WhatsApp Usernames: Privacy vs Security Debate in India
WhatsApp Usernames: Privacy vs Security Debate in India

WhatsApp Usernames: A Privacy Feature Under Government Scrutiny

Meta announced on June 29 that WhatsApp users would soon be able to be found and messaged by a chosen handle instead of a phone number. The Ministry of Electronics and Information Technology (MeitY) swiftly responded with a notice, seeking a detailed explanation within three days and directing WhatsApp not to launch the feature in India until consultations with MeitY, the Ministry of Home Affairs (MHA), and rival messaging platforms were complete. The ministry's fear, spelled out in the notice, is that usernames could "materially increase" online fraud, phishing, digital arrest scams, and impersonation.

For a market of more than 500 million users — WhatsApp's largest anywhere — caution is understandable. However, the feature is not a gift to fraudsters but a tool that benefits ordinary users. With the safeguards Meta has built, it can meet the government's security and impersonation concerns. Three points make the case.

Closing a Privacy Leak That Fuels Fraud

The government's premise is that hiding a phone number is dangerous. Yet WhatsApp already exposes numbers to strangers today, most glaringly the moment a user is added to a group. In a group of unknown participants, one's number is laid bare to every member, and such groups have become a documented harvesting ground for spammers and scammers who scrape numbers to seed the very frauds the state is trying to stop.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

A phone number is not a neutral identifier; in India it is tied to one's bank, UPI, Aadhaar, and OTPs, which is exactly why fraudsters prize it. Digital arrest scams where criminals impersonate the CBI, Enforcement Directorate, or RBI to terrify victims into transferring money accounted for close to a tenth of the roughly Rs 22,495 crore Indians lost to cyber fraud in 2025, across some 28 lakh complaints logged by the MHA and the Indian Cyber Crime Coordination Centre. Those campaigns begin with a working phone number. By letting users chat, connect in groups, and deal with strangers without surrendering their digits, usernames shrink the pool of exposed numbers that scammers depend on. The feature narrows an existing attack surface rather than opening a new one — a direct benefit to users and, in aggregate, to public safety.

Traceability Survives: The Number Never Disappears

The heart of the security objection is traceability: an Indian +91 number gives investigators a thread to pull, and officials worry usernames sever it. They do not. Every WhatsApp account will still require a phone number to register and operate; the username is only a display layer, not a replacement for identity. To another user, the number is hidden, the privacy win, but to the platform, and through lawful process to law enforcement, it remains on record as an anchor for tracing. Meta has also said users receiving a first-time message will still be shown whether the sender is a brand-new account or based abroad, giving investigators and recipients alike more signal, not less.

Crucially, the government already holds the lever to guarantee this. The Department of Telecommunications' SIM-binding directive requires WhatsApp, Signal, Telegram, and other platforms to tie handles to a verified number, precisely so a username-based account stays attributable. The genuine gap the police cite — a foreign number impersonating an official with no Indian trail, exists today, independent of usernames, and is a matter of cross-border cooperation and WhatsApp's response times to law-enforcement requests, an area where its reported multi-day turnaround is a fair grievance. That is a problem to be fixed through binding cooperation norms, not by blocking a privacy feature that leaves the domestic tracing anchor fully intact.

Pickt after-article banner — collaborative shopping lists app with family illustration

Design Built to Defeat Impersonation

MeitY's sharpest worry is lookalike handles — an "RBI verify" or a doctored "Modi" impersonating institutions and public figures. Here, Meta's architecture is deliberately hostile to the abuse. There is no public directory, no search, and no autocomplete, so a stranger cannot browse for you or stumble onto a convincing fake; they must already know your exact username to make contact. High-profile names belonging to public figures, government bodies, and celebrities are held back so only their legitimate owners can claim them, and Meta says it reserves some lookalike derivatives as well. Businesses, creators, and organisations can lock in the same handle they already use on Instagram or Facebook by proving ownership through the Meta Accounts Centre — building consistency of identity across apps and reducing spoofing.

Layered on top are limits on how many new people an account can contact, protections against username-guessing, and an optional numeric "username key" that a stranger must enter before reaching you. Compared with a raw phone number, which anyone who harvests it can save and message, this is a materially harder environment for impersonation. Where gaps remain, such as which lookalikes get proactively reserved, they are refinements to negotiate in consultation, not reasons to shelve the feature.

Global Experience Supports a Measured View

Signal and Telegram already let users hide their numbers behind usernames; Signal pairs the option with a minimalist data footprint and little controversy, while Telegram's looser design has drawn criticism for enabling scams, a caution the Delhi High Court has echoed. Usernames are neither inherently reckless nor automatically safe: outcomes turn on the surrounding safeguards and on how responsibly the platform cooperates with authorities. On both counts, WhatsApp's model — phone number retained, no discovery directory, reserved names, contact limits, and an opt-in key — sits closer to the responsible end.

None of this means the government's scrutiny is misplaced; digital arrest and impersonation scams are a genuine national crisis, and consultation is the right instinct. One hopes the order is a pause, not a permanent ban, and it should stay that way.