WhatsApp Earns 1 Measly Star from EFF on Privacy

WhatsApp, the messaging application that Facebook acquired last year for $16 bn, claims more than a billion mobile downloads, more than 450 million active business and consumer users, and has more than a million users joining every day. But it earns abysmal marks concerning the privacy of all those enthusiastic users, says the Electronic Frontier Foundation.

In all, the service earned just one star in this year’s ‘Who Has Your Back’ report. This is WhatsApp’s first year in the roundup, and although EFF gave the company a full year to prepare for its inclusion, it has adopted none of the best practices that EFF identified when it comes to privacy—even if those best practices may not be strictly applicable given the company’s data stewardship approach.

Its transgressions in EFF’s eyes are myriad:

  • WhatsApp does not publicly require a warrant before giving content to law enforcement.
  • It doesn’t publish a transparency report or a law enforcement guide.
  • It doesn’t publish information about its data retention policies, including retention of IP addresses and deleted content.

WhatsApp does, however, have a pro-user public policy to oppose backdoors. In a public, official written format, WhatsApp’s parent company Facebook opposes the compelled inclusion of deliberate security weaknesses—i.e., introducing intentional vulnerabilities into secure products for the government’s use.

On behalf of itself as well as WhatsApp, Facebook signed a coalition letter organized by the Open Technology Institute, which stated: “We appreciate the steps that WhatsApp’s parent company Facebook has taken to stand by its users, but there is room for WhatsApp to improve,” the EFF said in its report.

“WhatsApp should publicly require a warrant before turning over user content, publish a law enforcement guide and transparency report, have a stronger policy of informing users of government requests, and disclose its data retention policies. WhatsApp does get credit for Facebook’s public position opposing back doors, and we commend Facebook for that.”

All of this said, it should be noted that WhatsApp has always prided itself on not even collecting user data in the first place—a state of affairs that may make moot the EFF’s concerns about turning user info over to law enforcement.

“Respect for your privacy is coded into our DNA, and we built WhatsApp around the goal of knowing as little about you as possible,” co-founder and CEO Jan Koum said ahead of the Facebook acquisition. “We don’t know your likes, what you search for on the internet or collect your GPS location. None of that data has ever been collected and stored by WhatsApp, and we really have no plans to change that.”

As with any company built on code, privacy flaws do crop up. In February 2015, a researcher uncovered a privacy bug in WhatsApp that allows strangers to view users’ profile pictures, even if they have been set to ‘contacts only’. The researcher also claimed that if a user sends a photo which is subsequently deleted, it’s not blurred out, as happens on the mobile version.
