Legal Articles

WhatsApp and Facebook The Privacy Violation Duet

On 19th February 2014, one of the largest business acquisitions of all time took place when social media giant, Facebook bought out WhatsApp in a mammoth transaction worth US $19 billion. Although WhatsApp’s modus operandi remained the same, many tech-enthusiasts and legally inclined persons explored alternate messaging applications due to Facebook’s popular track record of having no regard of privacy of its users and harvesting and mining data for monetary pursuits citing targeted content and advertisements.

Encryption and Metadata Policies
WhatsApp also added end-to-end encryption on its platform securing all chats, calls and content shared between individual as well as group chats. It is suspicious to note that all of WhatsApp’s encryption is handled exclusively by them without any user interference whatsoever. While it is understandable that the same is done for the convenience of its users, it should still give an option to let the users decide their own private key if they want to be serious about their vision of true privacy.

On January 13, 2017, the Guardian pointed out that WhatsApp had the ability to force the generation of new encryption keys for offline users, unbeknownst to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient was not made aware of this change in encryption, while the sender was only notified if they had opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and re-broadcasting of previously undelivered messages effectively allowed WhatsApp to intercept and read some users’ messages. The Guardian was also quick to report that the vulnerability was not inherent to the Signal protocol as developed by Open Whisper Systems, used by WhatsApp.

WhatsApp’s servers can still see limited details about the messages sent including to whom the message was sent and when it was sent. Moreover, WhatsApp’s privacy policy reserves the right to collect, use, preserve and share such metadata as applicable to law or regulations. A WhatsApp spokesperson confirmed that the company retains contact list data, which means that WhatsApp could also hand over your contact list in response to a government request. This makes a lot of sense, as Facebook is a social network, and knowing who speaks to who, and when, is arguably more valuable from a commercial standpoint than knowing the actual content of discussions.

Changes in Terms and Conditions
WhatsApp, as per the new policy, collects all user activity pattern data including which user gets online at what and for how much time, their status, profile photo, information related to referral websites i.e. essentially your website usage (links on websites which have the WhatsApp share button). Additionally, hardware model, operating system information, browser information, IP address, mobile network information including phone number, device identifiers, device location when a user sends his/her location via WhatsApp, or even when nearby locations are accessed, their entire address book, etc. are also collected.

This seems more like a ploy deployed by Facebook to build its comprehensive database of user’s mobile numbers along with additional user data. Although Facebook might already have this data due to the original Facebook application, prompting users to upload their entire contact list time and again. Nevertheless, Facebook has still not penetrated into the nook and crannies of third world countries where WhatsApp has flourished and increasingly gains ground eventually feeding the social media giant with more information about an area that was previously inaccessible to it.

WhatsApp will also be sharing the data with the “Facebook family of companies” – this includes photo-sharing application, Instagram, virtual reality firm, Oculus VR and nine other companies. The updated privacy policy also paves the way for businesses to send messages to WhatsApp users as well. The policy now also talks about copyright violations and intellectual right violations that might occur while using WhatsApp. While it seems that this is not applicable to personal messages due to the newly implemented end-to-end encryption, this could address issues of infringement occurring on people’s profile pictures, profile name and other information hosted by WhatsApp.

WhatsApp also gave users an option to disapprove of this data sharing with Facebook to existing users by unchecking the data sharing notification that appeared within the application shortly after the updated terms and conditions were announced. This option though was somewhat obfuscated and seemed to be created in a manner that would be missed by most of the daily users. WhatsApp also allowed a window of an additional 30 days to change the user’s preference as with regards to data sharing via a setting buried deep inside the settings menu of the application. Upon the expiration of this 30-day window, the option simply disappeared. It is worth noting here that the opt-out options available are only partial in nature and though one may opt-out of data sharing with Facebook with regards to ads, other data will be shared with Facebook and companies irrespective. Thus, the only way for a complete opt-out is to stop using the service altogether.

Significant Litigation
In India, the Delhi High Court in the case of Karmanya Singh v. Union of India, contended that WhatsApp had suddenly made drastic changes in its privacy policy and that WhatsApp was creating a façade of taking consent by presenting a Terms and Conditions dialogue box, which was beyond the comprehension of daily users. The bench went on to pass an interesting order; although it allowed WhatsApp to proceed with its new polices, it stated that in the event users opted to delete their account before 25-9-2016, no data was to be shared with Facebook or any of its companies and such data should be deleted completely from WhatsApp servers; data existing prior to 25-9-2016 of users who chose to stay could also not be shared with Facebook or its companies and data collected thereafter may be shared.

Subsequently, a Special Leave Petition was filed in the Supreme Court of India, stating that only partial relief was given by the Delhi High Court judgment. The petition prayed for users getting a fresh chance to give consent to their data being shared with Facebook in a clear manner and not adhere to the new amended privacy policy during the pendency of the petition. The matter is still sub judice in the Supreme Court of India and the next and final date of hearing is on 12th May 2017.

Although, the effort undertaken by WhatsApp to ensure end-to-end encryption to its one billion user base is laudable there are measures WhatsApp can take to reaffirm and strengthen its goal towards privacy. WhatsApp should adopt an opt-in policy for data sharing with Facebook in a simplified manner rather than an obfuscated opt-out policy. WhatsApp should make its data retention policies transparent and not open-ended and the ownership of data collected needs to be clarified. The mere fact that the WhatsApp implementation of encryption has a flaw that the original protocol shows that the code has been altered raising serious doubts on the much flaunted end-to-end encryption. Considering WhatsApp plans to integrate bank information, airlines information, etc. into a platform that may be open to eavesdropping can severely undermine privacy. WhatsApp should also adopt a spam reporting technique as done by e-mail service providers as opposed to heavily scanning metadata. Catering to a seventh of the world’s population, WhatsApp should focus on being more transparent, open-sourcing parts of its application, fixing encryption bugs and gradually moving away from metadata collection as we advance towards a more privacy centric world.

*Anmol Malhotra is a student of Rajiv Gandhi National University of Law, Punjab. He can be reached at Unabridged version  presented at GD Goenka University, Gurugram.


Leave a Comment