Is WhatsApp’s new username feature about privacy or monetisation? | AI With Sanket

Cybersecurity experts and digital rights advocates warn the platform's incoming alphanumeric handle feature could trigger an explosion in impersonation scams


Will WhatsApp's new username feature, which allows people to use the app without their phone numbers, help protect their privacy or make it a handy tool for digital identity theft? That was the topic of discussion in this episode of AI With Sanket.

The Federal spoke to Jitendra Jain, a prominent cybersecurity expert, Apar Gupta, lawyer and founder director of the Internet Freedom Foundation, and Kanishk Gaur, CEO of Athenian Tech, to unpack how decoupling user profiles from phone numbers impacts public safety.

While the tool is promoted as a privacy shield, the experts suggested that it could open a dangerous new frontier for digital fraudsters looking to exploit common users. "Privacy has always been a double-edged sword," warned Jain.

Decoupling phone numbers

The feature introduces a significant shift in how users interact on the messaging application by allowing alphanumeric handles. Gupta explained that the system allows people to communicate without revealing their mobile phone numbers. This functions as a basic shield for identity protection, but the security benefits remain limited.

Gupta noted that the system fails to prevent user profiling by Meta group companies and instead prompts users to link their Instagram handles. This data bundling connects independent social profiles into a centralized corporate database.

The dominant position of the messaging app in everyday communication makes it nearly impossible for citizens to opt out. Gupta pointed out that families, businesses, and essential service providers rely heavily on the system for one-time passwords (OTPs) and transactional alerts.

Because the application serves as a default utility on modern smartphones, its architectural modifications require strict regulatory oversight. The evolution from a simple messaging tool into an interconnected commercial repository reflects a broader shift towards data financialization.

The transition compromises the historic privacy pledges made during the platform's initial market acquisition. When Meta acquired the application, early policies promised that user data would remain strictly confidential and entirely free. However, subsequent policy updates enabled the corporate sharing of metadata, including sign-up names, telephone numbers, and group structures.

This metadata, combined with outbound links and server backups, provides vast training data for commercial profiling. The integration of alphanumeric handles accelerates this monetization strategy across the corporate digital ecosystem.

Rising impersonation risks

The primary threat vector of unverified alphanumeric handles centres on widespread name squatting and corporate impersonation. Jain pointed out that while security-focused applications like Telegram and Signal use handles, they lack the massive public scale of Meta's messaging tool. Fraudsters can easily reserve look-alike handles representing public officials, celebrities, or corporate brands to execute financial scams. This structural vulnerability amplifies the threat surface for vulnerable demographics, such as the elderly, who are frequently targeted by coordinated digital arrest operations.

The issue of fake ads and unverified promotions highlights Meta's historical inability to contain identity fraud. Fraudsters consistently use minor typographical variations, such as underscores or alternate letters, to mimic prominent personalities like entrepreneur Ankur Warikoo and mislead the public.
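
The look-alike pattern described above (underscores, alternate letters) can be screened for when a handle is registered. The following is an added example, not part of the original article and not WhatsApp's or Meta's code; the protected list, the swap map, the function names and the distance threshold are all assumptions, and the handles are constructed samples.

```python
import unicodedata

# Constructed sample: handles a platform might reserve for known public figures.
PROTECTED = ["ankurwarikoo", "examplebank"]

# Small constructed map of digit/symbol-for-letter swaps ("alternate letters").
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def skeleton(handle):
    """Fold case and Unicode compatibility forms, drop separators, undo swaps."""
    text = unicodedata.normalize("NFKC", handle).casefold()
    kept = "".join(ch for ch in text if ch.isalnum() or ch in "@$")
    return kept.translate(SWAPS)


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_handle(candidate, protected=PROTECTED, max_distance=1):
    """Return (protected_handle, reason) for a look-alike, or None."""
    cand = skeleton(candidate)
    for name in protected:
        if candidate == name:
            continue  # the reserved handle itself is not a look-alike
        target = skeleton(name)
        if cand == target:
            return (name, "same skeleton")
        if edit_distance(cand, target) <= max_distance:
            return (name, "near match")
    return None


if __name__ == "__main__":
    for h in ["ankur_warikoo", "ankurwarik00", "ankurwarikooo", "sanket_news"]:
        print(h, "->", check_handle(h))
```

The distance check also catches a single cross-script homoglyph (for example a Cyrillic "а" in place of Latin "a"), which NFKC normalization alone does not fold.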

Jain emphasized that the platform has a commercial incentive to let these identity problems proliferate before charging users for safety solutions. This business model positions premium safety tools, like verification badges and advanced spam filters, as paid subscription services rather than default protections.

The current regulatory framework in India remains poorly equipped to handle the rapid expansion of cross-platform big tech infrastructure. Firefighting temporary crises with piecemeal blocking orders under old laws fails to change unsafe digital architectures. India currently lacks comprehensive legislative modernizations comparable to the Digital Markets Act or the Digital Services Act seen globally. Without independent regulatory bodies with enforcement capabilities, technology companies can deploy high-risk software modifications long before data protection laws take full effect.

Seeking permanent fixes

Addressing structural identity fraud requires moving away from reactive internet censorship towards proactive technical verification. Gaur stated that true protection against impersonation requires robust biometric validation. Advanced digital platforms operating internationally require users to verify identities using passports matched directly to live facial biometrics. Simple alphanumeric handle reservations without rigorous cryptographic authentication function merely as stop-gap arrangements that fail to secure public trust, as evidenced by high-profile scams involving figures like former MP Naresh Gujral.

The unique nature of the application means that incoming spam messages exploit personal trust far more effectively than traditional SMS. Because users treat their messaging inbox as an intimate communication space, they open malicious messages at significantly higher rates. To counter this, Jain proposed a geographic transparency feature that reveals the origin country of the phone number linked to a handle. This technical intervention would instantly inform recipients whether an alleged corporate support account is originating from a legitimate location or an international scam hub.

Developing long-term regulatory solutions requires an open dialogue between digital rights organizations, technical experts, and administrative bodies. The current polarized environment prevents collaborative policy design, leaving digital infrastructure vulnerable to exploitation. Effective national cybersecurity requires treating privacy and public safety as complementary goals secured by strong regulatory standards. Until permanent structural fixes replace temporary administrative interventions, citizens will face escalating threats from unverified digital identity systems.

(The content above has been transcribed from video using a fine-tuned AI model. To ensure accuracy, quality, and editorial integrity, we employ a Human-In-The-Loop (HITL) process. While AI assists in creating the initial draft, our experienced editorial team carefully reviews, edits, and refines the content before publication. At The Federal, we combine the efficiency of AI with the expertise of human editors to deliver reliable and insightful journalism.)
