Reading between the lines of WhatsApp’s new privacy policy (+Alternatives)

Reading between the lines of WhatsApp’s new privacy policy (+Alternatives)
Contents

A bit of history

How it all started

WhatsApp was created in the 2010’s by Jan Koum and Brian Acton, 2 employees of Yahoo, the famous American search engine company.

At the time, WhatsApp wanted to replace text messages with an ad-free application based on a few simple text and image exchange functionalities. Remember that, at the time, phone bundles were extremely limited and sending text messages and images could end up being very expensive.

Even though in the years 2009-2012 other competitors appeared such as Viber, Facebook Messenger and LINE, WhatsApp Messenger was the first and its success was such that the number of users climbed very quickly to reach 450 million active users by its 5th anniversary.

It should also be noted that the 2 partners, who grew up in Ukraine (at the time still attached to the USSR), were familiar to the phone spying carried out by the Soviet authorities through the generation of their parents. After being refused a job at Facebook, they registered the company Whatsapp Inc. on 24 February 2009 in order to create an application that would only require a phone number, and wouldn’t imply creating a profile (which could be resold). Above all, the application would not store any personal information such as the messages sent.

Facebook

Let’s talk about Facebook now. Even though the different download platforms show that WhatsApp still seems to be owned by “WhatsApp Inc” and that the additional mention “from Facebook” on WhatsApp only appeared about a year ago, the buyout of the company was made in 2014 after being turned down by Google.

The philosophy of “No Ads! No Games! No Gimmicks! ” changed very quickly as a consequence. Although the takeover may have seemed beneficial for Facebook, the company was actually losing money. In 2018, as Facebook wanted to increase profits by using personal data, Jan Koum, WhatsApp’s boss and co-founder, resigned.

Privacy and encryption

Although this part will be discussed in more detail in a future article, it should be noted that many of the applications we have in our phones contain trackers, including WhatsApp. These trackers usually do not transmit your personal data per se (we don’t know what WhatsApp was actually collecting). Traditionally they included usage statistics, sometimes anonymized or pseudonymized, but still data about you. All of this data ends up being shared with Facebook and third party publishers (Google and others) without any real control.

Let’s now look at the issue from an encryption perspective. Many people think that WhatsApp is secure, because it shows everywhere that conversations are encrypted from end to end. This means that someone hacking into the network would not be able to intercept your conversations, and in theory this is indeed quite correct (see appendices).

From this moment onwards, WhatsApp and Facebook could know information such as the number of people you talk to on Facebook, the number of messages you send to your contacts, but also the type of message, the size of the photos, the duration of the audio files, etc. All of this was hidden behind unique identifiers, but thanks to which both companies could very easily get an idea of your habits, build a digital identity and therefore a profiling of its users.

What will change in May 2021

Before getting to the heart of the matter, I would like to point out that the information presented below is retrieved from the different versions of the conditions and policies directly provided by WhatsApp and available online (see Sources & Appendices). There are only 4 versions in total: 07/07/2012, 25/08/2016, 24/04/2018 and 04/01/2021.

Over the past few weeks we have all noticed a message inviting us to accept new terms and conditions, and I am sure that many of you may have already clicked to give your consent. Of course you are not to blame, we all do it!

The message seems innocent since it talks about “the way WhatsApp processes our data”. You could then think that Facebook and WhatsApp care about our data.

I therefore suggest that we put these infamous Conditions under the microscope and dissect them together. The first thing we notice is that if we do not accept, we will no longer be able to use the application.

The first link that we see is “Key Updates” which brings us on a page (see Sources & Appendices) where we can read that “The respect of your confidentiality is anchored in our DNA” which could be enough for many to accept the new conditions:

An important piece of information to note is that WhatsApp seems to take into account the GDPR regulation (General Data Protection Regulation) and has therefore separated these general conditions and security policies in two for people residing in the European area and for others.

If you would like to see the “Terms of Use” or “Privacy Policy” applied to the rest of the world, please follow the following link.

Source: https://www.whatsapp.com/legal/updates/terms-of-service-eea

In the rest of this article, we will discuss WhatsApp’s new conditions and policies applied to the countries of the European region on 04 January 2021. However, be careful if you interact with people and companies outside the European area.

Terms and conditions of use

The first point that is important to note is that WhatsApp seems to give us the choice by asking for our consent (in accordance with the GDPR and the agreements detailed here), to access our data, which is a rather good thing:

Sources: https://www.whatsapp.com/legal/updates/terms-of-service-eea (WhatsApp Privacy Policy)

On the other hand, and as we saw in the previous chapter, this is not what is stated on the notification we received. We will get more information in the coming weeks and in particular on May 2021 for those still concerned.

Here we do not find much new information compared to the old conditions, but what is important to note is that here you will have to validate in order to continue using the services. For some people who would continue to use the service, there will be new things that will come into effect. We can read in particular that WhatsApp collects data to help companies using the service better target their customers, and that they use other third-party companies for this purpose:

Source: Our Services https://www.whatsapp.com/legal/terms-of-service-eea (WhatsApp Privacy Policy)

Regarding third-party companies, WhatsApp does not hide its link to Facebook by saying that the two platforms are connected and exchange information not only together, but also with all Facebook entities (detailed here):

Source: https://faq.whatsapp.com/general/security-and-privacy/the-facebook-companies (WhatsApp Privacy Policy)

As the conditions of use for the European zone are very controlled, we do not find any more information that could infringe our personal data. I am therefore interested in the privacy policy, still concerning the European zone.

Privacy policy

Along with the terms of use, a new privacy policy also comes into effect. As the new version will be mandatory to use the WhatsApp services, even within the European zone, you will allow new exchanges with Facebook entities. It is therefore important to analyse the situation and what is said.

As you know, in order to communicate with your contacts WhatsApp needs access to your contact book, which seems logical given that the service is based solely on phone numbers. Unfortunately WhatsApp doesn’t seem to stop there since it says :

“We collect device-specific information […] such as hardware model, operating system information, battery level, signal strength, application version, browser information, mobile network, connection data (including phone number, mobile operator or ISP), language and time zone, IP address, information regarding activity on the device and identifiers (including unique identifiers on Products from Facebook entities associated with the same device or account)”

If you use other services belonging to the group such as Facebook and Instagram, your information is centralized and associated with each other. In addition, we can read a little further on:

“When other people you know use our Services, they may give us your phone number, name and other information (such as information from their mobile address book), just as you can give us theirs.”

WhatsApp states in its Privacy Policy that you are not required to give WhatsApp access to your entire address book and that you may provide WhatsApp with the contact file of your choice, however, once you remove contact authorization (at least on Android), you lose any ability to identify who is behind the phone numbers. This may be a feature to come from February 9th but none of my research has been able to clarify this point.

For an email service that only needs your number, it turns out that WhatsApp and other Facebook entities know all the information you have brought to their attention about you.

You may have already noticed that although you block access to your contacts and delete your phone number from the privacy settings on the Facebook application, you still receive friend suggestions from people in your address book or from people you follow on Instagram.

To conclude

To conclude on these new conditions, it could be said that there is not much that is really new for European users who would have already accepted the previous conditions (then prior to the GDPR). For the others the questioning is very legitimate, as acceptance is for the moment still mandatory.

Indeed, until now, and as mentioned in last summer’s privacy policy (July 20, 2020), WhatsApp still gave its users the choice to share or not share their information: “You can choose not to share your WhatsApp account information with Facebook to enhance your experience with Facebook products and ads. Users […] will have an additional 30 days to make this choice by going to Settings > My Account”. In the new terms, this mention has of course disappeared.

I pointed out that acceptance was “for the moment” mandatory, because according to many legal experts specialising in the GDPR regulation, forcing a user to accept strongly endangers the concept of “free consent”.

Will WhatsApp and Facebook maintain this obligation? A question that will be of interest, especially since, according to my analysis of the security policy, the deletion of a WhatsApp account results in the deletion of all your data. This would in turn prevent you from reopening an account with the same number, which is another abusive practice.

Source: https://www.whatsapp.com/legal/updates/privacy-policy-eea (WhatsApp Privacy Policy)

Of course, I don’t want to be paranoid, so everyone is free to check for themselves and make their own interpretation, especially since WhatsApp’s privacy policy justifies the use of data to serve the interests of its users and help them use their services.

What are the alternatives?

If you decide to stop using WhatsApp after you read this, there are alternatives. As I didn’t want to switch to an email service with questionable and unclear terms of use and security policies, I have done some research to provide you with information on both functionalities and privacy. Unfortunately, there are a lot of them, so I focused on the 6 main ones:

Comparative table

Comparison Table Whatsapp Alternatives Privacy Policy vs Ovid_Whatsapp Alternatives Telegram Signal Viber Olvid Threema
Comparison Table Whatsapp Alternatives Privacy Policy vs Ovid_Whatsapp Alternatives Telegram Signal Viber Olvid Threema

Pros and cons analysis

WhatsApp

Whatsapp privacy policy - Pros & Cons
WhatsApp Pros & Cons

Telegram

Whatsapp privacy policy - Telegram Alternative
Telegram Pros & Cons

Signal

Whatsapp privacy policy - Signal Alternative
Signal Pros & Cons

Viber

Whatsapp privacy policy - Viber Alternative
Viber pros & Cons

Olvid

Whatsapp privacy policy - Olvid Alternative
Olvid Pros & Cons

Threema

Whatsapp privacy policy - Threema Alternative
Threema Pros & Cons

Sources & Appendices

Did you know?

Want to read more about the subject?