Key facts
- India's Ministry of Electronics and Information Technology (MeitY) has raised concerns about WhatsApp's new username feature.
- Regulators warned the feature could facilitate impersonation and increase online fraud, phishing, and scams.
- MeitY directed WhatsApp to explain why regulatory action should not be initiated and to halt the feature's rollout.
- Examples of usernames resembling prominent Indian figures and institutions were found to be available for reservation.
- Meta stated it reserves usernames for public figures and government entities but did not detail its process for handling lookalike names.
WhatsApp has begun rolling out a username reservation feature, allowing users to be found and messaged via handles instead of phone numbers. This change, intended by Meta to enhance privacy, has immediately triggered concerns about impersonation and fraud, particularly in India, WhatsApp's largest market.
Security experts and Indian regulators have voiced apprehension that the new system could enable malicious actors to impersonate individuals, public authorities, and financial institutions without revealing their phone numbers. Early testing revealed that usernames resembling prominent figures like Indian Prime Minister Narendra Modi, Bollywood stars Shah Rukh Khan and Amitabh Bachchan, and institutions such as the Reserve Bank of India were available for reservation.
Meta has stated that it reserves usernames for public figures and government entities, along with some variations, but has not elaborated on its process for identifying and reserving lookalike handles. Binance founder Changpeng Zhao reported being unable to reserve his existing handle, "cz_binance."
India's Ministry of Electronics and Information Technology (MeitY) issued a notice to WhatsApp, warning that the feature could significantly increase online fraud, phishing, and impersonation attacks. The ministry directed WhatsApp to explain why regulatory action should not be taken under India's IT laws and to pause the feature's rollout until consultations are complete.
Digital rights group Internet Freedom Foundation (IFF) criticized MeitY's notice, arguing it lacked a clear legal basis and could grant the executive excessive power over product design. They contend that impersonation and fraud should be addressed through criminal law enforcement rather than dictating platform features.
The situation draws parallels to observations made by the Delhi High Court regarding Telegram's username feature, which suggested that usernames could facilitate the concealment of identity and the faster spread of illicit content. Security experts like Rachel Tobac of SocialProof Security acknowledge that usernames offer a privacy benefit by reducing phone number sharing but emphasize that lookalike handles still present impersonation risks. Tobac advises users to choose unique, non-guessable usernames.
The Mozilla Foundation also flagged potential downsides, including an increase in scams from fake handles, and noted that while usernames reduce phone number exposure, the platform's design choices permit these harms. They also pointed out that Meta's ability to link usernames across its platforms highlights its control over user identity management.
