Why The Government’s WhatsApp Username Notice Misses The Actual Source Of Impersonation Fraud

MeitY has sent Meta a notice over WhatsApp’s unreleased username feature citing impersonation risk, but the phone number linked identity system it is defending has itself been the backbone of India’s biggest scam operations for years, a contradiction nobody in this debate is naming.

Highlights:

  • MeitY has directed Meta to defer WhatsApp’s username rollout and explain the feature within three days.
  • A government source said authorities will examine legal mechanisms to potentially block the feature if it is found risk prone.
  • Meta says it has already reserved high profile names for public figures and verified accounts to prevent impersonation.
  • India’s existing phone number based identity system has for years been the primary tool scammers use for impersonation through spoofed and rented SIM cards.
  • A meeting between MeitY, the Home Ministry and messaging platforms was scheduled within days of the notice being sent.

The Ministry of Electronics and Information Technology has asked Meta to pause the rollout of WhatsApp’s new username feature and explain, within three days, how it plans to prevent misuse. On the surface, this looks like exactly the kind of proactive consumer protection intervention regulators are supposed to make. Look one layer deeper, though, and the notice reveals something more interesting than a simple safety measure, it reveals a government defending an identity system, the phone number, that has itself been the primary weapon of impersonation fraud in India for the better part of a decade, while treating a feature designed partly to reduce that exposure as the newer, scarier risk.

The sequence of events is straightforward. Meta announced that WhatsApp users would soon be able to reserve unique usernames, allowing people to connect and message each other without sharing their phone numbers. Government sources speaking to news agency ANI were direct about the concern this triggered. According to one source, the government will look into WhatsApp’s username feature over impersonation concerns, examining legal mechanisms to possibly block the feature and assessing its overall legality, and could send Meta a formal legal notice if the feature is found to be risk prone. A separate official quoted by Business Standard went further, noting that the review would also examine whether the feature could be exploited by scammers, and that concerns around usernames not being available to original or genuine users were also being raised with WhatsApp for examination. MeitY has since directed Meta to defer the rollout until consultations are completed, and has asked the company for a detailed written explanation of the feature within three days.

Meta’s response, notably, was to point out that it had already anticipated this exact concern. A company spokesperson told reporters, “We’ve announced the option for people to reserve their preferred username on WhatsApp,” confirming the feature is not yet live and will roll out gradually later this year. The spokesperson added that the company has built multiple safeguards to prevent impersonation and scams, and confirmed that WhatsApp has deliberately held back the highest profile names, the kind attached to public figures, government entities, celebrities and verified Meta accounts, specifically so they cannot be claimed by anyone attempting to impersonate them. That detail matters, because it suggests the specific impersonation scenario the government is worried about, someone posing as a recognisable brand or official entity by claiming its name as a username, is precisely the failure mode Meta says it had already engineered against before the government’s notice ever arrived. A source within Meta separately confirmed to Business Standard that the company had received the notice from MeitY and was working with the government, though Meta itself declined to comment further on the record. Business Standard

Here is where the story most other coverage of this notice is missing sits. The government’s framing treats usernames as the introduction of a new impersonation risk into an otherwise trustworthy identity system. But the phone number based identity model that WhatsApp currently relies on, and that the government appears to be implicitly defending by resisting the shift away from it, has for years been the actual mechanism behind India’s largest impersonation and scam operations. Fraudsters routinely use rented, stolen or fraudulently issued SIM cards to spin up WhatsApp accounts tied to real, dialable phone numbers, numbers that carry an inherent credibility a random username never would, precisely because Indian users have been conditioned to trust a working phone number as a marker of a real, traceable person. Digital arrest scams, fake customs and courier fraud, impersonation of bank officials and even law enforcement, almost all of the headline grabbing WhatsApp scam categories that have plagued Indian users over the last two years have relied not on usernames, which do not currently exist on the platform, but on precisely the phone number system the government’s notice implicitly treats as the safer status quo.

This is not a minor rhetorical point, it changes how the underlying risk calculus should actually be read. A username system, properly implemented with reserved names for verified entities as Meta claims to have done, arguably reduces one specific attack surface, the ability to harvest a user’s phone number simply by messaging them, a technique used extensively for SIM swap targeting and cross platform account takeover attempts. What it does not eliminate is the broader trust exploitation problem, the ability to construct a plausible seeming identity and use it to defraud someone, which exists regardless of whether that identity is anchored to a phone number or a username. The government’s notice, focused narrowly on the username feature as the emerging threat, risks treating the symptom rather than the underlying disease, an Indian digital ecosystem where identity verification on messaging platforms has always been thin, and where the real fix would require far more structural intervention than delaying a single feature by a few months.

There is also a second, less discussed thread here worth pulling on, the practical reality of the rollout itself. Multiple users attempting to reserve their preferred usernames during the feature’s testing phase have reportedly run into a separate and somewhat ironic problem, being unable to secure names they had already registered previously, suggesting the rollout has technical kinks well beyond the fraud question the government is focused on. According to Business Standard, a meeting has been scheduled between Meity, the Ministry of Home Affairs and other messaging platforms offering similar username style features, to discuss the concerns collectively, which suggests this notice is not really a WhatsApp specific intervention at all, but the opening move in a broader regulatory conversation about how identity should work across India’s messaging ecosystem going forward. That is a legitimate and arguably overdue conversation to have. But framing it, as the current notice does, around a single unreleased feature that has already built in safeguards against the specific scenario cited, while leaving the far more exploited phone number system entirely unexamined, suggests a regulatory reflex built more around reacting to a headline generating announcement than around a coherent assessment of where India’s actual digital fraud exposure lies.

None of this means WhatsApp’s username feature deserves a free pass. Any new identity primitive on a platform used by hundreds of millions of Indians warrants genuine scrutiny, and the government’s instinct to ask hard questions before a feature reaches national scale is, in principle, the right one. But scrutiny is only useful if it is proportionate to actual risk, and right now the risk being scrutinised most intensely is a feature that has not yet shipped and that its maker says was built with impersonation protections from day one, while the identity system responsible for the vast majority of documented WhatsApp led fraud in India continues to operate exactly as it always has, unexamined, in the background of this entire debate. The more interesting question, one this notice does not appear to be asking, is not whether usernames are dangerous, it is why the phone number system that has enabled so much fraud already has never received anything close to the same three day ultimatum.

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *