WhatsApp forces users sharing data with Facebook: False alarm?
by Gabriel Avigdor
On 4 January 2021, WhatsApp pushed to all its users a notification screen to ACCEPT its updated terms of service (terms of use) and privacy policy (read “privacy notice”). The text displayed on users’ phone is pretty clear: accept to continue using the app or decline and stop using our service. For the time being, users can still say “not now” or continue using the App.
What are the deadlines?
WhatsApp first gave users until 8 February 2021 to decide to continue or quit the App, which was a very tight deadline. The text displayed on the user’s screen mentioned that the new terms would include sharing data with Facebook. As a result, millions of users switched to other so-called more “privacy friendly” apps. Some of them are Signal, Viber, Telegram (US), Olvid (FR) or Threema (CH) among others. After this event and huge users’ reactions, WhatsApp decided to offer a extended deadline until 15 May 2021. This would allow users to take more time to decide to continue or stop using the App.
So, what is this update all about? What are really the changes? Why would users switch or stay with WhatsApp? Are there really any privacy concerns? I will try to provide some response in this blog as a Q&A to make information easily accessible, concise, unambiguous, fair and transparent…Note that I recently moderated a webinar with international experts to discuss the changes to WhatsApp terms of service and privacy policy. Once online, I will share the link at the end of this article.
First, by updating its terms of services WhatsApp wants to inform all users that there has been a major update to them. As part of a broader initiative, Facebook wants to expand how users could share personal data. Therefore, WhatsApp took the opportunity to update its privacy notice (privacy policy being the “US term”). Legally speaking, App owners have to inform users of a change in the platform for transparency and contractual purposes (see below how this can be permitted). Also, WhatsApp wanted to make those new terms clearer. See below more information about what terms of use and privacy policies cover.
Facts are pretty clear: Facebook was acquired around $16Bn by Facebook and since then, the App owns a 2 billion users community. There is no Ads and this is a subscription-free service. Facebook is intending to absorb completely WhatsApp (like 72 other companies, including Instagram and Telegram) to make it part of a giant social network, monetize or make business with it from a way or another. At the time of WhatsApp acquisition, Zuckerberg announced its intent to drive interoperability to become part of Facebook’s applications. For example, Facebook Messenger and WhatsApp working together: “will help the social media giant in knowing if a user has already blocked a contact on WhatsApp. It will also help in keeping a check on push notifications and other chat details.” Also, switching from WhatsApp to Facebook and Instagram could allow to stay logged and work together. As explained in this article, “Facebook is working on a such a code to allow Messenger to access user’s WhatsApp, see if a specific Facebook Messenger user is using WhatsApp or not. It may access the user’s phone number, see if the chat is an archive or not and some other essential details. Moreover Facebook will also be able to see if the particular user in specific WhatsApp group or not“. WhatsApp will become part of Facebook’s ecosystem of applications to integrate with third parties software. If so, it means that Facebook may access status updates, access the list of contacts, images and potentially track users’ behaviors for more targeted advertising with all metadata collected via users’ profile information. Clearly, the ultimate goal of Facebook is to monetize this App and get a return on its huge investment. It could be that users would just have to pay to having the app or that data is crossed with other services. However, the moment WhatsApp starts to have Ads on the system, it will likely make users leave it.
WhatsApp updates from 4 January 2021 to the terms of use and privacy policy apply to all users. However, WhatsApp does not treat equally users located inside the “European Region” or outside (you can check if your country is on the link). The European Region, as defined by WhatsApp, comprises 47 countries, such as the EEA, Switzerland, the UK and other territories. Outside of the European Region, WhatsApp has defined other terms of service and another privacy policy applies. The terms of service outside the EU Region govern the rest of the world. The main reason is that under EU privacy laws, data sharing practices cannot be implemented without users being properly informed and, if necessary, consenting to the sharing of personal data to other companies for other purposes that the use of the App. In summary, WhatsApp does not treat its users equally:
As a regular user, no. The service for regular users will stay as is. Any company that needs to “substantially” change its terms of use must provide users with a notification, giving the right to disagree. This means that users disagreeing with the updated terms will have to stop using the service. However, for business users (WhatsApp for Business) the App will enable sharing information between the ecosystem of Facebook apps and third party service providers connected to the system. The use of WhatsApp does not seem to affect any of the non-business use of WhatsApp, at least for EU users. However, the changes inform users that WhatsApp will permit and exchange information with other software, including with its parent companies, Facebook Inc. when allowed by the law or users. After such a big confusion, WhatsApp published an FAQ clarifying what it will not do, to address user’s concerns. It says in particular that WhatsApp: However, it does not say that WhatsApp still have access to certain personal data about users, including some “metadata” (information about data). The different changes for users in the European Region or outside this region are explained below. Is this enough to reassure users? Not sure.
WhatsApp remains end-to-end encrypted. This means that WhatsApp cannot see the content of the messages. No text, file, image, video and other document shared between users is accessible by WhatsApp or its parent company Facebook. The primary goal of WhatsApp with this update was to inform users about the updated terms of services providing a “clearer” privacy notice. Not to change anything on its security design.
WhatsApp cannot see the content of the messages. However, the company can access user metadata, when registering and using the app (phone number, user name). WhatsApp can also, and must access, the contact list of the smartphone in order to include the contacts into the App. Still, there is personal data that WhatsApp can still access: Although there is no possibility to read the content for WhatsApp, all the above listed information remains very valuable to WhatsApp.
Metadata refers to a set of data that describes and gives information about other data. We often use the terminology data about data, or data that describes other data. For example: data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication. Is metadata valuable? Metadata is therefore very valuable for companies. Often, the content of the communication or the message is not so much important. What companies can value is analytics, data about users, trends, metrics and other information which can be used further for advertising purposes, even though the orignal data collection did not contain any personal data. The e-Privacy Regulation will harmonize the rules around metadata in the context of electronic communications. More to come on this topic in another blog. For the time being, you can read this very technical, but excellent legal memo on metadata from the Belgian law firm Timelex. Timelex is a member of the PrivacyRules Alliance to which I am part of as the Swiss Member.
The answer is very clear. WhatsApp used the forbidden word: FACEBOOK! The tsunami of reactions that we are observing is because WhatsApp may force users to share information with Facebook companies. If they do not agree, they will have to stop using the app. Under normal circumstances, when a company updates its terms of use and privacy notice, this should not raise any particular concerns, unless there is a massive change in the use of the App. The famous “infamous” Facebook has become a company that represent everything but privacy. The “unpopular” connotation of Facebook was emphasized after the Cambridge Analytica scandal (short summary here) where data of around 87 millions was misused. Second, Facebook is known to get 98,5% of its revenues on advertising. For example, in 2019, Facebook generated around $70B revenues. As a reminder, Cambridge Analytica was a UK firm that used surveys on Facebook to collect users’ data for political purposes, including to manipulate votes intentions in the context of US presidential elections. As a result, within 2 months Cambridge Analytica got banckrupt, Facebook got the highest possible fine in the UK of £500k (before the GDPR became applicable) and got a $5B fine in the USA by the FTC.
Staying with WhatsApp has now become a conceptual and moral choice, rather than a security or a privacy concerns. At least for users located in the European Region. WhatsApp stated that they would not share data with Facebook about users located in the European Region. Not yet. However, the Guardian explains very well that WhatsApp’s change of its privacy policy “does start to eat away at the idea that you can be on WhatsApp without a Facebook footprint“. So this is it. Are users starting to become Facebook users by continuing to use WhatsApp? This is ultimately the question that users must ask themselves to continue using this App, as sooner or later the app may become it monetized through the huge amount of information that is contained into the system. User data? Content data? Targetted Ads? Tracking technologies? Future will tell.
Today and tomorrow (after 15 May 2021), none of the conservations are or will be available to WhatsApp, even with the new update. WhatsApp still believe in strong end-to-end encryption, which prevents to see all the information (text, images, videos and files) exchanged between users. However, when Facebook acquired WhatsApp, back in 2014, it initiated a step to integrate WhatsApp within its ecosystem of applications. For example, to improve interoperability between Facebook applications (such as WhatsApp and Instagram), user data could be used to enable online purchasing without quitting the App when switching from one App to the other. This refers to system “interoperability”, which allows cross-communication between an eco-system of applications, ensuring a harmonized handling of data.
Declining means quitting the App. There does not seem to be any sort of choice to continue using WhatsApp with the old terms of service. All users declining will have to uninstall the app from their device.
Extract all your files There are software to save your images, videos and files. Once received via WhatsApp, all files are automatically saved in a folder on the device and can be found manually or with another explorer-kind app. Having the files directly downloaded on a user’s phone is why WhatsApp is not secure and not recommended for exchanging confidential information. A smartphone is subject to vulnerabilities, other apps may access such content and the phone may not have encryption nor good password protection. Inform your contacts Tell people that you are leaving the platform and which one you will be using in the future, you can do it either actively or more passively. An easy passive way to do it, is to update your status saying something like: “I use XYZ. Please contact me with this App“. Some people have created logos to update the picture of the WhatsApp profile to say on which platform to contact you”. This may be an opportunity to only tell people that you really want to stay in touch with.
To decide to switch to an alternative, you need to consider the use you want to make from the App. WhatsApp is still secure, but still it has access to a lot of information stored or shared with other companies including Facebook. Journalists and other professions fear that governments may access user information which may impair freedom of speech and opinion for private or public interests. Think about what you want to protect. If you consider switching, think of what you want to protect. Is this your data or also data from others, such as exchanging professional information with your customers, patients, clients? It is generally not a best practice to exchanges confidential information through personal mobile, including using messenger application. The reason is that WhatsApp, for example, will download the exchanged content on the phone. Such content is generally not encrypted on the device, which makes it vulnerable to unauthorised access and disclosure. Also, such information, such as professional contact details and confidential documents, could be sent by error or made accessible to third party applications on the phone. Here are some of the alternatives:
If you are located in the European Region, WhatsApp explains that it will not share data with Facebook. However, to be more accurate, there is information that WhatsApp cannot access at all (such as the content of the messages exchanged between users). However, there is also information that WhatsApp has access to. Here is the list of data that WhatsApp can access: Data that WhatsApp accesses This article explains in some details what is the information that WhatsApp collect about its users. See below what data WhatsApp can access: To use WhatsApp in a more privacy-secure manner, you can disable some options, as explained on this blog. Data that Facebook accesses As explained on this page, WhatsApp shares information with Facebook:
Terms of use are a contract between the company that owns an app and users. They are designed to explain under which conditions users are permitted to use the application. As a contract, terms of use usually contain authorization to use the service / application under certain authorized behaviors, while prohibiting others. It also give users a licence to use the application that is limited to certain extent. For example, terms of use usually describe the functionalities of the application. It also describes how to pay, register and what the permitted and prohibited use of the app are. As terms of service or terms of use consist in a contract, the contract is subject to national laws and consumer protection laws. Most of the time, unless a company creates specific terms of use per country, may provisions do not work. If brought in front of a court, some limitations and conditions may become invalid in accordance with local law.
Back in 2016, the ICO UK Commissioner, Elizabeth Denham, expressed her concerns over WhatsApp accessing the contact book of its users. She did raise that users were most likely not appreciating the extent to which Facebook may access user’s personal data. Currently, the Turkish data protection authority (KVKK) and the Italian Garante have expressed concerns about the lawfulness of WhatsApp’s update to its terms. In its statement, the KVKK described that in its primary analysis, WhatsApp may have breached informed consent rules but using bundled consent for the use of personal data, sharing of personal data to third parties and the acceptance of terms for the service. In Italy, the Garante
Data protection laws around the world require to comply with the principle of transparency. The privacy notice is where a data controller explains what it does with personal information about its users in a fair and transparent manner. The commonly accepted term used by privacy professionals to designate such documentation is a “privacy notice“. A Privacy policy is a term mainly used in the US to designate website pages informing internet users about data privacy. This usually applies to users of a service or customers of a product mentioning how to use personal identifiable information (PII). The term is slightly confusing from an EU perspective. A policy is a term that organizations use when creating internal documents. This usually includes codes of conducts, dos and don’ts, rights and obligations or members of an association, consortium or a company. If you’ve ever worked for a multinational company, you may have had to read such documentation called Standard Operating Procedures (SOPs). A policy has usually the same purpose. Therefore, a policy is an internal facing document that gives guidance, or gives rights and imposes obligations to employees to follow company principles guidelines. This does not suit with privacy, which requires external facing information. The better US term could be privacy statement. As best practice, I suggest to user the term “privacy notice“, instead of privacy policy, privacy statement or privacy terms.
Stronger privacy rules in the EU. With the GDPR, privacy notices must display in easily accessible terms, concise and without ambiguity. User-friendly layouts also help to comply with EU data privacy laws. To be fair with WhatsApp, the new privacy notice looks fairly clear and more accessible when looking for information about data processing activities. From a display perspective, it looks then easier to read and to navigate and appears. On the content, this is where WhatsApp did not well. There are many unknown elements that those terms do not address very clearly. This part of the confusion made to customers is what exact data exchanges occur with Facebook. When looking closer to the details, there is a lack of clarify and the terms remain slightly fuzzy. For example, it does not explain if consent is used as a free choice and for what purpose. Also it seems like a force for the processing of personal data, rather than a free choice, which removes trust. Maybe WhatsApp would reconsider the update to mention “for user’s information only” instead of agree or decline? What about a true consent mechanism to only use the service without sharing data with Facebook? What about reinstating an opt-in to share data with Facebook applications and third parties? Consent does not seem freely given. When using consent, it must remain freely given. To be freely given, the App should allow users to agree separately for each purpose and separated from the terms of use. Also, it should not prevent users to access the service (denial of service). If there is a denial of the service or it does not allow for a clear separate choice, consent may become unlawful and not freely given. The pop-up looks more like a take it or leave approach bundled together with the terms of use and the privacy terms. For exchange with Facebook and what data WhatsApp really collects, you have to dig into the entire terms to understand what users should expect with those changes. Also, the way WhatsApp updated its terms was far from ideal from a privacy and communication perspective. To gain trust in the digital world without real people, user’s perception is key. Using a clear separation between the acceptance of new terms and the use personal data would help reinforcing trust. How could WhatsApp do it better? My personal view is that WhatsApp completely failed from a communication perspective and it could have passed if communicated and presented differently. My recommendation to WhatsApp would be to create a 2 minutes explanatory video saying to all users, depending on their region: “this what will change for you, this is what will not change for you”. Ultimately, what users really want is to understand if there is any detriment for their privacy to continue using the App.
best alternative to whatsappBriarConsentdata privacyelementeprivacyePrivacydePrivacyFacebookgafamGDPRGDPR consentillegalinstagramolvidprivacy policyriot.imsessionsignaltelegramterms of servicethreemaviberwhat data is collected by whatsappwhatsapp alternativewhatsapp privacy policywirezuckerberg
Leave a Reply