WhatsApp this week began rolling out username reservations forward of the broader launch deliberate later this yr. The function — which lets folks discover and message one another by deal with as an alternative of cellphone quantity — is already elevating impersonation considerations, drawing scrutiny from safety specialists and regulators in India, the app’s largest market, with greater than 500 million customers.
The rollout marks a shift in how folks determine each other on WhatsApp. As an alternative of counting on cellphone numbers as the first identifier, customers will more and more work together by means of platform-managed usernames, a change that Meta says improves privateness however that critics argue may create new alternatives for impersonation.
In early testing, TechCrunch discovered usernames resembling outstanding politicians, celebrities, enterprise figures, and public establishments — together with “indiamodi”, “shahrukh.actor”, “teamamitabh”, “ambanijio”, and “rbi_verify” — have been nonetheless obtainable to order. These reference Indian Prime Minister Narendra Modi, Bollywood actors Shah Rukh Khan and Amitabh Bachchan, billionaire Mukesh Ambani’s telecom firm Jio, and the Reserve Financial institution of India, respectively. Individually, Binance founder Changpeng Zhao mentioned on X that he couldn’t reserve “cz_binance,” the deal with he already makes use of on that platform.
Requested about the way it protects in opposition to impersonation, Meta instructed TechCrunch it reserves usernames for public figures, authorities entities, and “some variations” of these names so solely the respectable proprietor can declare them. The corporate didn’t clarify, nonetheless, the way it decides which lookalike usernames get proactively reserved and which don’t.
The considerations have already reached regulators in India, the place cyber fraud schemes steadily exploit messaging platforms to impersonate police, banks, and authorities officers.
In a discover despatched to WhatsApp on Wednesday and reviewed by TechCrunch, the Ministry of Electronics and Info Know-how (MeitY) mentioned the function may “materially improve the incidence of on-line fraud, phishing, digital arrest scams and impersonation assaults” by enabling dangerous actors to contact customers with out exposing their cellphone numbers.
The ministry additionally warned that usernames may facilitate impersonation of “people, public authorities, monetary establishments, and authorities companies” by permitting usernames intently resembling these of real folks or organizations. It directed WhatsApp to clarify why regulatory motion shouldn’t be initiated below India’s IT legal guidelines and requested the corporate to not roll out the function till consultations have been accomplished.
A senior authorities official individually instructed TechCrunch that the Indian IT ministry is cognizant of the problem and is participating with WhatsApp over the function.
That intervention has drawn its personal pushback from New Delhi-based digital rights group Web Freedom Basis (IFF), which mentioned the discover lacked a transparent authorized foundation and risked giving the chief broad powers to dictate product design. (It’s a dilemma that operators constructing in regulated markets know effectively: guidelines made case-by-case, by letter, are tougher to plan round than guidelines made within the open.)
“Impersonation and fraud are actual dangers, however they’re met by imposing the felony legislation in opposition to those that commit them,” the group mentioned in a press release. “They aren’t met by MeitY deciding, in personal and by letter, what options Indians might use.”
The talk echoes a related remark the Delhi Excessive Court docket made in a case involving Telegram, the place the court docket mentioned that utilizing usernames as an alternative of cellphone numbers may make it simpler to hide consumer id and unfold illicit content material quicker. That case wasn’t about WhatsApp, however the parallel has been resurfacing in public dialogue as WhatsApp prepares its personal launch.
Privateness, belief, and platform energy
Rachel Tobac, chief govt of SocialProof Safety, referred to as usernames a internet privateness acquire as a result of they cut back the necessity to share cellphone numbers, which may expose customers to SIM-swap assaults, phishing, and account takeovers. Nonetheless, she mentioned, lookalike usernames nonetheless create alternatives for impersonation.
“In the end, usernames are a fantastic concept to keep away from leaking your cellphone quantity to people you don’t know, nevertheless it’s vital to confirm id with the username operate too,” Tobac instructed TechCrunch.
Her recommendation for many customers: choose a username that isn’t simply guessable, so it’s tougher for attackers to seek out you, message you chilly, or harass and spam you.
Even WhatsApp acknowledges usernames gained’t be one-size-fits-all. In an FAQ posted on X on Wednesday, the corporate mentioned most customers ought to select a username distinctive to WhatsApp. Nevertheless, it additionally lets customers declare their present Instagram or Fb usernames by linking their accounts, saying the choice is meant to assist creators, companies, and organizations keep a constant id throughout Meta’s platforms whereas decreasing impersonation.
The Mozilla Basis mentioned the introduction of usernames is prone to carry new tradeoffs. “Elevated scams and impersonation from pretend handles are probably a giant one,” it instructed TechCrunch. “Checking a cellphone quantity is usually a helpful verification instrument, however these harms are additionally permitted by the platform’s elementary design decisions.”
Mozilla additionally flagged a broader interoperability query — one value logging if you happen to’re constructing on high of, or competing with, Meta’s ecosystem. Whereas letting customers declare their present Fb and Instagram usernames might minimize down on impersonation, it additionally reveals how simply Meta can sew id collectively throughout its personal apps, whilst customers nonetheless can’t take that id, or their contacts, to a rival platform.
For now, WhatsApp says it’s taking a gradual strategy to the rollout. “We’re taking our time and listening to suggestions in order that when it rolls out later this yr we get it proper,” the corporate mentioned in its FAQ.
Once you buy by means of hyperlinks in our articles, we might earn a small fee. This doesn’t have an effect on our editorial independence.
