Why India Is Forcing Meta to Defend WhatsApp's New Username Feature Against Fraud Risks
India's government has challenged Meta's rollout of WhatsApp usernames, citing concerns that the privacy-focused feature could enable a surge in online fraud, phishing, and impersonation attacks. The Indian government gave Meta a three-day deadline to provide a detailed explanation of how the feature protects users, and directed the company to pause the rollout until those concerns are addressed.
The tension between privacy and security is playing out in real time on one of the world's most widely used messaging platforms. WhatsApp introduced usernames as a "major privacy feature" designed to let people stay connected without sharing their phone numbers. But in a country where cybercrime incidents more than doubled from 1 million cases in 2022 to nearly 2.3 million cases in 2024, regulators are skeptical.
What Security Risks Does the Username Feature Create?
The Indian government's concerns center on how usernames could be weaponized by bad actors. According to the government's statement, the feature "may materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks, by enabling bad actors to solicit and message victims".
The scale of WhatsApp's user base in India amplifies these risks. With more than half a billion WhatsApp users in the country, the platform has become a prime target for scammers. Meta's own Adversarial Threat report from March found that online scam syndicates targeted users in India more frequently than any country other than the United States.
Experts point to specific attack vectors. Scammers could use familiar names and photos to impersonate legitimate contacts, and misinformation could spread faster through the platform when combined with the username feature, according to security researchers.
How Is Meta Defending Against These Threats?
Meta has outlined multiple layers of defense built into the username feature to address regulator and user concerns:
- Phone Number Requirement: Users still need a phone number to use WhatsApp, creating a baseline verification step that cannot be bypassed by usernames alone.
- Contact Limiting: The system limits the number of new people an account can contact, reducing the ability of scammers to blast messages to large numbers of potential victims.
- Username Guessing Prevention: Meta will block repeated attempts to guess usernames, making it harder for attackers to brute-force access to accounts.
- Impersonation Detection: Automated systems will detect and remove activity showing common patterns associated with impersonation or abuse.
- Reserved Names: Meta will reserve the highest-profile names, which can only be claimed by their legitimate owners, and withhold lookalike derivatives of known names to protect against impersonation.
A Meta spokesperson told CNBC that these defenses are designed to work together as a comprehensive security framework. The company also noted that the username feature is not yet live and will be rolled out "slowly later this year," giving the company time to refine protections and address regulatory feedback.
Why Is India Taking Such a Hard Line on Digital Security?
India's aggressive stance on platform security reflects a broader shift in how governments view their role in protecting citizens from digital harm. While user privacy remains important to policymakers, the sharp rise in cyber-enabled financial crime has fundamentally changed the regulatory calculus.
"User privacy does play a role in policymaking, but the sharp rise in cyber-enabled financial crime has undoubtedly shifted the center of gravity towards security," said Reema Bhattacharya, head of Asia research at Verisk Maplecroft.
Reema Bhattacharya, Head of Asia Research at Verisk Maplecroft
This regulatory pressure is not new to India. Just weeks before the WhatsApp username controversy, India temporarily banned Telegram to prevent exam fraud during a crucial national test. The government said the platform hosted channels claiming to have leaked test papers and demanded money from candidates and their families for access. Telegram responded that the ban punished "150 million ordinary users of the app" in India rather than targeting those who actually leaked the exam material.
Telegram
The pattern suggests that India's government increasingly expects digital platforms to share responsibility for reducing harm on their services. However, experts caution that this approach creates a difficult balancing act.
"Governments increasingly expect digital platforms to share responsibility for reducing harm, but it is difficult to draw the line between legitimate regulation and measures that could discourage innovation or weaken user privacy," noted Bhattacharya.
Reema Bhattacharya, Head of Asia Research at Verisk Maplecroft
The WhatsApp username feature represents a test case for how platforms can introduce privacy-enhancing features without creating new vectors for fraud. As Meta navigates India's regulatory demands, the outcome could influence how other governments approach similar features on messaging platforms worldwide. The company's ability to demonstrate robust security controls may determine whether the feature eventually launches in India and how other regulators respond to similar innovations.