WhatsApp Privacy Policy Update Part II - Uncluttering the misinformation and an Unbiased View

WhatsApp updated its terms of use and privacy policy, basically to notify its users that they have until February 8 to read and agree to the new terms. Failure to do so would lead to WhatsApp deleting the user's account.

This move seems to have been misunderstood and even overhyped by commentators with limited expertise. Others with an axe to grind against WhatsApp / Facebook because of mistrust have shared somewhat biased views in view of alternative messaging apps citing them to be less intrusive.

In this article, we hope to give a balanced view from a layman's perspective of what is happening and explain the specific context on how users will benefit besides sharing the privacy pitfalls to be wary of. Users can then decide the next steps.

Don't Fault WhatsApp for Being Transparent

Firstly, WhatsApp is being "transparent". As a company that is based in the US, they face few local legal requirements in relation to data protection / privacy, but seem to have chosen to comply with the transparency requirements that are typically seen in data protection laws. Arguably, they have been more transparent than is required under the PDPA in Singapore, for example.

The most important update is about how they will use their users' metadata, which is data about data, such as the time, frequency and duration of a user's activities and interactions with other users. WhatsApp was already collecting additional information such as information about a user's hardware model, operating system and phone number, but have now said that they will also collect information such as battery level, signal strength, app version and mobile operator. WhatsApp already collects the IP address of its users, but have clarified that this is with only enough precision to estimate a user's general location (for example their city and country), except where a user permits collection of more precise location information in order to use a specific service provided by WhatsApp and to which the user wants to opt-in. Note: it is metadata - and not the actual contents of your communications which are being shared - which most people have misunderstood, therefore fearing for their privacy. That explains one of the reasons for the exodus of users to other platforms.

The other major change is for WhatsApp to collect personal data in the context of the WhatsApp Business app when users of WhatsApp Messenger - which is the version individuals use to communicate - decide that they will communicate with businesses, including when they want to buy goods or services and/or make payments via WhatsApp. WhatsApp, however, clarified that the update relates to how merchants using WhatsApp Business to chat with customers can share data with Facebook, which could use the information for targeting ads. Note: this is paving the way for users to decide whether to take advantage of additional WhatsApp services and, again, seems to have been misunderstood by many commentators which explains one of the reasons for the exodus of users to other platforms.

In their privacy policy update. WhatsApp declares that it collects user information "to operate, provide, improve, understand, customise, support, and market our Services." We know that as a business model, WhatsApp offers free messaging services, though at present they do not include targeting ads to users of WhatsApp Messenger. Many businesses, and perhaps WhatsApp Messenger in the future, provide free services in exchange for collecting metadata which they then use to target ads at users. It seems likely that businesses that use WhatsApp for Business will take advantage of such services, including through their use of a company Facebook page.

Gmail, Chrome, Instagram, TikTok, and shopping portals are all already collecting metadata for similar purposes as are many commercial applications in the market. And this trend will continue.

Let's look in detail on what has NOT changed.

What HAS NOT Changed

The fact is nothing major has changed since 2016 as data had all the while been shared with Facebook. In short, their privacy policy changes relating to private individuals do not actually impact WhatsApp's existing practices or behaviour around sharing data with Facebook.

There have been many criticisms against their privacy practices and Facebook has been in the news in recent years for getting into trouble with data protection authorities especially in Europe. The Cambridge Analytica data scandal has understandably created lots of mistrust and damaged their privacy credentials. However, it is inconceivable that Facebook (and WhatsApp) in moving head, do not take into account the privacy of stakeholders while executing their company strategy. The problem is that Facebook is not the only one that users should be wary of as long as organisations' business models have something to do with processing of data. Or worse still, if the entire business is depending on a data-driven model especially one that monetises personal data.

Be wary of companies that don't tell you what they do with your personal data

Importantly, while there are various data protection laws in place in various countries, the responsibility ultimately falls to the users to do "due diligence", by reading the privacy policies of online services. Users should refrain from using online services which have questionable privacy practices - and questionable privacy policies are easy to spot. We often hear complaints that policies are long, technical, legalistic and very difficult to read. That, in itself, is a questionable privacy practice as it shows no real attempt - and possibly the opposite - by an online service to let users know what it is doing with personal data.

Another questionable practice is users should instead be wary of is, when a service doesn't tell you what they specifically do with the information they collect. Many companies (including those in Singapore) do not specifically state what the mobile permissions or personal information are being used for or even make any reference to what their mobile app functions do with personal data. This lack of transparency should be of concern.

So let's not fault WhatsApp for its efforts in reminding its users about its practices in handling personal data.

Don't Confuse Sharing of MetaData vs Sharing of Content

One common misconception, which is prompting users to move away from WhatsApp Messenger the WhatsApp platform is that people mistakenly think that WhatsApp can view the contents of your communications. This is not true. WhatsApp cannot see your chats, photos, video or group calls as these are encrypted end- to- end.

WhatsApp uses Signal Encryption Protocol, which is believed to be more secure than most messengers because of a process called "end-to-end encryption." Without end-to-end encryption, your conversations may be subjected to a "man-in-the-middle attack" by cybercriminals and other malicious actors who can access and steal the data.

The protocol works by encoding a sender's message in such a way that only the intended receiver's device (mobile phone/ tablet) can unlock it. Neither WhatsApp nor Signal (both use the same encryption protocol) or Facebook, your phone company, a service provider, nor anyone including the government, can read your messages. Note that only the people engaged in that communication can read the messages.

Only the user's metadata is being shared with Facebook to offer experiences and integrations across Facebook's family of apps and products. For example, depending on the permissions you have consented to WhatsApp initially, the following information may be shared with Facebook: Account information such as phone number, logs of how long and how often you use WhatsApp, information about how you interact with other users and device identifiers. Additional information that may be shared includes device details like IP address, operating system, browser details, battery health information, app version, mobile network, language and time zone, transaction and payment data, cookies, and location information.

Depending on the device you use, certain phone operating systems now provide you with choices whether to share certain information with the apps, including WhatsApp and other messaging platforms.

But is WhatsApp the only messaging app accessing lots of personal data?

According to reports from Apple's new privacy labels in its App Store which give consumers a detailed look at what personal information apps are collecting and how that data is used, this seems to be the case.

As seen, WhatsApp, along with WeChat and Line are the biggest culprits when it comes to data being collected. But here's a slight problem. The information that Apple compiles called Privacy Nutrition Labels is provided directly by developers for publication on its Apps Store. The privacy details are only mandatory once a developer submits a new app or an update to Apple for review. So the information is only as accurate as what is declared (or not?). There is a possibility that developers might not be as transparent as we want them to be. Or, based on the flak that WhatsApp has received recently, might hesitate to accurately do so.

Look at what permissions Apps have access to as a more accurate indicator.

Android operating system (Google) offers a similar view to Apple's Privacy Nutrition labels called permissions. A 'permission' in an app protects the privacy of the user of the app. Every app must include an 'app manifest' that, amongst other things, lists the permissions that the app uses. Note that it is "objective declared" by the system (instead of the subjective submissions by the developer via Apple privacy label.

In simple terms, a central design point of the Android security architecture is that no application, by default, has permission to perform any operations (including reading or writing the user's personal data such as contacts or emails) that would adversely impact other applications, the operating system, or the user.

Hence, this system generated "permissions" is a better indication of what personal data a developer has access as the application must declare the permissions they need for additional capabilities not provided by the basic application platform.

The vast majority of mobile phones are 'Android phones' and they have two 'permissions' categories:

1. Normal permissions: these permissions do not directly risk the user's privacy - for example, permission to set the time zone is a normal permission. If an app lists a normal permission in its manifest, the system grants the permission automatically.
2. Dangerous permissions: these permissions give the app access to the user's personal data in their mobile phone, such as contacts and SMS messages, as well as certain system features, such as the camera. If a dangerous permission is requested, privacy laws do not allow the relevant personal data to be collected, used or disclosed unless the user gives explicit consent by 'accepting' the request for permission to do so. In addition, privacy laws generally restrict 'dangerous permissions' to personal data that the app may collect, use or disclose while the user is actually using it - they do not allow apps to collect, use or disclose personal data simply because the user downloaded the app.

Take a look at the comparison table below of the various messaging apps and what permissions they require at the systems level. While there are criticisms specifically targeted at WhatsApp for being privacy intrusive (as stated in the previous Privacy Label Table) , it is important to note that all the applications need various permissions in order to deliver their respective features and functionalities.

For example, if your messaging app wants to attach a document, a photo and send it to a number of contacts listed in your phone address book, then the respective permissions need to be granted to "read the contents of your USB storage", "take pictures and videos" and "read your contacts and find accounts on the device".

It also means that an app developer theoretically can also extract the contents from your phone, turn on and monitor you using your own camera as well as steal your contact list.

In simple terms, if the developer wishes to, and the user grants those permissions within the app, it is tantamount to giving your entire phone and trusting that your messaging app will process your personal data responsibly.

As can be seen from the above table, in order to perform its functions, WhatsApp (along with WeChat and to an extent, Telegram) access permissions which are not typically used by other applications like Signal, which has been the standard that many privacy commentators have referenced. Without understanding their actual reasons (unless the privacy policy explains), these permissions may be misconstrued as being privacy invasive.

For example, both WhatsApp and WeChat need the "retrieve running apps" permission, allowing the app to sit in the background until you open it again without the need of signing out.

Both Signal and WhatsApp requests for permissions to "receive and read messages". Again, this may understandably create privacy concerns. However, the rationale here is to allow the apps to make it convenient for users to automatically accept an OTP validation without the need to manually cut and paste the OTP code from your default SMS app into the messaging app to verify the user.

 The table also suggests that Signal has "access to precise location (GPS and network-based)" (on the Android platform) but has declared in the Apple's privacy label that they do not collect such detailed information as a policy.

In addition, Signal requests for permissions to "read calendar events plus confidential information" as well as "add or modify calendar events and send email to guests without owners' knowledge" although the other messaging apps do not require such permissions. Signal's own privacy policy doesn't explain the reasons for doing so, while we presume that this could be a future feature where users can schedule events within its app.

The privacy concerns, therefore, are not just about WhatsApp (and its sharing practices with Facebook). All apps have access to your personal information.

Every time you, as a user, gives a permission to an app, you should very closely weigh the benefits of the feature and whether that is excessive. Therefore, the privacy policy is your main means to understand the purposes of processing your personal data and what they do with it. Unfortunately, many of the privacy policies are written by legal professionals which may not be simple enough for the layman to understand. This is where WhatsApp paid the price for being transparent yet was misunderstood.

In case you missed Part I where the controversy was outlined, do click here. 
Click here for Part III outlining What HAS changed.

Article by Kevin Shepherdson - Fellow of Information Privacy, CIPM, CIPP/A, CIPP/E, CIPT, Exin (GDPR, Infosec), GRCP, 

based on webinar panel discussion with:

Celine Chew - Fellow of Information Privacy, CIPM, CIPP/A, CIPT, Exin (GDPR, Infosec), GRCP

Dr Prapanpong Khumon - Associate Dean at School of Law, University of the Thai Chamber of Commerce, Thailand. Advisor to Secretary-General of the Personal Data Protection Commission in Thailand.

Lyn Boxall - Fellow of Information Privacy, CIPP/E, CIPP/A, CIPM

Andrew Fam - CIPT, Chief Technology Officer (CTO).

PS (as of 18 January 2021): Due to widespread criticism, WhatsApp has announced that the change in privacy policy will be delayed to 15 May 2021.