The Indian government has asked WhatsApp to pause the rollout of its new username feature, warning that it could make it harder to trace users and potentially enable scams, impersonation and fraud.

At the centre of the concern is a shift away from phone numbers. WhatsApp is preparing to introduce optional usernames, allowing people to connect without sharing their mobile numbers—a fundamental change to how identity has worked on the platform so far.

The company has said that it will introduce safeguards such as limits on how many new users an account can contact, reserving high profile usernames, systems to detect abuse, and additional checks to prevent impersonation.

But it is still unclear whether these safeguards can meaningfully address the risks flagged by regulators. “There is very little public, empirical evidence on how effective these safeguards are at preventing fraud or abuse at scale. Technical fixes on their own are unlikely to be enough. Fraud ecosystems evolve quickly, often outpacing platform controls,” researcher Divij Joshi told Decode.

He added that the move is broadly positive for user agency, privacy and security, as it gives people greater control over how they share their contact identifiers.

The Meta-owned platform has also said there will be no public directory or auto-suggestions, meaning users will need to know an exact handle to start a conversation. The feature, announced last week, is expected to roll out more widely by 2026, with users able to reserve usernames in advance.

The scrutiny, however, goes beyond just design choices. Carissa Véliz, Associate Professor at the University of Oxford and author of Privacy is Power, argues that WhatsApp’s parent company Meta operates within a surveillance-driven business model.

“As long as Meta profits from surveillance, it will have a conflict of interest in protecting people’s privacy,” she said, pointing out that while usernames may appear privacy-friendly, their integration with Meta’s broader ecosystem could complicate those claims.

After WhatsApp, the IT ministry sent similar notices to Telegram, Signal and Arattai—platforms where such username-based systems are already in place.

Against this backdrop, Decode spoke to Divij Joshi to understand how usernames may change identity on WhatsApp, what risks they could introduce, and how privacy, traceability, and platform design should be balanced.

Joshi is a Research Fellow in Digital Societies at ODI Global and a doctoral researcher at the Faculty of Laws, University College London, with over a decade of experience studying the governance of emerging technologies. Here are the edited excerpts from the interview.

The move is being framed as a privacy upgrade but also flagged as a potential enabler of impersonation scams. Do you see this as a genuine shift in how identity works on WhatsApp, or more of a surface-level change?

This is a genuine shift in how identity works on WhatsApp. Phone numbers have, so far, acted as a strong and unique identifier—one that can be easily cross-linked across databases, enabling profiling and exposing users to a wide range of unsolicited communication, both on and off the platform.

Usernames change that dynamic. They introduce a layer of separation between a user’s real-world identifier and their presence on the platform, potentially allowing for greater anonymity in certain contexts.

That said, it is important to note that WhatsApp accounts are still expected to be linked to phone numbers at the backend. So, in situations where there are lawful grounds like requests from authorities, those numbers may still be accessible.

In effect, usernames give users more control over how they present themselves within WhatsApp, without forcing that identifier to travel across different platforms or services. It is less about complete anonymity, and more about contextual identity—choosing what you reveal, and where.

WhatsApp says it has safeguards like reserving high-profile usernames, limiting outreach, and detecting abuse patterns. In practice, how effective are these kinds of controls on large platforms?

There is still very little public, empirical evidence on how effective these safeguards are at actually preventing fraud or abuse at scale. Platforms often point to such measures, but without transparency, it is hard to independently assess their real-world impact.

As a result, WhatsApp needs to be clearer about why it believes these safeguards are sufficient to mitigate risks like impersonation or scams.

More importantly, technical fixes on their own are unlikely to be enough. Fraud ecosystems evolve quickly, often outpacing platform controls. Addressing them requires a broader response—stronger user awareness and digital literacy to recognise scams, along with better institutional capacity to investigate and respond to cybercrime.

Signal also uses usernames and positions it as a privacy feature. What are the key design differences between Signal’s implementation and what WhatsApp is proposing?

At a broad level, both Signal and WhatsApp are framing usernames as a privacy-enhancing feature. Based on what is publicly known so far, there do not appear to be major conceptual differences in how the feature is being positioned—though WhatsApp has not released detailed technical documentation yet.

One additional layer in WhatsApp’s approach appears to be the introduction of a “username key”. If enabled, this would require someone trying to contact you to enter not just your username, but also a four-digit code. This adds an extra barrier against unsolicited messages and could help reduce spam or random outreach.

That said, a more meaningful comparison would require deeper insight into how both platforms handle metadata, discovery, and backend identity linkage.

Should governments have a say in product features like this before rollout? Or does that set a dangerous precedent for controlling platform design?

Governments should not have an arbitrary or open-ended say in how technology systems are designed. Any intervention—especially in communication platforms—needs to be grounded in law, operate within clearly defined limits, and respect fundamental rights.

Globally, there is growing emphasis on principles like Privacy-by-Design, which encourage platforms to build safeguards into their systems from the outset. While India’s current data protection framework does not explicitly mandate this in the same way, the principle itself is widely accepted.

So, rather than ad hoc interventions, the focus should be on creating predictable regulatory frameworks. Within that, companies can innovate, while still being held accountable to clear legal standards.

About the author
Hera Rizwan
Hera Rizwan

Hera Rizwan is a correspondent with Decode. She covers AI, technology, and accountability, with a focus on how digital systems shape welfare, governance, and public life in India. Her work examines the real-world impact of emerging technologies, from biometric systems and surveillance tools to platform-driven scams and digital policy. She has reported extensively on cybercrime, AI in welfare delivery, and the intersection of tech and democracy. She is a Pulitzer Grantee and won Ramnath Goenka Award for Investigative Reporting in 2022.