Privacy Groups Ask FTC to Halt Facebook's Acquisition of WhatsApp


Related Links

Top 5 Stories


Privacy Groups Ask FTC to Suspend Facebook's Acquisition of WhatsApp

07 March 2014

The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) have filed a complaint with the Federal Trade Commission (FTC) asking it to suspend the proposed Facebook takeover of WhatsApp and investigate the privacy implications of Facebook's potential access to WhatsApp user information.

Facebook is in the process of acquiring the WhatsApp mobile messaging service for a total of $19 billion. The two services have diametrically opposed business models. Facebook makes its revenue by selling advertising based on its knowledge of its users. WhatsApp makes its revenue by a subscription fee, eschews advertising, and promises to respect its users' privacy.

The privacy groups' complaint is twofold: that selling the service to Facebook amounts to a 'deceptive failure to represent "that WhatsApp’s governing principles of anonymity and privacy were subject to reversal;" and that it amounts to "unfair failure to adequately protect user data in the event of an acquisition." The concern is that Facebook will incorporate WhatsApp user data and start scanning WhatsApp messages (something WhatsApp does not currently do) in order to improve and expand its own targeted advertising revenue model.

The complaint argues that this possibility was never fairly presented to WhatsApp users, and that this failure amounts to deceptive practices. For its part, Facebook responded to the complaint by saying, "As we have said repeatedly, Whatsapp will operate as a separate company and will honor its commitments to privacy and security." 

However, this is not a legal guarantee, and the complaint points to Facebook's earlier acquisition of Instagram. "When Facebook purchased Instagram in 2012, Instagram users were not subjected to advertisements based on the content they uploaded to the site," says the complaint. "After the acquisition, Facebook did in fact access Instagram users’ data and changed the Instagram Terms of Service to reflect this change." The concern is that something similar could happen with WhatsApp.

The privacy groups also argue that the acquisition implicates safe harbor compliance. The FTC, charged with overseeing the EU/US safe harbor arrangement, has already issued a settlement order on Facebook which prohibits the social network from misrepresenting the extent to which it participates in safe harbor. But Dutch and German data protection regulators have begun separate investigations into the data protection issues related to the acquisition. This is presented as a further argument that the FTC needs to investigate the acquisition itself.

EPIC is asking the FTC to investigate the acquisition to examine Facebook's ability to access WhatsApp user data, and to suspend the acquisition until this has been done. If it subsequently allows the merger to proceed, EPIC is asking the FTC to "insulate WhatsApp users’ information from access by Facebook’s data collection practices."

The FTC has not yet commented on the complaint. However, it separately announced yesterday that it had signed a memorandum of understanding with the UK's Information Commissioner "to promote increased cooperation and communication between the two agencies in their efforts to protect consumer privacy." The UK is not (yet, at least) one of the EU member states that has raised any queries over the WhatsApp acquisition. Nevertheless, the UK is bound by the same data protection directive that underlies the Dutch and German data protection laws. Their findings are not binding on the UK, but could be used to support any complaint made to the ICO. This new MoU between the FTC and the ICO can only increase pressure on the FTC to uphold EPIC's complaint.

Infosecurity asked the UK's ICO if it has any plans to investigate the WhatsApp acquisition, and was told, "We have no plans to investigate WhatsApp at this time."

This article is featured in:
Cloud Computing  •  Compliance and Policy  •  Industry News  •  Internet and Network Security  •  Wireless and Mobile Security



cfajana says:

10 March 2014

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×