WhatsApp usernames are already raising impersonation red flags
WhatsApp this week started rolling out username reservations ahead of the broader launch planned later this year. The feature — which lets people find and message each other by handle instead of phone number — is already raising impersonation concerns, drawing scrutiny from security experts and regulators in India, the app’s largest market, with more than 500 million users.
The rollout marks a shift in how people identify one another on WhatsApp. Instead of relying on phone numbers as the primary identifier, users will increasingly interact through platform-managed usernames, a change that Meta says improves privacy but that critics argue could create new opportunities for impersonation.
In early testing, TechCrunch found usernames resembling prominent politicians, celebrities, business figures, and public institutions — including “indiamodi,” “shahrukh.actor,” “teamamitabh,” “ambanijio,” and “rbi_verify” — were still available to reserve. These reference Indian Prime Minister Narendra Modi, Bollywood actors Shah Rukh Khan and Amitabh Bachchan, billionaire Mukesh Ambani’s telecom company Jio, and the Reserve Bank of India, respectively. Separately, Binance founder Changpeng Zhao said on X that he couldn’t reserve “cz_binance,” the handle he already uses on that platform.
Asked about how it protects against impersonation, Meta told TechCrunch it reserves usernames for public figures, government entities, and “some variations” of those names so only the legitimate owner can claim them. The company did not explain, however, how it decides which lookalike usernames get proactively reserved and which don’t.
The concerns have already reached regulators in India, where cyber fraud schemes frequently exploit messaging platforms to impersonate police, banks, and government officials. In a notice sent to WhatsApp on Wednesday and reviewed by TechCrunch, the Ministry of Electronics and Information Technology (MeitY) said the feature could “materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks” by enabling bad actors to contact users without exposing their phone numbers.
The ministry also warned that usernames could facilitate impersonation of “individuals, public authorities, financial institutions, and government agencies” by allowing usernames closely resembling those of genuine people or organizations. It directed WhatsApp to explain why regulatory action should not be initiated under India’s IT laws and asked the company not to roll out the feature until consultations were completed.
A senior government official separately told TechCrunch that the Indian IT ministry is cognizant of the issue and is engaging with WhatsApp over the feature. That intervention has drawn its own pushback from New Delhi-based digital rights group Internet Freedom Foundation (IFF), which said the notice lacked a clear legal basis and risked giving the executive broad powers to dictate product design.
(It’s a dilemma that operators building in regulated markets know well: Rules made case-by-case, by letter, are harder to plan around than rules made in the open.) “Impersonation and fraud are real risks, but they are met by enforcing the criminal law against those who commit them,” the group said in a statement. “They are not met by MeitY deciding, in private and by letter, what features Indians may use.”
The debate echoes a similar observation the Delhi High Court made in a case involving Telegram, where the court said that using usernames instead of phone numbers could make it easier to conceal user identity and spread illicit content faster. That case wasn’t about WhatsApp, but the parallel has been resurfacing in public discussion as WhatsApp prepares its own launch.
Privacy, trust, and platform power
Rachel Tobac, chief executive of SocialProof Security, called usernames a net privacy gain because they reduce the need to share phone numbers, which can expose users to SIM-swap attacks, phishing, and account takeovers. Still, she said, lookalike usernames create opportunities for impersonation. “Ultimately, usernames are a great idea to avoid leaking your phone number to folks you don’t know, but it’s important to verify identity with the username function too,” Tobac told TechCrunch.
Her advice for most users: Pick a username that isn’t easily guessable, so it’s harder for attackers to find you, message you cold, or harass and spam you. Even WhatsApp acknowledges usernames won’t be one-size-fits-all. In an FAQ posted on X on Wednesday, the company said most users should choose a username unique to WhatsApp.
However, it also lets users claim their existing Instagram or Facebook usernames by linking their accounts, saying the option is intended to help creators, businesses, and organizations maintain a consistent identity across Meta’s platforms while reducing impersonation.
The Mozilla Foundation said the introduction of usernames is likely to bring new tradeoffs. “Increased scams and impersonation from fake handles are potentially a big one,” it told TechCrunch. “Checking a phone number can be a useful verification tool, but these harms are also permitted by the platform’s fundamental design choices.”
Mozilla also flagged a broader interoperability question — one worth logging if you’re building on top of, or competing with, Meta’s ecosystem. While letting users claim their existing Facebook and Instagram usernames may cut down on impersonation, it also shows how easily Meta can stitch identity together across its own apps, even as users still can’t take that identity, or their contacts, to a rival platform.
For now, WhatsApp says it is taking a gradual approach to the rollout. “We’re taking our time and listening to feedback so that when it rolls out later this year we get it right,” the company said in its FAQ.