A bit of history
How it all started
WhatsApp was created in the 2010’s by Jan Koum and Brian Acton, 2 employees of Yahoo, the famous American search engine company.
At the time, WhatsApp wanted to replace text messages with an ad-free application based on a few simple text and image exchange functionalities. Remember that, at the time, phone bundles were extremely limited and sending text messages and images could end up being very expensive.
Even though in the years 2009-2012 other competitors appeared such as Viber, Facebook Messenger and LINE, WhatsApp Messenger was the first and its success was such that the number of users climbed very quickly to reach 450 million active users by its 5th anniversary.
It should also be noted that the 2 partners, who grew up in Ukraine (at the time still attached to the USSR), were familiar to the phone spying carried out by the Soviet authorities through the generation of their parents. After being refused a job at Facebook, they registered the company Whatsapp Inc. on 24 February 2009 in order to create an application that would only require a phone number, and wouldn’t imply creating a profile (which could be resold). Above all, the application would not store any personal information such as the messages sent.
Let’s talk about Facebook now. Even though the different download platforms show that WhatsApp still seems to be owned by “WhatsApp Inc” and that the additional mention “from Facebook” on WhatsApp only appeared about a year ago, the buyout of the company was made in 2014 after being turned down by Google.
The philosophy of “No Ads! No Games! No Gimmicks! ” changed very quickly as a consequence. Although the takeover may have seemed beneficial for Facebook, the company was actually losing money. In 2018, as Facebook wanted to increase profits by using personal data, Jan Koum, WhatsApp’s boss and co-founder, resigned.
Privacy and encryption
Although this part will be discussed in more detail in a future article, it should be noted that many of the applications we have in our phones contain trackers, including WhatsApp. These trackers usually do not transmit your personal data per se (we don’t know what WhatsApp was actually collecting). Traditionally they included usage statistics, sometimes anonymized or pseudonymized, but still data about you. All of this data ends up being shared with Facebook and third party publishers (Google and others) without any real control.
Let’s now look at the issue from an encryption perspective. Many people think that WhatsApp is secure, because it shows everywhere that conversations are encrypted from end to end. This means that someone hacking into the network would not be able to intercept your conversations, and in theory this is indeed quite correct (see appendices).
From this moment onwards, WhatsApp and Facebook could know information such as the number of people you talk to on Facebook, the number of messages you send to your contacts, but also the type of message, the size of the photos, the duration of the audio files, etc. All of this was hidden behind unique identifiers, but thanks to which both companies could very easily get an idea of your habits, build a digital identity and therefore a profiling of its users.
What will change in May 2021
Before getting to the heart of the matter, I would like to point out that the information presented below is retrieved from the different versions of the conditions and policies directly provided by WhatsApp and available online (see Sources & Appendices). There are only 4 versions in total: 07/07/2012, 25/08/2016, 24/04/2018 and 04/01/2021.
Over the past few weeks we have all noticed a message inviting us to accept new terms and conditions, and I am sure that many of you may have already clicked to give your consent. Of course you are not to blame, we all do it!
The message seems innocent since it talks about “the way WhatsApp processes our data”. You could then think that Facebook and WhatsApp care about our data.
I therefore suggest that we put these infamous Conditions under the microscope and dissect them together. The first thing we notice is that if we do not accept, we will no longer be able to use the application.
The first link that we see is “Key Updates” which brings us on a page (see Sources & Appendices) where we can read that “The respect of your confidentiality is anchored in our DNA” which could be enough for many to accept the new conditions:
An important piece of information to note is that WhatsApp seems to take into account the GDPR regulation (General Data Protection Regulation) and has therefore separated these general conditions and security policies in two for people residing in the European area and for others.
If you would like to see the “Terms of Use” or “Privacy Policy” applied to the rest of the world, please follow the following link.
Source: https://www.whatsapp.com/legal/updates/terms-of-service-eea
In the rest of this article, we will discuss WhatsApp’s new conditions and policies applied to the countries of the European region on 04 January 2021. However, be careful if you interact with people and companies outside the European area.
Terms and conditions of use
The first point that is important to note is that WhatsApp seems to give us the choice by asking for our consent (in accordance with the GDPR and the agreements detailed here), to access our data, which is a rather good thing:
Sources: https://www.whatsapp.com/legal/updates/terms-of-service-eea (WhatsApp Privacy Policy)
On the other hand, and as we saw in the previous chapter, this is not what is stated on the notification we received. We will get more information in the coming weeks and in particular on May 2021 for those still concerned.
Here we do not find much new information compared to the old conditions, but what is important to note is that here you will have to validate in order to continue using the services. For some people who would continue to use the service, there will be new things that will come into effect. We can read in particular that WhatsApp collects data to help companies using the service better target their customers, and that they use other third-party companies for this purpose:
Source: Our Services https://www.whatsapp.com/legal/terms-of-service-eea (WhatsApp Privacy Policy)
Regarding third-party companies, WhatsApp does not hide its link to Facebook by saying that the two platforms are connected and exchange information not only together, but also with all Facebook entities (detailed here):
Source: https://faq.whatsapp.com/general/security-and-privacy/the-facebook-companies (WhatsApp Privacy Policy)
As the conditions of use for the European zone are very controlled, we do not find any more information that could infringe our personal data. I am therefore interested in the privacy policy, still concerning the European zone.
Privacy policy
Along with the terms of use, a new privacy policy also comes into effect. As the new version will be mandatory to use the WhatsApp services, even within the European zone, you will allow new exchanges with Facebook entities. It is therefore important to analyse the situation and what is said.
As you know, in order to communicate with your contacts WhatsApp needs access to your contact book, which seems logical given that the service is based solely on phone numbers. Unfortunately WhatsApp doesn’t seem to stop there since it says :
“We collect device-specific information […] such as hardware model, operating system information, battery level, signal strength, application version, browser information, mobile network, connection data (including phone number, mobile operator or ISP), language and time zone, IP address, information regarding activity on the device and identifiers (including unique identifiers on Products from Facebook entities associated with the same device or account)”
If you use other services belonging to the group such as Facebook and Instagram, your information is centralized and associated with each other. In addition, we can read a little further on:
“When other people you know use our Services, they may give us your phone number, name and other information (such as information from their mobile address book), just as you can give us theirs.”
WhatsApp states in its Privacy Policy that you are not required to give WhatsApp access to your entire address book and that you may provide WhatsApp with the contact file of your choice, however, once you remove contact authorization (at least on Android), you lose any ability to identify who is behind the phone numbers. This may be a feature to come from February 9th but none of my research has been able to clarify this point.
For an email service that only needs your number, it turns out that WhatsApp and other Facebook entities know all the information you have brought to their attention about you.
You may have already noticed that although you block access to your contacts and delete your phone number from the privacy settings on the Facebook application, you still receive friend suggestions from people in your address book or from people you follow on Instagram.
To conclude
To conclude on these new conditions, it could be said that there is not much that is really new for European users who would have already accepted the previous conditions (then prior to the GDPR). For the others the questioning is very legitimate, as acceptance is for the moment still mandatory.
Indeed, until now, and as mentioned in last summer’s privacy policy (July 20, 2020), WhatsApp still gave its users the choice to share or not share their information: “You can choose not to share your WhatsApp account information with Facebook to enhance your experience with Facebook products and ads. Users […] will have an additional 30 days to make this choice by going to Settings > My Account”. In the new terms, this mention has of course disappeared.
I pointed out that acceptance was “for the moment” mandatory, because according to many legal experts specialising in the GDPR regulation, forcing a user to accept strongly endangers the concept of “free consent”.
Will WhatsApp and Facebook maintain this obligation? A question that will be of interest, especially since, according to my analysis of the security policy, the deletion of a WhatsApp account results in the deletion of all your data. This would in turn prevent you from reopening an account with the same number, which is another abusive practice.
Source: https://www.whatsapp.com/legal/updates/privacy-policy-eea (WhatsApp Privacy Policy)
Of course, I don’t want to be paranoid, so everyone is free to check for themselves and make their own interpretation, especially since WhatsApp’s privacy policy justifies the use of data to serve the interests of its users and help them use their services.
What are the alternatives?
If you decide to stop using WhatsApp after you read this, there are alternatives. As I didn’t want to switch to an email service with questionable and unclear terms of use and security policies, I have done some research to provide you with information on both functionalities and privacy. Unfortunately, there are a lot of them, so I focused on the 6 main ones:
Comparative table
Pros and cons analysis
Sources & Appendices
English
Français
- WhatsApp reporte le partage de données avec Facebook au 15 mai 2021
- Le chiffrement de bout-en-bout, qu’est-ce que c’est ?
- Code des communications électroniques européennes avec WhatsApp
- Mises à jour clés
- Nouvelles conditions – Hors zone européenne
- Nouvelles conditions – Zone européenne
- Nouvelle politique de confidentialité
- UFC Que Choisir Grenoble à propos de WhatsApp
Did you know?
- A small group of privacy activists created Signal in 2013, and it has grown tremendously in recent years. In 2018, WhatsApp founder Brian Acton donated $50 million to create the Signal Foundation, which now runs Signal. Acton embarked on the mission to create a truly private messaging service after Facebook bought WhatsApp and Acton left the company amidst confrontations with Facebook over how it was eroding WhatsApp’s privacy.
- The end-to-end encryption protocol used by WhatsApp, Signal and supported by Telegram was developed by Open Whisper Systems in 2013 and was originally called the Signal Protocol on which several open-source applications, including the Signal messaging system, are based. The company is funded by donations and is supported by the Open Technology Fund, an organisation funded by the US government to promote freedom on the Internet.
Want to read more about the subject?
- WhatsApp cède sur sa politique, craignant l’exode vers Signal (FR)
- Signal : La messagerie chiffrée a été téléchargée 47 millions de fois en deux semaines (FR)
- Faille de sécurité dans WhatsApp : les numéros de téléphone des utilisateurs apparaissent (FR)
- L’Inde demande à WhatsApp de renoncer à son nouveau règlement (FR)
- Comment passer de WhatsApp à Signal facilement ? (FR)