On 19th February 2014, one of the largest business acquisitions of all time took place when social media giant, Facebook bought out WhatsApp in a mammoth transaction worth US $19 billion. Although WhatsApp’s modus operandi remained the same, many tech-enthusiasts and legally inclined persons explored alternate messaging applications due to Facebook’s popular track record of having no regard of privacy of its users and harvesting and mining data for monetary pursuits citing targeted content and advertisements.
Encryption and Metadata Policies
WhatsApp also added end-to-end encryption on its platform securing all chats, calls and content shared between individual as well as group chats. It is suspicious to note that all of WhatsApp’s encryption is handled exclusively by them without any user interference whatsoever. While it is understandable that the same is done for the convenience of its users, it should still give an option to let the users decide their own private key if they want to be serious about their vision of true privacy.
On January 13, 2017, the Guardian pointed out that WhatsApp had the ability to force the generation of new encryption keys for offline users, unbeknownst to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient was not made aware of this change in encryption, while the sender was only notified if they had opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and re-broadcasting of previously undelivered messages effectively allowed WhatsApp to intercept and read some users’ messages. The Guardian was also quick to report that the vulnerability was not inherent to the Signal protocol as developed by Open Whisper Systems, used by WhatsApp.
Changes in Terms and Conditions
WhatsApp, as per the new policy, collects all user activity pattern data including which user gets online at what and for how much time, their status, profile photo, information related to referral websites i.e. essentially your website usage (links on websites which have the WhatsApp share button). Additionally, hardware model, operating system information, browser information, IP address, mobile network information including phone number, device identifiers, device location when a user sends his/her location via WhatsApp, or even when nearby locations are accessed, their entire address book, etc. are also collected.
This seems more like a ploy deployed by Facebook to build its comprehensive database of user’s mobile numbers along with additional user data. Although Facebook might already have this data due to the original Facebook application, prompting users to upload their entire contact list time and again. Nevertheless, Facebook has still not penetrated into the nook and crannies of third world countries where WhatsApp has flourished and increasingly gains ground eventually feeding the social media giant with more information about an area that was previously inaccessible to it.
WhatsApp also gave users an option to disapprove of this data sharing with Facebook to existing users by unchecking the data sharing notification that appeared within the application shortly after the updated terms and conditions were announced. This option though was somewhat obfuscated and seemed to be created in a manner that would be missed by most of the daily users. WhatsApp also allowed a window of an additional 30 days to change the user’s preference as with regards to data sharing via a setting buried deep inside the settings menu of the application. Upon the expiration of this 30-day window, the option simply disappeared. It is worth noting here that the opt-out options available are only partial in nature and though one may opt-out of data sharing with Facebook with regards to ads, other data will be shared with Facebook and companies irrespective. Thus, the only way for a complete opt-out is to stop using the service altogether.
Although, the effort undertaken by WhatsApp to ensure end-to-end encryption to its one billion user base is laudable there are measures WhatsApp can take to reaffirm and strengthen its goal towards privacy. WhatsApp should adopt an opt-in policy for data sharing with Facebook in a simplified manner rather than an obfuscated opt-out policy. WhatsApp should make its data retention policies transparent and not open-ended and the ownership of data collected needs to be clarified. The mere fact that the WhatsApp implementation of encryption has a flaw that the original protocol shows that the code has been altered raising serious doubts on the much flaunted end-to-end encryption. Considering WhatsApp plans to integrate bank information, airlines information, etc. into a platform that may be open to eavesdropping can severely undermine privacy. WhatsApp should also adopt a spam reporting technique as done by e-mail service providers as opposed to heavily scanning metadata. Catering to a seventh of the world’s population, WhatsApp should focus on being more transparent, open-sourcing parts of its application, fixing encryption bugs and gradually moving away from metadata collection as we advance towards a more privacy centric world.
*Anmol Malhotra is a student of Rajiv Gandhi National University of Law, Punjab. He can be reached at firstname.lastname@example.org. Unabridged version presented at GD Goenka University, Gurugram.