleash impersonation by allowing bad actors to contact users without revealing their phone numbers. The government body also warned that usernames resembling those of noted individuals, financial institutions or government agencies could lead to identity spoofing.
This is the latest attempt by the government to scrutinise anonymity features on messaging platforms. A few weeks ago, the government raised similar concerns about Telegram’s username-based messaging feature and argued that hiding phone numbers makes it difficult for law enforcement to identify users involved in cybercrime.
The latest standoff raises broader questions: are the government’s concerns justified, or do WhatsApp’s safeguards sufficiently address them?
What is changing?
Ever since its inception, WhatsApp has been relying on phone numbers as users’ identities. To message someone, you need to have their phone number. The new usernames feature is essentially changing that. Once rolled out, users will be able to reserve a unique username and eventually share it in place of their phone number.
WhatsApp’s upcoming usernames feature will let users connect without sharing their phone numbers.
This allows them to initiate conversations without sharing phone numbers, which have become one of their most personal identifiers. Even with the feature, one would still need a phone number to create and maintain a WhatsApp account.
Story continues below this ad
Users can reserve a unique username ahead of WhatsApp’s wider rollout later this year.
Unlike similar features on other platforms, WhatsApp claims that usernames will not be publicly searchable. There will be no public directory or username suggestions. To communicate with someone, one would need their exact username. WhatsApp said that users can also change or disable their username later. As an added layer of privacy, the platform is also introducing an optional ‘username key’. When it is activated, both the username and the key must be entered before someone can send the first message.
WhatsApp says usernames will not be publicly searchable and must be entered exactly to initiate contact.
Why is India concerned?
Based on MeitY’s letter to WhatsApp, the government’s primary concern seems to be that usernames could make it easier for scammers to impersonate notable individuals or organisations, while also making it harder for victims to identify them.
Over the past few years, India has witnessed a steep rise in phishing, financial fraud, and digital arrest scams, in which fraudsters impersonate police officers, government officials, or bank employees to pressure victims into transferring money. Government data shows cyber incidents more than doubled between 2022 and 2024, while millions of cybercrime complaints have been registered through the National Cyber Crime Reporting Portal, highlighting the growing scale of online financial fraud.
Officials are apprehensive that if fraudsters no longer need to expose their phone numbers, they could create convincing usernames that resemble prominent banks, regulators, or government agencies and reach out to victims with fewer visible identifiers. The government also warned that a feature like this could further complicate investigations by reducing the number of immediately visible identity information accessible to users and investigators.
Story continues below this ad
Can privacy and safety coexist?
WhatsApp argues that the feature is designed to improve privacy without sacrificing security. Digital rights experts say the feature could also benefit women and other vulnerable users who may not wish to share their phone numbers when joining groups or interacting with new contacts.
The platform said that, at its core, Usernames is a privacy feature, not a social media handle, and that there is no directory to browse or suggestions. When it comes to impersonation, WhatsApp has said it reserves usernames for public figures, celebrities, government entities, and verified Meta accounts, so only their legitimate owners can claim them. It has also reserved similar variations of many prominent names to reduce impersonation attempts.
Additionally, the platform said it will limit the number of new users an account can contact, block repeated attempts to guess usernames or username keys, and use automated systems to detect abusive behaviour or potential impersonation.
When users receive a first message from a username, WhatsApp will also display contextual information, such as whether the sender is a new account, already in the recipient’s contacts, shares common groups, or is based in another country, allowing recipients to make a more informed decision before responding.
Story continues below this ad
While the debate has largely focused on fraud risks, privacy advocates say the feature could also offer tangible benefits for users who do not want to disclose their phone numbers. “Without a doubt, this is a welcome feature for women, vulnerable users who would rather not reveal their mobile numbers to be contacted when joining WhatsApp groups and communities. The 850+ million userbase of WhatsApp also places larger scrutiny on WhatsApp than other messaging platforms,” said Nidhi Sudhan, co-founder of the Citizen Digital Foundation.
Are the government’s concerns legitimate?
Experts say the debate reflects a genuine tradeoff between user privacy and platform security. While the government’s apprehensions are technically credible, the risks will largely depend on how effectively the platform’s safeguards work in the real world.
Dr Srinivas Padmanabhuni, CTO of AiEnsured, said the concerns have “strong technical merit” because phone numbers currently act as traceable identifiers. “Phone numbers are tied to SIMs, KYC and telecom logs — physical, traceable anchors that raise the cost for an attacker. Usernames remove that barrier entirely,” he said. He added that usernames make it easier for fraudsters to create convincing identities at scale.
According to Padmanabhuni, usernames are “free, infinite and enable industrialised impersonation”, allowing attackers to create thousands of deceptive accounts using techniques such as leetspeak or lookalike characters to evade detection.
Story continues below this ad
Advocate Dr Chinmay Bhosale, co-founder of NYAI, said the government’s concerns were “not without merit”, given the scale of identity-based fraud and impersonation that could occur if safeguards were not built into the feature from the outset. “It’s not just government officials being impersonated for scams like digital arrests. This can very well extend to day-to-day frauds involving ordinary individuals as well,” he said.
Bhosale said robust verification measures would be essential if the feature is rolled out.”Proper safeguards should be in place, including tagging the right KYC documents to each account, thereby ensuring that the identity of the account holder can be authenticated,” he added.
He also warned that the lack of authentication could undermine trust in official communications from businesses, banks and government agencies, while creating greater opportunities for fraud and cybercrime.
Privacy gains versus security risks
However, Garima Saxena, programme manager at The Dialogue, said the risks are not unique to WhatsApp and should be viewed alongside the privacy benefits of reducing phone-number exposure.
Story continues below this ad
“Username-based contact systems can offer a privacy benefit by allowing users to connect without disclosing phone numbers. This is important because phone-number exposure can itself create risks of harassment, scraping, stalking, spam, and fraud,” she said.
Meanwhile, Tarun Wig, co-founder and CEO of Innefu Labs, said those privacy gains should be viewed in the context of how phone numbers function in India. “In India, the phone number quietly doubles as an identity and trust signal for a huge population that isn’t deeply tech-literate. So the benefit is real, it just needs to be rolled out alongside safeguards that preserve that same trust, not instead of it,” he said.
Saxena noted that WhatsApp’s implementation differs from platforms such as Telegram, where usernames are publicly searchable. “WhatsApp has stated that usernames will be optional, non-searchable, and usable only where someone knows the exact username. It will also offer an optional username key, meaning that a person may need both the username and key to initiate contact. This reduces discovery, impersonation, and unsolicited contact risks.” She said regulators should assess whether WhatsApp’s safeguards are sufficient for India’s threat landscape rather than treat usernames as inherently unsafe. Padmanabhuni, however, believes some important gaps remain.
“Reserved names block @whatsapp, not every permutation of it. Contact limits slow down spam but do little against targeted spear-phishing. Contextual warnings rely on user judgement, which is weak against panic-driven fraud like digital arrest scams.”
Story continues below this ad
Wig said reducing phone-number exposure addresses only one aspect of online fraud. “It only addresses one category of fraud. It does nothing to prevent social-engineering attacks, arguably it makes them easier, since a username offers none of the implicit verification a phone number currently provides,” he said.
Saxena said additional protections could further reduce the risks. She suggested making username keys and stricter first-contact controls the default for public-facing accounts, expanding lookalike detection beyond celebrities and government entities to commonly impersonated banks and public services, and displaying clearer context about first-time senders, such as whether an account is new, recently renamed or based in another country.
“From a policy perspective, the focus should be on escalation channels, clear impersonation-dispute processes, and time-bound mechanisms to freeze or revoke usernames where credible harm is shown,” she said.
What happens next?
WhatsApp has said usernames are not yet live and will be rolled out gradually later this year as it continues gathering feedback. India, which has more than 500 million WhatsApp users, remains the platform’s largest market, making the government’s position particularly significant.
Story continues below this ad
The outcome of the consultations could shape not only WhatsApp’s rollout in India but also regulators’ evaluation of future privacy-enhancing features. More broadly, the dispute reflects a growing tension between two competing priorities: protecting users’ privacy by reducing the amount of personal information they must share online, and ensuring that new technologies do not inadvertently facilitate fraud and impersonation.
View original source — Indian Express ↗
