WhatsApp this week started rolling retired username reservations up of the broader motorboat planned aboriginal this year. The diagnostic — which lets radical find and connection each different by grip alternatively of telephone fig — is already raising impersonation concerns, drafting scrutiny from information experts and regulators successful India, the app’s largest market, with much than 500 cardinal users.
The rollout marks a displacement successful however radical place 1 different connected WhatsApp. Instead of relying connected telephone numbers arsenic the superior identifier, users volition progressively interact done platform-managed usernames, a alteration that Meta says improves privateness but that critics reason could make caller opportunities for impersonation.
In aboriginal testing, TechCrunch recovered usernames resembling salient politicians, celebrities, concern figures, and nationalist institutions — including “indiamodi”, “shahrukh.actor”, “teamamitabh”, “ambanijio”, and “rbi_verify” — were inactive disposable to reserve. These notation Indian Prime Minister Narendra Modi, Bollywood actors Shah Rukh Khan and Amitabh Bachchan, billionaire Mukesh Ambani’s telecom institution Jio, and the Reserve Bank of India, respectively. Separately, Binance laminitis Changpeng Zhao said connected X that helium couldn’t reserve “cz_binance,” the grip helium already uses connected that platform.
Asked astir however it protects against impersonation, Meta told TechCrunch it reserves usernames for nationalist figures, authorities entities, and “some variations” of those names truthful lone the morganatic proprietor tin assertion them. The institution did not explain, however, however it decides which lookalike usernames get proactively reserved and which don’t.
The concerns person already reached regulators successful India, wherever cyber fraud schemes frequently exploit messaging platforms to impersonate police, banks, and authorities officials.
In a announcement sent to WhatsApp connected Wednesday and reviewed by TechCrunch, the Ministry of Electronics and Information Technology (MeitY) said the diagnostic could “materially summation the incidence of online fraud, phishing, integer apprehension scams and impersonation attacks” by enabling atrocious actors to interaction users without exposing their telephone numbers.
The ministry besides warned that usernames could facilitate impersonation of “individuals, nationalist authorities, fiscal institutions, and authorities agencies” by allowing usernames intimately resembling those of genuine radical oregon organizations. It directed WhatsApp to explicate wherefore regulatory enactment should not beryllium initiated nether India’s IT laws and asked the institution not to rotation retired the diagnostic until consultations were completed.
A elder authorities authoritative separately told TechCrunch that the Indian IT ministry is cognizant of the contented and is engaging with WhatsApp implicit the feature.
That involution has drawn its ain pushback from New Delhi-based integer rights radical Internet Freedom Foundation (IFF), which said the announcement lacked a wide ineligible ground and risked giving the enforcement wide powers to dictate merchandise design. (It’s a dilemma that operators gathering successful regulated markets cognize well: rules made case-by-case, by letter, are harder to program astir than rules made successful the open.)
“Impersonation and fraud are existent risks, but they are met by enforcing the transgression instrumentality against those who perpetrate them,” the radical said successful a statement. “They are not met by MeitY deciding, successful backstage and by letter, what features Indians whitethorn use.”
The statement echoes a similar observation the Delhi High Court made successful a lawsuit involving Telegram, wherever the tribunal said that utilizing usernames alternatively of telephone numbers could marque it easier to conceal idiosyncratic individuality and dispersed illicit contented faster. That lawsuit wasn’t astir WhatsApp, but the parallel has been resurfacing successful nationalist treatment arsenic WhatsApp prepares its ain launch.
Privacy, trust, and level power
Rachel Tobac, main enforcement of SocialProof Security, called usernames a nett privateness summation due to the fact that they trim the request to stock telephone numbers, which tin exposure users to SIM-swap attacks, phishing, and relationship takeovers. Still, she said, lookalike usernames inactive make opportunities for impersonation.
“Ultimately, usernames are a large thought to debar leaking your telephone fig to folks you don’t know, but it’s important to verify individuality with the username relation too,” Tobac told TechCrunch.
Her proposal for astir users: prime a username that isn’t easy guessable, truthful it’s harder for attackers to find you, connection you cold, oregon harass and spam you.
Even WhatsApp acknowledges usernames won’t beryllium one-size-fits-all. In an FAQ posted connected X connected Wednesday, the institution said astir users should take a username unsocial to WhatsApp. However, it besides lets users assertion their existing Instagram oregon Facebook usernames by linking their accounts, saying the enactment is intended to assistance creators, businesses, and organizations support a accordant individuality crossed Meta’s platforms portion reducing impersonation.
The Mozilla Foundation said the instauration of usernames is apt to bring caller tradeoffs. “Increased scams and impersonation from fake handles are perchance a large one,” it told TechCrunch. “Checking a telephone fig tin beryllium a utile verification tool, but these harms are besides permitted by the platform’s cardinal plan choices.”
Mozilla besides flagged a broader interoperability question — 1 worthy logging if you’re gathering connected apical of, oregon competing with, Meta’s ecosystem. While letting users assertion their existing Facebook and Instagram usernames whitethorn chopped down connected impersonation, it besides shows however easy Meta tin stitch individuality unneurotic crossed its ain apps, adjacent arsenic users inactive can’t instrumentality that identity, oregon their contacts, to a rival platform.
For now, WhatsApp says it is taking a gradual attack to the rollout. “We’re taking our clip and listening to feedback truthful that erstwhile it rolls retired aboriginal this twelvemonth we get it right,” the institution said successful its FAQ.
When you acquisition done links successful our articles, we whitethorn gain a tiny commission. This doesn’t impact our editorial independence.















English (US) ·