The ugly truth of WhatsApp’s user data privacy

Facebook’s meteoric rise as one of the biggest global monopolies has been accompanied by continuous weakening of its user privacy. With WhatsApp users voting with their feet, has Facebook’s past finally caught up with it?

January 16, 2021 by Sasank, Prabir Purkayastha
Mark Zuckerberg. Photo: Anthony Quintano. CC BY 2.0, via Wikimedia Commons

WhatsApp, a company owned by Facebook since 2014, issued a new privacy policy for its two billion users that changes its data-sharing rules. The policy was to take effect from February 8, but has been put off by three months after facing severe backlash. Under this new policy, WhatsApp will share its data with Facebook: user chats, connections, location and device information, transactions and payments. It will also share data of our interactions with other businesses that use WhatsApp.

The public outcry over the new privacy policy has prompted an exodus to much safer alternatives like Signal. The weekly downloads of Signal and Telegram, the other popular messaging app, have increased by millions, coupled with a significant drop in WhatsApp’s new downloads. Brian Acton, a co-founder of WhatsApp, quit Facebook following the 2016 change of policy and violation of assurances to WhatsApp users during its acquisition. He founded the Signal Foundation, a non-profit, to create the Signal app that is emerging as a more secure alternative to WhatsApp among encrypted messenger services.

WhatsApp has been sharing its user data with Facebook since 2016, violating the assurance it had given its users in 2014 when Facebook acquired the messaging platform. In 2016, it changed its policy of not sharing its users’ data with Facebook and gave its then-existing users a very narrow 30-day window to opt out.

Since then, anybody joining WhatsApp has to read its 8,000-word user agreement, find the specific clause on sharing their data, and then opt out of this clause. Virtually nobody goes through this tortuous exercise and, therefore, an overwhelming number of its users today have their data shared with Facebook.

However, there still existed a provision for users to opt out, if they went through the torture of reading its legal-jargon-filled 8,000-word privacy policy. The proposed change removes even this choice. The other key change in WhatsApp’s privacy policy is that it will share the data of users with businesses using WhatsApp to chat and order goods.

India has 400 million WhatsApp users, outnumbering by a distance any other country. Spooked by the mass exodus from WhatsApp, Facebook is in damage control mode. It has assured its users that WhatsApp encrypted message content will not be read or shared with Facebook or other businesses. In an attempt to stem the tide of departures, WhatsApp has taken the costly route of taking out full-page ads in all the major newspapers in the country.

This is reminiscent of Facebook’s failed attempt to sway the people with misleading information at the time of Free Basics. What it forgets to mention is what Facebook/WhatsApp does with the whole host of data apart from the content of its messages. This data, as its App policy indicates, is shared with others including its parent company, Facebook.

The biggest WhatsApp partner in India is Reliance’s JioMart [owned by Mukesh Ambani, the richest man in India, who is perceived to be close to the government], which is, therefore, the largest beneficiary of WhatsApp’s customer data. Facebook had secured approval for its payment app—WhatsApp UPI—in November last year, soon after Facebook pumped $5.7 billion in the Reliance Jio platform. While giving approval, the Indian regulator—NPCI (National Payments Corporation of India)—had asked that WhatsApp data be kept separate from Facebook. It does not appear from its App Store declaration that Facebook followed this regulatory requirement. Its new policy of sharing data with Facebook is another violation of the NPCI’s directive.

Interestingly enough, under pressure from the European Union and United Kingdom regulators, WhatsApp data is not shared with Facebook, a provision which Facebook says it will still follow. For the rest, including the US, it is data enclosure on a massive scale. And as we know, data is the lifeblood of the digital economy.

Before we check its other claims, let us see how WhatsApp describes its sharing of data policies in the Apple App Store.

In other words, WhatsApp has officially declared that it collects your personal data, which, as per its new privacy policy, will be shared not only with Facebook but also with other businesses that use the Facebook-WhatsApp platform. What it does not read, store or share is the content of the encrypted messages. But the real commercial value is in the meta-data, which it does collect and share with Facebook and now proposes to share with its business partners.

WhatsApp-Facebook’s claims, a reality check

What are the claims that WhatsApp and Facebook have made regarding their users’ data privacy and what is the reality?

1. WhatsApp cannot see your private messages, therefore it cannot share them with Facebook or any other third party: WhatsApp claims that as the content of the messages is end-to-end encrypted, only the sender and receiver can see them. Then the grand fudge: they only collect information used to ‘personalize features’, ‘show relevant offers and ads’, ‘make suggestions’ etc. Hence the use of a range of meta-data, as declared in their App Store declaration. Meta-data is as crucial as the content because it tracks our behavior on the platform; therefore its collection, use and sharing is a violation of our privacy.

2. WhatsApp cannot see your shared location: This is another blatant lie. Even if you do not give WhatsApp the location permission, it will estimate your geographical location from your IP address and then share it with Facebook.

3. WhatsApp does not share your contacts: According to WhatsApp, the contacts’ phone number and your phone number are stored in the form of a ‘cryptographic hash’. In theory, this means that they are not stored in the raw form but in a format that makes it difficult to identify the phone number. However, this is a duplicitous declaration because your phone number is part of your account information, which is stored by WhatsApp and shared with Facebook. So, even if the phone numbers of your contacts are stored in hashed form, WhatsApp can still identify the person, as their account information isn’t encrypted. Moreover, Facebook, Instagram and WhatsApp accounts running on the same device are linked as soon as you install those apps on your phone.

4. WhatsApp groups remain private: This claim rests on the proposition that the phone number and any associated information used to identify individuals are stored only in the form of a cryptographic hash. We have seen that this is not the case and that personally identifiable information is being shared with Facebook. We have recently seen that the group invitation links were used to extract group membership information and made accessible to search engines.

5. Sharing data of our Business interactions: WhatsApp claims that only the interactions with business accounts will be affected by the new privacy policy. This confirms that not only will WhatsApp collect and store information about our interactions with these business accounts but it will also share them with Facebook. Even sharing an article with somebody by clicking a WhatsApp share button on a news site is counted as an interaction. It separates ‘chats with friends and family’ and ‘chats with businesses’ and deems the former to be ‘private’ and the latter not. This betrays the thinking of Facebook: all your data is fair game for surveillance and making money.

Interactions with ‘Business Accounts’

The Supreme Court has affirmed privacy as a fundamental right of all the citizens of India. Unfortunately, a new data protection Act that will enable this fundamental right is yet to be enacted by the Narendra Modi government. It is worth reiterating here that even the interaction we have with any business is just between the two parties and unwarranted access to such information is a violation of privacy.

By monitoring our interactions with business accounts, WhatsApp aims to collect not just our chats but all the related information about our activity on various third-party apps and sites. For example, if a ticket booking site sends you confirmation about a movie, or if you buy something from an e-commerce app which sends you an invoice, it will be collected by WhatsApp. All this data will also be shared with Facebook and then be used to show you related ads when you are on WhatsApp or Facebook. WhatsApp will be the sole entity deciding which businesses are permitted to show ads. In doing so, WhatsApp will be able to force these businesses into sharing the data they hold about us, enabling WhatsApp/Facebook to capture even more data about us.

Facebook’s Threat to Privacy and Democracy

Facebook’s acquisitions—Instagram, WhatsApp—have built a social media monopoly. It has done this by exploiting the data of individuals and communities for profit. Its growth is directly proportional to the systematic erosion of the privacy of its user base. Linking WhatsApp data with Facebook, for no apparent reason other than monitoring our social media behavior and controlling it, would further strengthen this monopoly. It will also allow Facebook to exploit our data for micro-targeting. Weakening users’ privacy is the major ground of the anti-monopoly lawsuits filed by the Federal Trade Commission and 46 state governments against Facebook.

We have also seen significant data leaks from Facebook (Cambridge Analytica) and WhatsApp (Pegasus). Linking all the users’ data only increases the risk of such leaks. Data sharing between WhatsApp, Facebook and other businesses increases the threat manifold. Once data from these different platforms are linked, the linkage will be irreversible, with no way to decouple the data.

By using people’s profiles, interests and conversations to categorize them into micro-targeted groups and then suggesting groups and ads for behavioral modification, Facebook is already subverting our democratic process. Along with the US elections and the Brexit campaign, Facebook data has been used to distort elections in India too.

WhatsApp data, coupled with the data that Facebook has, is a threat to our sovereignty and national security, just as it is in most countries. It is time to examine the risk that data monopolies pose not only to our privacy, but also to our economy and polity.