Daybreak - What's in a (user)name? WhatsApp wants businesses to have one. It hasn't said who's protected from fakes
Episode Date: July 8, 2026WhatsApp just announced usernames for Indian users. Two days later, the Indian government told it to stop.The privacy case for usernames is real — phone numbers are permanent, linked to eve...rything, and once shared, impossible to take back. But India already has 43,000 WhatsApp-related cybercrimes in a single quarter. And when TechCrunch tested the feature, handles like "rbi_verify," "indiamodi," and "ambanijio" were still available for anyone who gets there first.WhatsApp has until tomorrow to explain itself to MeitY. And even if the deadline keeps getting extended, the problem isn't going away.Daybreak is produced from the newsroom of The Ken, India’s first subscriber-only business news platform. Subscribe for more exclusive, deeply-reported, and analytical business stories.
Transcript
Discussion (0)
Last last week, WhatsApp decided to go through a major identity change.
You've probably heard about it already.
The platform was rolling out reservations for WhatsApp usernames in India,
with the full feature launching in late 2026.
After years of having accounts identified by numbers,
the platform was finally letting users go by handles of their choice instead,
the same way you do on Instagram or X.
The feature was first announced by Kunal Shah, the former CEO of Kred, who rather dramatically
left his position at Kred to become the global head of WhatsApp.
After his move, one of the first things he did was tweet out a username reservation
rollout.
Then, just a couple days later, METI or the Ministry of Electronics and Information Technology
of India, issued a notice, asking WhatsApp to pause the rollout because it warned that this
username feature could facilitate the impersonation of individuals, public authorities,
financial institutions and government agencies. It also gave WhatsApp till July 6th to explain both
the feature and what the internal safeguards would look like to lessen the risk of scams and
impersonations. And if WhatsApp did not comply, it would see regulatory action under India's
ID laws. July 6 was this Monday. And as of today,
on July 8th, since WhatsApp and Mity have been having preliminary conversations,
METI has extended the deadline to July 9th, which is tomorrow.
Now, WhatsApp's pitch with the username is privacy.
Right now, once your number is shared with a person or once it becomes part of a large group,
it's exposed forever.
Plus, right now, phone numbers are linked to all sorts of accounts and login IDs for us.
One leak can compromise a lot.
So, usernames fix that by ensuring that only the people who know your handle can reach out to you.
On the other hand, Méti also has a valid case.
In the way that usernames are being rolled out right now, anyone can book any sort of a username,
and there is a genuine risk of impersonation and fishing.
And these worries are well-founded.
India as a whole is already vulnerable to such scams.
Meta's own adversarial threat report in March found that online scam syndicates targeted users in India more frequently than any country other than the US.
Even the Indian government reports that cybercrime incidents have more than doubled in 2024 to more than 2 million cases from what used to be 1 million cases in 2022.
The thing is ho for WhatsApp, this whole move is not just about user privacy.
It's also about giving businesses a memorable permanent identity on the platform that can replace yet another string of numbers.
So far, though, Meta has only committed to reserving the names of the most popular celebrities and institutions.
But the nature of scams in India has evolved into something a little bit more personal than that.
What Meta hasn't accounted for are the names of specific branches of banks or a local bakery,
or even a coaching center.
So in trying to solve for both user privacy and business identity,
did WhatsApp create a new problem for the very people and businesses it's trying to fix for?
Welcome to Daybreak, a business podcast from the Ken.
I'm your host, Rachel Virgis, and every day of the week,
my co-host, Natasha Ram and I will bring you one new story that is worth understanding and worth your time.
Today is Wednesday, the 8th of July.
Ever since the Méti notice has been issued,
WhatsApp's assurances to the government already cover a lot of ground.
Here's what the companies say.
Firstly, it claims that to protect users,
it's not going to build a directory of usernames into the platform,
unlike, say, a telegram.
This is basically so that usernames are not discoverable to random people on the internet
who might want to try finding usernames by guessing or just happen to by chance.
Next, WhatsApp is also introducing a username pin
as an extra layer of security.
How this works is that even if someone does find your username or has it,
they would also have to input a specific PIN number to actually be able to get in touch with you.
To be clear, though, all of this is on an opt-in basis.
Usernames are not going to be default, at least not yet.
And even if you do choose to go with a username instead of a number on the app,
the pin is also a choice on top of that.
A lot of this is obviously a way for WhatsApp to catch up to its competitors like Telegram and Signal.
Popularity of these apps with their users prove that people do want and like the username feature
and the control it gives them over their own privacy.
In a tech crunch report, Rachel Tobach, the chief executive of Social Proof Security
called username's a net privacy gain.
because usernames reduce the need to share phone numbers,
because phone numbers can expose users to swim-swap attacks,
fishing and account takeovers.
But net privacy gain aside,
this move is also a way for WhatsApp
to deepen its relationship with the businesses
that are already on its platform.
And that decision is not surprising at all,
because WhatsApp has more than half a billion users in India,
and Meta itself has described India as its largest market for WhatsApp for business.
Aksham Atul, a tech founder and CEO, told Storyboard 18 in a report that WhatsApp
usernames lets businesses give customers something more permanent and memorable to recognize and trust.
One of the first signs that this is a major move to engage businesses is the fact that WhatsApp
has already decided to reserve the highest profile names,
so that they can only be claimed by the legitimate owners.
The company is also withholding lookalike derivatives of known names
to protect public profiles from impersonation.
We'll get into what lookalike derivatives are in a bit.
The company has even reserved the option for brands
to maintain their names across other meta platforms like Insta and Facebook.
Obviously, this deepens the dependency brands will have on the meta ecosystem.
Now, if you put all of that together with the fact that there is no directory, no search engine or algorithm that's actually surfacing any names, then you can kind of see where this is headed.
Sindhu Biswal, the CEO of a growth marketing company, put it quite simply in the Storyboard report.
The lack of discoverability right now is the exact kind of gap that Meta can later fill by offering a boosted handle or promoted business product.
And that starts to make even more sense when you learn that WhatsApp is also building a backend focused around a BSUID or business scoped user ID for businesses to be able to continue connecting with users who have switched on usernames.
Meta, in their own blog, mentioned that they had been rolling out the BSUID feature since April this year.
WhatsApp has even urged businesses to prepare their systems for the BSUID.
integration so that they can ensure uninterrupted customer communication as the feature begins to roll out.
Basically, WhatsApp has been busy building out and updating its entire infrastructure for its business users.
Gopa Manin, the CEO of an AI marketing agency called The Blur, put it pretty succinctly in the Storyboard report.
Meta never builds identity infrastructure out of pure goodwill.
Usernames are the bait.
Sponsored visibility is the toll booth that comes later.
Once enough businesses and users are on board.
But while WhatsApp is setting this up with both regular users and businesses in mind,
there are arguments that basically say that it's not really solving for either party very well.
Stay tuned.
Consults about user safety is exactly what prompted the government response to the feature announcement.
To put that in context, here are some worrying numbers.
Rest of World reported last month that more than 43,000 cybercrimes reported between January and March 24 alone
involved the misuse of WhatsApp, which also happened to be the top platform for scammers.
Another 22,000-plus crimes involved Telegram and nearly 20,000 more involved Instagram.
Now, the Mady notice went out on July 1st to WhatsApp.
And as TechCrunch reports, it said that the new feature materially increased the incidence of online fraud, fishing, digital arrest scams and impersonation attacks by enabling bad actors to contact users without exposing their phone numbers.
The fears are not entirely unfounded.
Like I mentioned earlier, India has 500 million WhatsApp users and a shockingly concerning number of digital scams that take place on the platform.
And turns out, in a report from last week, TechCrunch in its early testing found that
there are some holes in Mada's promises.
It found that there were some usernames resembling prominent politicians, celebrities,
business figures and public institutions, including names like India Modi, Sharuk actor,
Team Amitab, Ambani Gio and RBI underscore Verify were still available to reserve.
If you didn't know, these names referred to Indian Prime Minister Narendra Modi,
Bollywood actors, Sharukh Khan and Amidab Batchin, billionaire Mukesh Ambani and his telecom company,
Gio and the Reserve Bank of India.
In another case, Chang Peng Zhao, the founder of Binance, said on X that he could not reserve
Z-Undesk underscore Binance, which is the handle that he already uses on that platform.
Bipin-Preet Singh, the chief executive at Moby Quick,
posted that when he checked,
several variations of his own name had already been taken.
He wrote, and I quote,
Wonder what they could be used for.
Now, like I mentioned earlier,
Meda did claim to reserve usernames for public figures,
government entities,
and some variations of those names
so that only the legitimate owner could claim them.
But what the company did fail to mention
was how exactly,
it decides which lookalike
usernames get proactively reserved
and which don't.
And that's something to take note of
because it's not like all scams
are made in the name of a Shah Ruk Khan
or RBI.
Increasingly, scams are getting more
personal. Many report scams
that happen in the name of smaller
more local service providers.
These names are
unlikely to be reserved by META.
And if bad actors end up
reserving the names before the businesses
themselves or if they reserve lookalike names, then that could obviously mean trouble.
Lookalike names, by the way, are the names that have slight differences, but look the same
at a glance. Take this example that Policy Circle gave, for instance. Say, if someone were to reserve
State Bank of India with the capital I of India swapped out for a small L, it would look similar
enough to fool someone who's not paying the closest retention. Or someone could do that. Or someone could
Reserve State Bank of India underscore Mumbai or dot Bangalore.
And unless you know for sure that those handles are fake, they could look credible enough to trust.
So if WhatsApp doesn't come up with a fix for this, it risks allowing scammers to erode
the trust for certain brand names and also opening up its regular users to these same scams.
Amid Jaju, a partner and India head at a New York-based consulting group, told E.T. in a report,
that the danger is especially acute on an encrypted platform
because users inherently trust the identity behind the handle.
Even the Policy Circle report agrees with this.
A message from a handle that resembles an employer, a bank or a government office
can look more personal and more urgent.
And that is enough for many scams to take place.
The other concern that METI has specified is traceability.
Right now, an account based on a number is,
tied to a SIM card, which should be tied to a KYC.
So, when it comes to cybercrimes, that means law enforcement can at least try to trace numbers
to specific culprits.
Initially, the whole privacy angle made it look like the username feature could obscure
that kind of traceability.
But that's where some of the safeguards that WhatsApp has created comes in.
And while they are useful, policy circle writes that they shift too much of the burden to
the recipient.
Now, here's what they are.
WhatsApp plans to show some very specific signals when a first message arrives,
including whether the sender is a new user, whether you share common groups,
whether the sender is already in your contact list,
and whether the message appears to come from another country.
Now, while such labels can help users who already move carefully,
they may not be of much help to more vulnerable people online.
Like the elderly, for instance, or new internet users,
or people who are already under pressure from fraudsters posing as police, a bank or an employer.
Which is why this consultation with the Indian government needs to end in something more concrete than just
usernames and back-in verification with numbers.
Meta needs to be able to tell how fast impersonation complaints will be handled, how repeat offenders
will be blocked, and what account records will remain available under requests made under the law.
For example, it should actively make high-risk messages harder to miss, not just label them and wait for users to interpret those labels.
Now, there is no denying that the concerns are very real and very well-founded.
But none of this makes user privacy any less important.
So, if user names are to be the new norm for one of the world's largest messaging apps,
there's a lot both the government and big tech need to figure out together.
Daybreak is produced from the newsroom of the Ken India's first subscriber-focused business news platform.
What you're listening to is just a small sample of our subscriber-only offerings.
A full subscription offers daily long-form feature stories, newsletters and a whole bunch of premium podcasts.
To subscribe, head to the Ken.com and click on the red subscribe button on the top of the Ken website.
Today's episode was hosted and produced by my colleague Rachel Vargis and edited by Rajiv Sien.
Thank you.
