The Ministry of Electronics and Information Technology, and the Ministry of Home Affairs is set to meet representatives of several peer-to-peer messaging platforms today (July 2) to discuss the implications of usernames on WhatsApp and potentially similar features elsewhere. The meeting follows a notice Meity sent WhatsApp asking it to defer the rollout of its new usernames feature, which lets users message each other without sharing phone numbers, until the ministry is satisfied the feature cannot be exploited for fraud. WhatsApp has pushed back, saying it has built multiple safeguards against impersonation and scams. Here is what has happened so far.

 


What WhatsApp announced

WhatsApp began rolling out username reservations on June 29, a feature that lets users connect with others without sharing their phone numbers. The system itself is not live yet, but users can reserve a unique username ahead of rollout planned later this year. Once live, users will be able to share a username instead of a phone number when starting a new conversation, and WhatsApp has said there will be no public directory or username suggestions, so someone will need to know the exact username to reach another user for the first time. An optional username key adds a further layer, requiring anyone messaging a user for the first time through their username to enter a code before the conversation can begin.

 


A phone number will still be mandatory to create and use a WhatsApp account. The username does not replace the number for registration, it offers an alternative way to connect with new contacts without revealing that number during the first interaction, and users can change or remove their username whenever they want. Businesses and creators will also be able to claim their existing Instagram or Facebook usernames on WhatsApp to keep their identity consistent across Meta’s platforms.


What are the concerns

Meity has asked Meta to defer the rollout until consultations are completed, citing concerns over impersonation, fraud and online scams, and has directed the company to submit a detailed explanation within three days. Business Standard reported that the Home Affairs Ministry first raised concerns about cyber fraud and conveyed them to Meity, prompting Thursday’s meeting with executives from several messaging platforms. Business Standard also reported that the examination would focus on whether the feature could be exploited by scammers, and that concerns about genuine users being unable to claim their own names were also being flagged to WhatsApp.

 


PTI reported that the government, as the statutory authority, needs to satisfy itself that the feature does not pose risks before it can proceed, and that if WhatsApp’s response is unsatisfactory, it may seek to prevent the rollout altogether.

 


Much of this concern stems from how usernames have played out on other platforms such as Telegram and Signal.

 


As usernames are self-chosen and easy to alter, threat actors can craft handles that closely mimic bank executives, officials or corporate brands, making phishing attempts look far more credible than a random phone number would.

 


Public usernames within large groups also make it easier for bad actors to scrape identities and build profiles of potential targets, feeding into more targeted scams and open source intelligence gathering.

 


There is also the problem of account recycling, since a username that is changed or deleted goes back into the public pool, letting someone else claim a recognisable handle and deceive contacts who assume they are still messaging the original user.


What WhatsApp has said


WhatsApp has pushed back on the idea that the feature is unsafe, saying it has built layered defences against impersonation and has safeguards in place such as limitations on how many new people an account can contact. In a statement, a WhatsApp spokesperson said:

 


“We’ve announced the option for people to reserve their preferred username on WhatsApp. The ability to use a username is not yet live and will roll out slowly later this year. To protect against impersonation, we’ve held the highest-profile names — think public figures, government entities, celebrities, verified Meta accounts — so they can only ever be claimed by their legitimate owners and lookalike derivatives of known names are held as well,” said WhatsApp on the impersonation fears raised by many over usernames usage.


Additionally, it said that users will still require a phone number to use WhatsApp and it has built multiple layers of defense against scams into usernames. These include: Other users need to know the exact username to message you, we will limit how many new people an account can contact, block repeated attempts to guess someone’s username key, and have systems to detect and remove activity showing common impersonation and abuse patterns.

 


“When the feature becomes available and someone sends you a message for the first time via your username, we will show you if they’re a new account, if they’re your contact, if you have groups in common, and if they’re based in a different country, so you can decide whether to respond,” said WhatsApp.

 


WhatsApp has also posted a detailed FAQ thread on X that addresses most of Meity’s concerns directly, covering how usernames can be reserved, what happens when someone tries to impersonate a well-known name, and how the username key limits unwanted contact.

 


It also noted that usernames, like phone numbers, cannot be searched within the app, and that the strongest safeguard against unwanted contact remains enabling a username key, which can be reset at any time to cut off new inbound messages. It also said that Linking an Instagram or Facebook account is only required if a user wants to match that handle’s username on WhatsApp, and the accounts can be unlinked afterward.


What legal advocates say


The Internet Freedom Foundation, a digital rights advocacy group, has pointed out that no clear legal provision forms the basis of Meity’s notice to Meta, in a post on X. It stated that Section 79 of the IT Act is a safe harbour provision governing when a platform can be held liable for user content, which it says does not necessarily extend to approving product features before release. It also referred to Sections 66C and 66D, which punish identity theft and cheating by personation, stating that these provisions are aimed at individuals who misuse a tool rather than at the company that builds it.


On the IT Rules, IFF stated that Rule 3(1)(b), Rule 3(2) and Rule 4 set out due diligence and grievance obligations, which it said do not necessarily translate into a licensing mechanism for approving features. It also referred to Section 69A, the provision that allows Meity to block specific online content through a defined procedure, stating that this does not necessarily cover vetting features before launch.

 


The group also referred to a March 2024 instance, when Meity asked large intermediaries including AI companies to seek permission before deploying under-tested AI models, a requirement it withdrew within a fortnight after it was flagged as lacking a clear empowering provision.


Will this affect businesses

Business Standard previously reported that executives across the direct to consumer and logistics ecosystem see limited impact on how they engage with customers, largely because phone numbers remain central to commerce and delivery. Here is what the executives from the direct-to-consumer (D2C) and logistics ecosystem told Business Standard.



Source link

YouTube
Instagram
WhatsApp