In Defense of Telegram’s Username Policy

Why securing a user’s consistent identity helps your company

I’m from an earlier era of the internet. In the 2000s, if your desired username was anything other than one of the top few thousand dictionary words, you could acquire it on every service, every time. We got used to this, to the point that it became, at least for me, viscerally unpleasant to be denied your desired username.

It’s as though each service was a country and your username was your real name. You move or travel to a new country and customs waves you in, welcoming you by the same name you had before your emigration. Then, toward the end of the 2000s, something unpleasant started happening. Customs would allow you in, but they’d take your passport and add some numbers to the end of your name. Welcome to Portugal, Michael_2.

It felt like impersonation. I’m Michael in every other country I’ve visited, and I’ve been to most of the big ones. What is going on with your country? Is this some sort of prank or extortion? What looks like first-come, first-serve to you appears as condoning impersonation to me. Clearly, each of us has a preferred username, and we’ve registered it on most of the popular services of the era. This new person who claims to be Michael in your country knows he’s not Michael in any other country in the world, as every place he’s signed up has informed him there’s already a Michael. Why would you allow him to use that name here?

That is the username dilemma in a nutshell. We all use many popular services and while some of us have clearly blocked off an identity on several of them, each new service that pops up creates a freshly frustrating landrush. Many services have engineered their own solutions to this problem.

Namespace Landrush Models

Email only

Some services offer no usernames at all, instead using your email address as your unique identifier and nothing else. For many services, this can work. With any kind of social component, however, it will be doomed. No one wants to type emails to find friends or would even want to give away the equivalent of their home mailing address to anyone they want to follow or interact with.

That your address happens to be unique to you and that sites need a way to uniquely identify users is merely a convenient coincidence, and no grounds for using that address as a unique public identifier. For that reason alone, usernames are often a necessary evil.

Spotify is getting rid of usernames entirely, now assigning long strings of numbers to anyone that signs up and instead relying on Facebook integration and real names to allow friends to recognize each other.

First-come, first-serve

The seminal model strongly rewards early adopters and squatters but is wrought with problems in being unable to reward high value users with high value usernames. Its shortcomings are too well known to warrant hashing out here.

Forced enclaving

GeoCities, Blizzard, and now Discord use a forced enclaving of usernames with numbers. The newest and best solution of these is implemented by Discord as a username plus a random four-digit number. Once all ten thousand combinations are taken, that username is unavailable. Additionally, for a subscription price to the service, the specific number is selectable if no random account had previously landed there. There’s only one 0001 for each username, but many may also be satisfied with a different specific number if it’s repeating or personally meaningful.

Blocking off common names

Google+ set up several requirements for preferred URLs. First, you needed several followers and a month-old account to even be offered a username. Next, the name you were offered wasn’t customizable and instead built off your real name, something you couldn’t change often. And finally, but most unique, the system recognized that many people had similar names, and so let no one have the generic form of it. If your real name was John Smith, Google+ prompted you with the following notice, “Many people have the same name. Add a few extra characters to this URL to get one that is unique for you.” It may have minimized animosity toward those who got there faster, but maximized animosity for a service that allowed no true winners, despite being almost functionally identical to Discord’s system.

Piggybacking

Pinterest piggybacks off the Twitter user namespace, the most sought-after namespace on the web. This has the advantage of minimizing the sting of a username being unavailable and the process of choosing a replacement, as you’ve already been through the emotions and accepted your fate when you signed up for Twitter. Many programming-related sites are now doing this as well, instead piggybacking off the king in that arena, GitHub.

Majority usurping

Telegram has the most interesting, and in my opinion, best solution to this problem that incorporates the benefits of first-come, first-serve, piggybacking, and reassignment respective to existing identities and trademarks without the drawbacks.

We understand that certain usernames are part of an online identity for some of us. If your desired username is already taken, we will be happy to help you acquire it for your account or channel, provided that you have that same username on at least two of these services: Facebook, Twitter, Instagram.

This has drawn a lot of ire and is very frustrating to those early adopters of the service who came before the corresponding Twitter, Instagram, and Facebook user could claim that identity. But was it really rightfully your identity to assume on Telegram if it’s monopolized on two of those three platforms, and not just monopolized, but by the same person? Couldn’t it instead be argued that you are the one impersonating them on a new platform and Telegram is merely returning what’s rightfully their identity? There’s nothing inherently fair or moral about the default “first-come, first-serve” policy of most sites — we’re just used to it. Essentially, Telegram’s policy is first-come, first-serve, only at the internet level rather than the individual service level.

To reuse the country analogy, it’s as if you’ve traveled the world attempting to call yourself Elon Musk only to learn that most countries already know an Elon Musk. Then, on a trip to Madagascar, the customs agent informs you Elon’s never been here; you may assume that identity. You’re secretly happy, but play it cool, knowing full well you couldn’t use the name anywhere else because such a person already exists. Now, when the real Elon Musk shows up to Madagascar demanding to use his identity, could you argue you really have any claim to it, especially given your prior knowledge of him, or is he rightful in taking it back from you?

Any arguments about the security risks of reassigning usernames with this policy can be turned on their head. While the Telegram user whose name was reassigned in the midst of a transaction can claim someone new is now impersonating him, it could just as easily be argued that he was the original impersonator and the transaction potentially deceitful. He could’ve easily reached out to the rightful owner’s contacts and said, “Hi, it’s me from Facebook and Twitter. Let’s continue our transaction here.”

In addition to effortlessly protecting trademarks by the proxy consensus of other high-value sites, this policy also rewards a very specific group of people with the best usernames. It gives them to those who had multi-disciplinary, multi-year foresight into choosing, and thereby creating, winning products and services.

If you have a generic identity and anticipated the rise of Twitter in 2007, got in early on the Facebook landrush in 2009, and then joined Instagram in 2010, you are absolutely the kind of person a startup wants to reward with a generic username. You didn’t strike gold or get lucky once. You were one of the earliest adopters of two services that later became worth billions. Not only would we love to have you on ours, we’re going to make sure the identity you worked hard to create is intact with us so that you can add the same value to our service that catapulted the others you joined into the billion-dollar club.

While Telegram’s model works well for social networking, you don’t have to piggyback off those specific services. Instead, use major players in your own niche, much like a trademark. If you have two out of three of the GitHub, GitLab, and Bitbucket username, that’s de facto ownership of the identity in the programming space. Two out of three of SoundCloud, Bandcamp, and ReverbNation is ownership in the musicmaking space. Not every username need be globally unique, but don’t alienate the highest-value, established users in your niche by refusing them their established identity.