WhatsApp Chaos: Time for a Comprehensive Data Security and Privacy Law?

WhatsApp hit the headlines with the launch of its new terms and conditions, a policy agreement that users are obliged to accept if they wish to continue using the app after the February 8, 2021 deadline. Users reacted with dismay within days of the initial message appearing on their accounts asking them to review existing privacy choices and agree to the changes outlined in the new policy. The proposed changes specified by WhatsApp (under Facebook ownership) have come under scrutiny by media and app experts. The most concerning issue is that Facebook, under its own privacy policy, would have access to the information (metadata) of millions of WhatsApp users, making it one of the biggest media organizations to collect, process and store ‘big data’ by design. If users agree to the proposed changes, their personal information will be shared with Facebook; if they reject them, their WhatsApp accounts will become void by the set deadline. This is the dilemma users are having to grapple with, and millions have instantly ditched WhatsApp in favor of alternative apps that are readily available for free and easy to download from app stores. This backlash has prompted Facebook to put the proposed policy changes on hold until May, but it is still not clear whether Facebook will shift its position.

This is a growing concern, and arguably it is not in the public interest and not in line with the privacy policies of many nations, especially the countries where GDPR applies: the UK and EU member states. However, it must be said that there is nothing new in what has been going on or in what is envisaged under the new privacy policy. Ever since Facebook acquired WhatsApp (in 2014), it has had access to a variety of user information already available on WhatsApp. This includes the active phone number, preferential choices, interests, mobile device information and IP address.

There is also another side to all this. WhatsApp has explained that the updates refer only to business communications and do not affect private end-to-end encrypted conversations between friends or family, and that the existing encryption will remain unchanged. It also claims that sharing information with Facebook is part of the company's policy to introduce a payment facility for users making purchases from sponsored trading outlets and organizations. However, the completion of the process is mainly conditional on the user agreeing to the terms and conditions of the company's privacy policy, and it is hard to believe that every user was aware of the pages of ‘small print’ in its privacy policy statement about how, why, with whom and for how long it shares metadata.

Facebook, in its own defense, claims that revenue from advertising on Facebook is essential for the company to function without imposing subscription charges on the users of its apps, and insists that the information it holds will help operate, provide, improve, understand, customize, support and market its services and offers. That may be so, but the longstanding customer preference for WhatsApp will be tested in time as subscribers turn to competing apps with similar features provided completely free to the user, in many cases without conditional agreements and privacy implications.

WhatsApp has end-to-end encryption and it is free, which is why it attracted subscribers, billions in number. However, as the story of WhatsApp's proposed privacy policy began to unfold in the public domain, user concerns began to rise, and the reaction that followed was not good news for the company. Users wasted no time in downloading similar apps, mainly Signal and Telegram, from other sources, and the numbers abandoning WhatsApp rang alarm bells at Facebook HQ. The worst was the rise in popularity of Signal, which took the top spot as the most downloaded app on the Play Store.

WhatsApp is also facing legal challenges on the grounds that it interferes in user surveillance and threatens India’s security. India has filed a petition against WhatsApp saying it is jeopardizing national security by sharing, transmitting and storing user data in another country, where the information is governed by foreign laws. Pakistan's federal minister for science and technology has said that the government is making efforts to introduce a strong data protection law to protect citizens’ privacy.

WhatsApp users within the European region, which includes the UK, are receiving a different privacy policy from users elsewhere in the world, and there is a clear difference in the policy note. The terms and conditions provided to European countries do not contain a section covering the information WhatsApp does collect. It is also worth noting that data sharing with Facebook is extremely limited for European users due to stronger user privacy protections in the EU. That is because the EU’s General Data Protection Regulation (GDPR) is one of the strictest in the world: it ensures that consumers have full rights over their data and how that data is processed, including the right to demand erasure of information. Companies bound by the European Union’s privacy laws are liable for fines of as much as 4% of global annual revenue if found in breach of the EU bloc's laws. The GDPR also permits service providers to collect only the information that is necessary to provide their services.

The regulatory vacuum is a real concern for data protection: most countries are still developing their legal mechanisms, and for most of them, even though data protection laws are in progress, it is hard to police how technology companies process user data until the Personal Data Protection Bill becomes law. It is clear that users have limited options, and countries should take the protection of privacy rights seriously and come up with a personal data protection law. Moreover, users who are not conversant with data privacy implications might overlook the risks of downloading and using these popular messaging apps free of charge. It is not too late to act and introduce sound privacy legislation now, to ensure that app providers have meaningful, clear terms and conditions that will allay doubts and suspicions in the minds of users. This is also one way to promote competition in the market and allow wider user choice.
