WhatsApp’s move to introduce optional usernames instead of phone numbers has ignited a wider debate in India over digital identity, privacy and fraud
Experts say usernames can reduce exposure of mobile numbers and support ‘privacy by design’
Government fears they may fuel impersonation, phishing and digital arrest scams
Meta-owned WhatsApp's decision to introduce usernames in place of phone numbers for first-time interactions has triggered a wider debate over the future of digital identity, privacy and online safety.
While the company said the optional feature is designed to let people communicate without exposing their mobile numbers, the Indian government has asked WhatsApp to pause the rollout, arguing that it could materially increase fraud, phishing, impersonation and digital arrest scams.
The debate has now extended beyond WhatsApp as the Ministry of Electronics and Information Technology (MeitY) has also sent notices to Telegram and Signal, both of which already offer username-based communication, seeking explanations on how they mitigate risks related to impersonation and fraud.
The move has widened the discussion from one platform's product update to a broader examination of whether usernames strike the right balance between privacy and accountability.
WhatsApp has defended the feature, stating that usernames are optional, cannot be searched publicly, require users to know the exact handle, and can be protected further through an optional "username key". The company has also said it has reserved usernames of public figures, government entities and verified Meta accounts, while introducing safeguards such as warnings for first-time contacts, limits on outreach by new accounts, and systems to detect impersonation and abuse.
Experts, however, believe the success of such features will ultimately depend less on the technology itself and more on implementation, regulation and user awareness.
Why Platforms Are Moving Towards Usernames
One of the strongest arguments in favour of usernames is "privacy". Mobile numbers have increasingly become universal digital identifiers, often linked to banking, payments, government services and social media accounts.
Limiting their exposure can significantly reduce unwanted contact and large-scale number harvesting.
Usernames are a response to growing consumer demand for greater control over personal information online, according to Rajesh Chhabra, General Manager for APAC and Large Markets at cybersecurity and data protection company Acronis.
"In recent years, users have moved toward wanting more privacy and more control over their actions online," Chhabra said.
"With usernames, users have the ability to communicate without the need to expose any private or sensitive contact information and thus helps prevent large-scale data collection and unwanted data scraping," he added.
The move addresses one of the most common entry points used by cybercriminals.
Criminals have long relied on harvested phone numbers to identify and target victims, said Aaron Bugal, Field CISO at Sophos.
The companies are moving towards the username feature to "close off one of the most exploited entry points for scammers: the leaked mobile number," Bugal said.
By letting users hide their number behind a username, platforms remove this low-effort route of attack, giving improved privacy for the hundreds of millions of people who use the platforms, he added.
Privacy Benefits for Ordinary Users
Legal experts argue that username-based communication reflects the broader principle of "privacy by design" describing the move as a welcome development.
The benefits extend beyond individual privacy. Users no longer have to share their primary number while interacting in groups, online marketplaces or with new acquaintances, reducing opportunities for spam, social engineering and unsolicited contact.
"From a privacy perspective, this is a welcome development. It allows individuals to communicate without disclosing their phone number, which is itself personal data, and to that extent it reduces unwarranted exposure," said Supratim Chakraborty, Partner at Khaitan & Co.
However, experts caution that usernames merely shift the nature of cyber risks rather than eliminating them. According to them, cybercriminals are unlikely to be deterred.
"The fast-paced, ever-adapting cybercriminals are not affected. They will simply move on to usernames that are similar to telephone numbers, impersonate fake accounts, and launch sophisticated phishing campaigns," Chhabra said.
Similarly, the technical security of the feature is not the issue. Bugal argued that the real vulnerability isn't a new capability for fraudsters, "It's a psychological one."
An official-looking username may appear more trustworthy than an unfamiliar phone number, making traditional scam tactics more convincing, he said.
Manish Sehgal, Partner at Deloitte India expressed similar concerns and said that users could mistake lookalike usernames for genuine accounts.
"The concern is that though privacy may be retained by people not sharing the mobile number, identity misuse or digital identity theft is likely to be caused because people may not recognise a small change in the username," Sehgal said.
This may lead to an "identity misuse or a digital identity theft", he added.
The Rise Of Digital Arrest Scams In India
India has been witnessing a rise of digital frauds including the "digital arrest scams" where fraudsters impersonate police officers, investigators or government agencies to coerce victims into transferring money.
Whether usernames could reduce or aggravate these crimes, is something that will be revealed with time. Experts remain divided arguing that the feature could lead to new fraud incidents, while some say that the username would still be linked to the phone number.
"The feature could create fresh opportunities if identity verification is not sufficiently robust," said Tarun Wig, Co-founder and CEO of Innefu Labs.
"We already know how digital arrest scams work. Someone calls pretending to be CBI or a police officer, keeps the victim on a video call for hours, sometimes days, and drains their savings. Now imagine that same scammer operating through a username instead of a number that could eventually be traced. That's the real fear here, and it's a fair one," Wig said.
He, however, added that if usernames are backed by proper verification and reserved institutional handles, they could also reduce the number harvesting that fuels many scams today.
In India, the issue of fraud could also be related to the user behavior, rather than solely on the technology. Even if platforms reserve the names of celebrities and government entities, usernames could make impersonation easier for fraudsters pretending to represent banks, schools or local institutions that the users trust upon.
Mayank Morya, Co-founder and CTO, Mitigata believes that "India doesn't verify - India trusts. We trust a name, a display photo with a flag or a God's photo, and even a forwarded message from the family group."
The usernames could remove the numbers that currently the victims can at least try to trace back and report. "A username kills all of that. There's no number to google, no callback, nothing for the victim or their family to verify," he said.
Experts say that generic usernames such as @cbi_investigation_ce1l, @cyber_ce11_helpdesk, @sbi_bank__ may not be recognised by users in Tier 2 or 3 cities who are prone to such frauds.
The Accountability Challenge For Regulators
The debate has also raised complex legal and regulatory questions around platform responsibility. Introducing usernames does not reduce platform accountability.
The regulators would instead now increasingly expect companies to implement adequate preventive measures.
"The introduction of usernames does not, in any manner, dilute the platform's accountability, and arguably heightens it," Chakraborty said.
According to him, the investigations of such matters would depend on whether platforms had implemented effective grievance mechanisms, and appropriate audit trails while still respecting user privacy.
"The central challenge is calibrating/reconciling privacy vis-à-vis platform safety. The regulatory expectation, in India and globally, is increasingly one of 'privacy by design' coupled with 'safety by design.'"
That means identity verification where appropriate, transparent reporting mechanisms, swift action on complaints and lawful handling of personal data. From an implementation perspective, Chakraborty believes platforms must rely on multiple layers of protection instead of a single safeguard.
User Awareness Remains The Missing Piece
While much attention has focused on platform safeguards and regulation, several experts believe the weakest link continues to be user awareness.
Sehgal argued that frauds existed long before usernames. "The core issue still remains what we have been propagating for the past so many years — a general awareness among the masses about the usage of cyber technologies."
Users should make greater use of existing privacy settings and understand the consequences of making their digital identities publicly visible, he said.
"The platform still has options for you to keep yourself secure... But are people aware how to use them?" he questioned.
Chhabra similarly advised users not to trust usernames blindly, verify identities through alternative channels, enable two-step verification, keep applications updated and avoid sharing sensitive information with unknown contacts.
Lessons From Telegram, Signal And X
As the debate expands beyond WhatsApp, experts believe other platforms offer useful lessons.
According to Wig, Telegram illustrates the risks of combining anonymity with weak verification. "Telegram built anonymity into its core, and that same design ended up making it a magnet for scams and misinformation in India."
He described Signal's implementation as a more balanced model because usernames are combined with stronger verification and the absence of a public directory.
"The lesson for WhatsApp is that privacy features cannot be bolted on without equally robust trust and safety infrastructure," he said.
Wig also pointed to X (formerly Twitter) as an example of how identity verification must be backed by effective abuse controls. However, Morya highlighted that X taught us what happens when identity is for sale.
"The day the blue tick became ₹650 a month, fake 'official' accounts exploded overnight. Any trust signal that can be bought or freely claimed will be misused within a week," he remarked.



























