WhatsApp started sharing its user data with Facebook since 2016, violating the assurance it had given its users in 2014 when Facebook acquired the messaging platform. In 2016, it changed its policies of not sharing its users’ data with Facebook and gave its then-existing users a very narrow 30-day window to opt-out.
Since then, anybody joining WhatsApp has to read its 8,000-word user agreement, find the specific clause on sharing their data, and then opt out of this clause. Virtually nobody goes through this tortuous exercise and, therefore, overwhelming number of its users today have their data shared with Facebook.
India has 400 million WhatsApp users, outnumbering by a distance any other country. Spooked with the mass exodus from WhatsApp, Facebook is in damage control mode. It has assured its users that WhatsApp encrypted message content will not be read or shared with Facebook or other businesses. In an attempt to stem the tide of WhatsApp departures, WhatsApp has taken the costly route of taking out full-page ads in all the major newspapers in the country.
This is reminiscent of Facebook’s failed attempt to sway the people with misleading information at the time of Free Basics. What it forgets to mention is what Facebook/WhatsApp does with the whole host of data apart from the content of its messages. This data, as its App policy indicates, is shared with others including its parent company, Facebook.
The biggest WhatsApp partner in India is Reliance’s JioMart [owned by Mukesh Ambani, the richest man in India, who is perceived to be close to the government], which is, therefore, the largest beneficiary of WhatsApp’s customer data. Facebook had secured approval for its payment app—WhatsApp UPI—in November last year, soon after Facebook pumped $5.7 billion in the Reliance Jio platform. While giving approval, the Indian regulator—NPCI (National Payments Corporation of India)—had asked that WhatsApp data be kept separate from Facebook. It does not appear from its App Store declaration that Facebook followed this regulatory requirement. Its new policy of sharing data with Facebook is another violation of the NPCI’s directive.
Interestingly enough, under pressure from the European Union and United Kingdom regulators, WhatsApp data is not shared with Facebook, a provision which Facebook says it will still follow. For the rest, including the US, it is data enclosure on a massive scale. And as we know, data is the lifeblood of the digital economy.
Before we check its other claims, let us see how WhatsApp describes its sharing of data policies in the Apple App Store.
WhatsApp-Facebook’s claims, a reality check
What are the claims that WhatsApp and Facebook have made regarding their users data privacy and what is the reality?
- WhatsApp cannot see your private messages, therefore it cannot share them with Facebook or any other third-party:
WhatsApp claims that as the content of the messages is end-to-end encrypted, only the sender and receiver can see them. Then the grand fudge: they only collect information used to ‘personalize features’, ‘show relevant offers and ads’, ‘make suggestions’ etc. So the use of a range of meta-data as declared in their App Store declaration. Meta-data is as crucial as the content because it monitors our behavior on the platform, therefore its collection, use and sharing is a violation of our privacy.
2. WhatsApp cannot see your shared location: This is another blatant lie. Even if you do not give WhatsApp the location permission, it will estimate your geographical location by using an IP address and then share it with Facebook.
3. WhatsApp does not share your contacts: According to WhatsApp, the contacts’ phone number and your phone number are stored in the form of a ‘cryptographic hash’. In theory, this means that they are not stored in the raw form but in a format that makes it difficult to identify the phone number. However, this is a duplicitous declaration because your phone number is part of your account information which is stored by WhatsApp and shared with Facebook. So, even if the phone numbers of your contacts are stored in hashed form, WhatsApp can still identify the person, as their account information isn’t encrypted. Moreover, Facebook, Instagram, WhatsApp accounts running on the same device are linked as soon as you install those apps on your phone.
4. WhatsApp groups remain private: This claim rests on the proposition that phone number and any associated information used to identify individuals is stored only in the form of a cryptographic hash. We have seen that this is not the case and that personally identifiable information is being shared with Facebook. We have recently seen that the group invitation links were used to extract group membership information and made accessible to search engines.
Interactions with ‘Business Accounts’
The Supreme Court has affirmed privacy as a fundamental right of all the citizens of India. Unfortunately, a new data protection Act that will enable this fundamental right is yet to be enacted by the Narendra Modi government. It is worth reiterating here that even the interaction we have with any business is just between the two parties and unwarranted access to such information is a violation of privacy.
By monitoring our interactions with business accounts, WhatsApp aims to collect not just our chats but all the related information about our activity on various third party apps/sites. For example, if a ticket booking site sends you confirmation about a movie, or if you buy something from an e-commerce app which sends you an invoice, it will be collected by WhatsApp. All this data will also be shared with Facebook and then be used to show you related ads when you are on WhatsApp or Facebook. WhatsApp will be the sole entity deciding which businesses are permitted to show ads. In doing so, WhatsApp will be able to force these businesses into sharing our data available with them and enable WhatsApp/Facebook to capture even more data about us.
Facebook’s Threat to Privacy and Democracy
Facebook’s acquisitions—Instagram, WhatsApp—has built a social media monopoly. It has done this by exploiting the data of individuals and communities for profit. Its growth is directly proportional to the systematic erosion of the privacy of its user base. Linking WhatsApp data with Facebook for no apparent reason than monitoring our social media behavior and controlling it, would further strengthen this monopoly. It will also allow Facebook to exploit our data for micro-targeting. Weakening users’ privacy is the major ground of the anti-monopoly lawsuits filed by the Federal Trade Commission and 46 state governments against Facebook.
We have also seen significant data leaks from Facebook (Cambridge Analytica) and WhatsApp (Pegasus). Linking all the users’ data only increases the risk of these leaks even more. Data sharing between WhatsApp, Facebook and other businesses only increases the threat manifold. Once data from these different platforms are linked, it will be irreversible and no way to decouple the data.
By using peoples’ profiles, interests and conversations to categorize them into micro-targeted groups and then suggesting groups and ads for behavioral modification, Facebook is already subverting our democratic process. Along with the US elections, Brexit campaign, Facebook data has been used to distort elections in India too.
WhatsApp data coupled with the data that Facebook has, is a threat to our sovereignty and national security, just as it is in most countries. It is time to examine the risk that data monopolies pose not only to our privacy, but also our economy and polity.