This move seems to have been misunderstood and even overhyped by commentators with limited expertise. Others with an axe to grind against WhatsApp / Facebook because of mistrust have shared somewhat biased views in view of alternative messaging apps citing them to be less intrusive.
In this article, we hope to give a balanced view from a layman's perspective of what is happening and explain the specific context on how users will benefit besides sharing the privacy pitfalls to be wary of. Users can then decide the next steps.
Firstly, WhatsApp is being "transparent". As a company that is based in the US, they face few local legal requirements in relation to data protection / privacy, but seem to have chosen to comply with the transparency requirements that are typically seen in data protection laws. Arguably, they have been more transparent than is required under the PDPA in Singapore, for example.
The most important update is about how they will use their users' metadata, which is data about data, such as the time, frequency and duration of a user's activities and interactions with other users. WhatsApp was already collecting additional information such as information about a user's hardware model, operating system and phone number, but have now said that they will also collect information such as battery level, signal strength, app version and mobile operator. WhatsApp already collects the IP address of its users, but have clarified that this is with only enough precision to estimate a user's general location (for example their city and country), except where a user permits collection of more precise location information in order to use a specific service provided by WhatsApp and to which the user wants to opt-in. Note: it is metadata - and not the actual contents of your communications which are being shared - which most people have misunderstood, therefore fearing for their privacy. That explains one of the reasons for the exodus of users to other platforms.
The other major change is for WhatsApp to collect personal data in the context of the WhatsApp Business app when users of WhatsApp Messenger - which is the version individuals use to communicate - decide that they will communicate with businesses, including when they want to buy goods or services and/or make payments via WhatsApp. WhatsApp, however, clarified that the update relates to how merchants using WhatsApp Business to chat with customers can share data with Facebook, which could use the information for targeting ads. Note: this is paving the way for users to decide whether to take advantage of additional WhatsApp services and, again, seems to have been misunderstood by many commentators which explains one of the reasons for the exodus of users to other platforms.
Gmail, Chrome, Instagram, TikTok, and shopping portals are all already collecting metadata for similar purposes as are many commercial applications in the market. And this trend will continue.
Let's look in detail on what has NOT changed.
There have been many criticisms against their privacy practices and Facebook has been in the news in recent years for getting into trouble with data protection authorities especially in Europe. The Cambridge Analytica data scandal has understandably created lots of mistrust and damaged their privacy credentials. However, it is inconceivable that Facebook (and WhatsApp) in moving head, do not take into account the privacy of stakeholders while executing their company strategy. The problem is that Facebook is not the only one that users should be wary of as long as organisations' business models have something to do with processing of data. Or worse still, if the entire business is depending on a data-driven model especially one that monetises personal data.
Importantly, while there are various data protection laws in place in various countries, the responsibility ultimately falls to the users to do "due diligence", by reading the privacy policies of online services. Users should refrain from using online services which have questionable privacy practices - and questionable privacy policies are easy to spot. We often hear complaints that policies are long, technical, legalistic and very difficult to read. That, in itself, is a questionable privacy practice as it shows no real attempt - and possibly the opposite - by an online service to let users know what it is doing with personal data.
Another questionable practice is users should instead be wary of is, when a service doesn't tell you what they specifically do with the information they collect. Many companies (including those in Singapore) do not specifically state what the mobile permissions or personal information are being used for or even make any reference to what their mobile app functions do with personal data. This lack of transparency should be of concern.
So let's not fault WhatsApp for its efforts in reminding its users about its practices in handling personal data.
One common misconception, which is prompting users to move away from WhatsApp Messenger the WhatsApp platform is that people mistakenly think that WhatsApp can view the contents of your communications. This is not true. WhatsApp cannot see your chats, photos, video or group calls as these are encrypted end- to- end.
WhatsApp uses Signal Encryption Protocol, which is believed to be more secure than most messengers because of a process called "end-to-end encryption." Without end-to-end encryption, your conversations may be subjected to a "man-in-the-middle attack" by cybercriminals and other malicious actors who can access and steal the data.
The protocol works by encoding a sender's message in such a way that only the intended receiver's device (mobile phone/ tablet) can unlock it. Neither WhatsApp nor Signal (both use the same encryption protocol) or Facebook, your phone company, a service provider, nor anyone including the government, can read your messages. Note that only the people engaged in that communication can read the messages.
Only the user's metadata is being shared with Facebook to offer experiences and integrations across Facebook's family of apps and products. For example, depending on the permissions you have consented to WhatsApp initially, the following information may be shared with Facebook: Account information such as phone number, logs of how long and how often you use WhatsApp, information about how you interact with other users and device identifiers. Additional information that may be shared includes device details like IP address, operating system, browser details, battery health information, app version, mobile network, language and time zone, transaction and payment data, cookies, and location information.
Depending on the device you use, certain phone operating systems now provide you with choices whether to share certain information with the apps, including WhatsApp and other messaging platforms.
According to reports from Apple's new privacy labels in its App Store which give consumers a detailed look at what personal information apps are collecting and how that data is used, this seems to be the case.
As seen, WhatsApp, along with WeChat and Line are the biggest culprits when it comes to data being collected. But here's a slight problem. The information that Apple compiles called Privacy Nutrition Labels is provided directly by developers for publication on its Apps Store. The privacy details are only mandatory once a developer submits a new app or an update to Apple for review. So the information is only as accurate as what is declared (or not?). There is a possibility that developers might not be as transparent as we want them to be. Or, based on the flak that WhatsApp has received recently, might hesitate to accurately do so.
Look at what permissions Apps have access to as a more accurate indicator.
Android operating system (Google) offers a similar view to Apple's Privacy Nutrition labels called permissions. A 'permission' in an app protects the privacy of the user of the app. Every app must include an 'app manifest' that, amongst other things, lists the permissions that the app uses. Note that it is "objective declared" by the system (instead of the subjective submissions by the developer via Apple privacy label.
In simple terms, a central design point of the Android security architecture is that no application, by default, has permission to perform any operations (including reading or writing the user's personal data such as contacts or emails) that would adversely impact other applications, the operating system, or the user.
Hence, this system generated "permissions" is a better indication of what personal data a developer has access as the application must declare the permissions they need for additional capabilities not provided by the basic application platform.
The vast majority of mobile phones are 'Android phones' and they have two 'permissions' categories:
Take a look at the comparison table below of the various messaging apps and what permissions they require at the systems level. While there are criticisms specifically targeted at WhatsApp for being privacy intrusive (as stated in the previous Privacy Label Table) , it is important to note that all the applications need various permissions in order to deliver their respective features and functionalities.
For example, if your messaging app wants to attach a document, a photo and send it to a number of contacts listed in your phone address book, then the respective permissions need to be granted to "read the contents of your USB storage", "take pictures and videos" and "read your contacts and find accounts on the device".
It also means that an app developer theoretically can also extract the contents from your phone, turn on and monitor you using your own camera as well as steal your contact list.
In simple terms, if the developer wishes to, and the user grants those permissions within the app, it is tantamount to giving your entire phone and trusting that your messaging app will process your personal data responsibly.
For example, both WhatsApp and WeChat need the "retrieve running apps" permission, allowing the app to sit in the background until you open it again without the need of signing out.
Both Signal and WhatsApp requests for permissions to "receive and read messages". Again, this may understandably create privacy concerns. However, the rationale here is to allow the apps to make it convenient for users to automatically accept an OTP validation without the need to manually cut and paste the OTP code from your default SMS app into the messaging app to verify the user.
The table also suggests that Signal has "access to precise location (GPS and network-based)" (on the Android platform) but has declared in the Apple's privacy label that they do not collect such detailed information as a policy.
The privacy concerns, therefore, are not just about WhatsApp (and its sharing practices with Facebook). All apps have access to your personal information.
Article by Kevin Shepherdson - Fellow of Information Privacy, CIPM, CIPP/A, CIPP/E, CIPT, Exin (GDPR, Infosec), GRCP,
based on webinar panel discussion with:
Celine Chew - Fellow of Information Privacy, CIPM, CIPP/A, CIPT, Exin (GDPR, Infosec), GRCP
Dr Prapanpong Khumon - Associate Dean at School of Law, University of the Thai Chamber of Commerce, Thailand. Advisor to Secretary-General of the Personal Data Protection Commission in Thailand.
Lyn Boxall - Fellow of Information Privacy, CIPP/E, CIPP/A, CIPM
Andrew Fam - CIPT, Chief Technology Officer (CTO).
Access online / in-person courses and view past training records
Join lively discussions on pertinent data protection topics
Gain access to data protection research and video resources
Receive value-added data protection updates from the region