What WhatsApp announced
A phone number will still be mandatory to create and use a WhatsApp account. The username does not replace the number for registration, it offers an alternative way to connect with new contacts without revealing that number during the first interaction, and users can change or remove their username whenever they want. Businesses and creators will also be able to claim their existing Instagram or Facebook usernames on WhatsApp to keep their identity consistent across Meta’s platforms.
What are the concerns
PTI reported that the government, as the statutory authority, needs to satisfy itself that the feature does not pose risks before it can proceed, and that if WhatsApp’s response is unsatisfactory, it may seek to prevent the rollout altogether.
Much of this concern stems from how usernames have played out on other platforms such as Telegram and Signal.
As usernames are self-chosen and easy to alter, threat actors can craft handles that closely mimic bank executives, officials or corporate brands, making phishing attempts look far more credible than a random phone number would.
Public usernames within large groups also make it easier for bad actors to scrape identities and build profiles of potential targets, feeding into more targeted scams and open source intelligence gathering.
There is also the problem of account recycling, since a username that is changed or deleted goes back into the public pool, letting someone else claim a recognisable handle and deceive contacts who assume they are still messaging the original user.
What WhatsApp has said
WhatsApp has pushed back on the idea that the feature is unsafe, saying it has built layered defences against impersonation and has safeguards in place such as limitations on how many new people an account can contact. In a statement, a WhatsApp spokesperson said:
“We’ve announced the option for people to reserve their preferred username on WhatsApp. The ability to use a username is not yet live and will roll out slowly later this year. To protect against impersonation, we’ve held the highest-profile names — think public figures, government entities, celebrities, verified Meta accounts — so they can only ever be claimed by their legitimate owners and lookalike derivatives of known names are held as well,” said WhatsApp on the impersonation fears raised by many over usernames usage.
Additionally, it said that users will still require a phone number to use WhatsApp and it has built multiple layers of defense against scams into usernames. These include: Other users need to know the exact username to message you, we will limit how many new people an account can contact, block repeated attempts to guess someone’s username key, and have systems to detect and remove activity showing common impersonation and abuse patterns.
“When the feature becomes available and someone sends you a message for the first time via your username, we will show you if they’re a new account, if they’re your contact, if you have groups in common, and if they’re based in a different country, so you can decide whether to respond,” said WhatsApp.
WhatsApp has also posted a detailed FAQ thread on X that addresses most of Meity’s concerns directly, covering how usernames can be reserved, what happens when someone tries to impersonate a well-known name, and how the username key limits unwanted contact.
It also noted that usernames, like phone numbers, cannot be searched within the app, and that the strongest safeguard against unwanted contact remains enabling a username key, which can be reset at any time to cut off new inbound messages. It also said that Linking an Instagram or Facebook account is only required if a user wants to match that handle’s username on WhatsApp, and the accounts can be unlinked afterward.
What legal advocates say
The Internet Freedom Foundation, a digital rights advocacy group, has pointed out that no clear legal provision forms the basis of Meity’s notice to Meta, in a post on X. It stated that Section 79 of the IT Act is a safe harbour provision governing when a platform can be held liable for user content, which it says does not necessarily extend to approving product features before release. It also referred to Sections 66C and 66D, which punish identity theft and cheating by personation, stating that these provisions are aimed at individuals who misuse a tool rather than at the company that builds it.
On the IT Rules, IFF stated that Rule 3(1)(b), Rule 3(2) and Rule 4 set out due diligence and grievance obligations, which it said do not necessarily translate into a licensing mechanism for approving features. It also referred to Section 69A, the provision that allows Meity to block specific online content through a defined procedure, stating that this does not necessarily cover vetting features before launch.
The group also referred to a March 2024 instance, when Meity asked large intermediaries including AI companies to seek permission before deploying under-tested AI models, a requirement it withdrew within a fortnight after it was flagged as lacking a clear empowering provision.