Daybreak - What's in a (user)name? WhatsApp wants businesses to have one. It hasn't said who's protected from fakes

Episode Date: July 8, 2026

WhatsApp just announced usernames for Indian users. Two days later, the Indian government told it to stop.The privacy case for usernames is real — phone numbers are permanent, linked to eve...rything, and once shared, impossible to take back. But India already has 43,000 WhatsApp-related cybercrimes in a single quarter. And when TechCrunch tested the feature, handles like "rbi_verify," "indiamodi," and "ambanijio" were still available for anyone who gets there first.WhatsApp has until tomorrow to explain itself to MeitY. And even if the deadline keeps getting extended, the problem isn't going away.Daybreak is produced from the newsroom of The Ken, India’s first subscriber-only business news platform. Subscribe for more exclusive, deeply-reported, and analytical business stories.

Transcript
Discussion (0)
Starting point is 00:00:01 Last last week, WhatsApp decided to go through a major identity change. You've probably heard about it already. The platform was rolling out reservations for WhatsApp usernames in India, with the full feature launching in late 2026. After years of having accounts identified by numbers, the platform was finally letting users go by handles of their choice instead, the same way you do on Instagram or X. The feature was first announced by Kunal Shah, the former CEO of Kred, who rather dramatically
Starting point is 00:00:35 left his position at Kred to become the global head of WhatsApp. After his move, one of the first things he did was tweet out a username reservation rollout. Then, just a couple days later, METI or the Ministry of Electronics and Information Technology of India, issued a notice, asking WhatsApp to pause the rollout because it warned that this username feature could facilitate the impersonation of individuals, public authorities, financial institutions and government agencies. It also gave WhatsApp till July 6th to explain both the feature and what the internal safeguards would look like to lessen the risk of scams and
Starting point is 00:01:18 impersonations. And if WhatsApp did not comply, it would see regulatory action under India's ID laws. July 6 was this Monday. And as of today, on July 8th, since WhatsApp and Mity have been having preliminary conversations, METI has extended the deadline to July 9th, which is tomorrow. Now, WhatsApp's pitch with the username is privacy. Right now, once your number is shared with a person or once it becomes part of a large group, it's exposed forever. Plus, right now, phone numbers are linked to all sorts of accounts and login IDs for us.
Starting point is 00:01:55 One leak can compromise a lot. So, usernames fix that by ensuring that only the people who know your handle can reach out to you. On the other hand, Méti also has a valid case. In the way that usernames are being rolled out right now, anyone can book any sort of a username, and there is a genuine risk of impersonation and fishing. And these worries are well-founded. India as a whole is already vulnerable to such scams. Meta's own adversarial threat report in March found that online scam syndicates targeted users in India more frequently than any country other than the US.
Starting point is 00:02:38 Even the Indian government reports that cybercrime incidents have more than doubled in 2024 to more than 2 million cases from what used to be 1 million cases in 2022. The thing is ho for WhatsApp, this whole move is not just about user privacy. It's also about giving businesses a memorable permanent identity on the platform that can replace yet another string of numbers. So far, though, Meta has only committed to reserving the names of the most popular celebrities and institutions. But the nature of scams in India has evolved into something a little bit more personal than that. What Meta hasn't accounted for are the names of specific branches of banks or a local bakery, or even a coaching center. So in trying to solve for both user privacy and business identity,
Starting point is 00:03:32 did WhatsApp create a new problem for the very people and businesses it's trying to fix for? Welcome to Daybreak, a business podcast from the Ken. I'm your host, Rachel Virgis, and every day of the week, my co-host, Natasha Ram and I will bring you one new story that is worth understanding and worth your time. Today is Wednesday, the 8th of July. Ever since the Méti notice has been issued, WhatsApp's assurances to the government already cover a lot of ground. Here's what the companies say.
Starting point is 00:04:17 Firstly, it claims that to protect users, it's not going to build a directory of usernames into the platform, unlike, say, a telegram. This is basically so that usernames are not discoverable to random people on the internet who might want to try finding usernames by guessing or just happen to by chance. Next, WhatsApp is also introducing a username pin as an extra layer of security. How this works is that even if someone does find your username or has it,
Starting point is 00:04:49 they would also have to input a specific PIN number to actually be able to get in touch with you. To be clear, though, all of this is on an opt-in basis. Usernames are not going to be default, at least not yet. And even if you do choose to go with a username instead of a number on the app, the pin is also a choice on top of that. A lot of this is obviously a way for WhatsApp to catch up to its competitors like Telegram and Signal. Popularity of these apps with their users prove that people do want and like the username feature and the control it gives them over their own privacy.
Starting point is 00:05:29 In a tech crunch report, Rachel Tobach, the chief executive of Social Proof Security called username's a net privacy gain. because usernames reduce the need to share phone numbers, because phone numbers can expose users to swim-swap attacks, fishing and account takeovers. But net privacy gain aside, this move is also a way for WhatsApp to deepen its relationship with the businesses
Starting point is 00:05:57 that are already on its platform. And that decision is not surprising at all, because WhatsApp has more than half a billion users in India, and Meta itself has described India as its largest market for WhatsApp for business. Aksham Atul, a tech founder and CEO, told Storyboard 18 in a report that WhatsApp usernames lets businesses give customers something more permanent and memorable to recognize and trust. One of the first signs that this is a major move to engage businesses is the fact that WhatsApp has already decided to reserve the highest profile names,
Starting point is 00:06:36 so that they can only be claimed by the legitimate owners. The company is also withholding lookalike derivatives of known names to protect public profiles from impersonation. We'll get into what lookalike derivatives are in a bit. The company has even reserved the option for brands to maintain their names across other meta platforms like Insta and Facebook. Obviously, this deepens the dependency brands will have on the meta ecosystem. Now, if you put all of that together with the fact that there is no directory, no search engine or algorithm that's actually surfacing any names, then you can kind of see where this is headed.
Starting point is 00:07:18 Sindhu Biswal, the CEO of a growth marketing company, put it quite simply in the Storyboard report. The lack of discoverability right now is the exact kind of gap that Meta can later fill by offering a boosted handle or promoted business product. And that starts to make even more sense when you learn that WhatsApp is also building a backend focused around a BSUID or business scoped user ID for businesses to be able to continue connecting with users who have switched on usernames. Meta, in their own blog, mentioned that they had been rolling out the BSUID feature since April this year. WhatsApp has even urged businesses to prepare their systems for the BSUID. integration so that they can ensure uninterrupted customer communication as the feature begins to roll out. Basically, WhatsApp has been busy building out and updating its entire infrastructure for its business users. Gopa Manin, the CEO of an AI marketing agency called The Blur, put it pretty succinctly in the Storyboard report.
Starting point is 00:08:30 Meta never builds identity infrastructure out of pure goodwill. Usernames are the bait. Sponsored visibility is the toll booth that comes later. Once enough businesses and users are on board. But while WhatsApp is setting this up with both regular users and businesses in mind, there are arguments that basically say that it's not really solving for either party very well. Stay tuned. Consults about user safety is exactly what prompted the government response to the feature announcement.
Starting point is 00:09:10 To put that in context, here are some worrying numbers. Rest of World reported last month that more than 43,000 cybercrimes reported between January and March 24 alone involved the misuse of WhatsApp, which also happened to be the top platform for scammers. Another 22,000-plus crimes involved Telegram and nearly 20,000 more involved Instagram. Now, the Mady notice went out on July 1st to WhatsApp. And as TechCrunch reports, it said that the new feature materially increased the incidence of online fraud, fishing, digital arrest scams and impersonation attacks by enabling bad actors to contact users without exposing their phone numbers. The fears are not entirely unfounded. Like I mentioned earlier, India has 500 million WhatsApp users and a shockingly concerning number of digital scams that take place on the platform.
Starting point is 00:10:10 And turns out, in a report from last week, TechCrunch in its early testing found that there are some holes in Mada's promises. It found that there were some usernames resembling prominent politicians, celebrities, business figures and public institutions, including names like India Modi, Sharuk actor, Team Amitab, Ambani Gio and RBI underscore Verify were still available to reserve. If you didn't know, these names referred to Indian Prime Minister Narendra Modi, Bollywood actors, Sharukh Khan and Amidab Batchin, billionaire Mukesh Ambani and his telecom company, Gio and the Reserve Bank of India.
Starting point is 00:10:53 In another case, Chang Peng Zhao, the founder of Binance, said on X that he could not reserve Z-Undesk underscore Binance, which is the handle that he already uses on that platform. Bipin-Preet Singh, the chief executive at Moby Quick, posted that when he checked, several variations of his own name had already been taken. He wrote, and I quote, Wonder what they could be used for. Now, like I mentioned earlier,
Starting point is 00:11:22 Meda did claim to reserve usernames for public figures, government entities, and some variations of those names so that only the legitimate owner could claim them. But what the company did fail to mention was how exactly, it decides which lookalike usernames get proactively reserved
Starting point is 00:11:40 and which don't. And that's something to take note of because it's not like all scams are made in the name of a Shah Ruk Khan or RBI. Increasingly, scams are getting more personal. Many report scams that happen in the name of smaller
Starting point is 00:11:56 more local service providers. These names are unlikely to be reserved by META. And if bad actors end up reserving the names before the businesses themselves or if they reserve lookalike names, then that could obviously mean trouble. Lookalike names, by the way, are the names that have slight differences, but look the same at a glance. Take this example that Policy Circle gave, for instance. Say, if someone were to reserve
Starting point is 00:12:23 State Bank of India with the capital I of India swapped out for a small L, it would look similar enough to fool someone who's not paying the closest retention. Or someone could do that. Or someone could Reserve State Bank of India underscore Mumbai or dot Bangalore. And unless you know for sure that those handles are fake, they could look credible enough to trust. So if WhatsApp doesn't come up with a fix for this, it risks allowing scammers to erode the trust for certain brand names and also opening up its regular users to these same scams. Amid Jaju, a partner and India head at a New York-based consulting group, told E.T. in a report, that the danger is especially acute on an encrypted platform
Starting point is 00:13:09 because users inherently trust the identity behind the handle. Even the Policy Circle report agrees with this. A message from a handle that resembles an employer, a bank or a government office can look more personal and more urgent. And that is enough for many scams to take place. The other concern that METI has specified is traceability. Right now, an account based on a number is, tied to a SIM card, which should be tied to a KYC.
Starting point is 00:13:39 So, when it comes to cybercrimes, that means law enforcement can at least try to trace numbers to specific culprits. Initially, the whole privacy angle made it look like the username feature could obscure that kind of traceability. But that's where some of the safeguards that WhatsApp has created comes in. And while they are useful, policy circle writes that they shift too much of the burden to the recipient. Now, here's what they are.
Starting point is 00:14:05 WhatsApp plans to show some very specific signals when a first message arrives, including whether the sender is a new user, whether you share common groups, whether the sender is already in your contact list, and whether the message appears to come from another country. Now, while such labels can help users who already move carefully, they may not be of much help to more vulnerable people online. Like the elderly, for instance, or new internet users, or people who are already under pressure from fraudsters posing as police, a bank or an employer.
Starting point is 00:14:42 Which is why this consultation with the Indian government needs to end in something more concrete than just usernames and back-in verification with numbers. Meta needs to be able to tell how fast impersonation complaints will be handled, how repeat offenders will be blocked, and what account records will remain available under requests made under the law. For example, it should actively make high-risk messages harder to miss, not just label them and wait for users to interpret those labels. Now, there is no denying that the concerns are very real and very well-founded. But none of this makes user privacy any less important. So, if user names are to be the new norm for one of the world's largest messaging apps,
Starting point is 00:15:29 there's a lot both the government and big tech need to figure out together. Daybreak is produced from the newsroom of the Ken India's first subscriber-focused business news platform. What you're listening to is just a small sample of our subscriber-only offerings. A full subscription offers daily long-form feature stories, newsletters and a whole bunch of premium podcasts. To subscribe, head to the Ken.com and click on the red subscribe button on the top of the Ken website. Today's episode was hosted and produced by my colleague Rachel Vargis and edited by Rajiv Sien. Thank you.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.