WhatsApp’s Privacy U-Turn – It’s Been Sharing Data With FB for Yrs
WhatsApp’s 2016 privacy update had given users 30 days to opt out of data sharing with Facebook.
In an update announced on 5 January, WhatsApp has given its 2 billion users across the world until 8 February to accept its updated policy or be unable to use the app. In reality, the ability of a user to refuse her data being shared with Facebook hasn’t existed for over four years now.
During its last privacy update in 2016, WhatsApp had given users 30 days to opt-out of some data sharing with Facebook.
Anyone who did not check that box within that brief period, or who joined WhatsApp after July 2016, has been sharing their WhatsApp metadata with Facebook, probably without knowing it.
WhatsApp’s inability to communicate its changes clearly, coupled with its previous U-turn on data sharing with Facebook and an eroded trust in Facebook’s privacy assurances, has triggered widespread concern and confusion among its largest user base of over 350 million Indian users.
To better understand how we got here, how the opt-out option hasn’t really existed for users for over four years now, and Facebook’s volte-face on data sharing by WhatsApp, three related issues need to be explored:
- WhatsApp’s merger with Facebook in 2014, its assurance of no data sharing and its U-turn in 2016.
- Fines imposed on Facebook by the European Commission and their implications.
- Even though chats continue to remain end-to-end encrypted, it is the expansive metadata sharing that needs to be focused on.
WhatsApp-Facebook’s U-Turn on Data Sharing
WhatsApp, in a bid to allay user fears about data sharing between the companies, publicly committed that it would never share data with Facebook and that the two would act as “standalone” products.
It was on the basis of this assurance that the US regulator, the Federal Trade Commission, and the European Commission greenlit the acquisition of WhatsApp by Facebook.
The first major privacy update came in 2016 and with that a U-turn on its 2014 assurance.
“WhatsApp announced that it would start sharing some data with Facebook including phone numbers and last seen activity,” the Internet Freedom Foundation states in its blog, adding “Users were given 30 days to opt-out of sharing data with Facebook for ad targeting purposes but if they failed to exercise that option within 30 days, they would have no choice but to consent to data sharing.”
The 2016 policy contained this provision that has been removed from the 2021 version: “If you are an existing user, you can choose not to have your WhatsApp account information shared with Facebook to improve your Facebook ads and products experiences.”
Any new users who joined after August 2016 would also not have the choice to opt out of sharing data with Facebook. Therefore, the current data sharing practice has been going on for over four years with no opt-out option.
“The promises made by WhatsApp at the time of its acquisition was that it won’t share its data with Facebook. It was one of the main promises of the acquisition. Breach of the data is primarily a competition issue,” said Anivar Aravind, a senior software engineer and public interest technologist.
110 Million Euro Fine in 2016
The regulators were not amused by this U-turn on privacy assurances. The European Commission fined Facebook €110 million for providing “incorrect or misleading information” during the Commission's 2014 investigation of Facebook's acquisition of WhatsApp.
“The Commission must be able to take decisions about mergers' effects on competition in full knowledge of accurate facts,” Commissioner Margrethe Vestager, in charge of competition policy, had said.
The Commission had stated that Facebook, when it notified the acquisition of WhatsApp in 2014, said it would be unable to establish automated matching between Facebook users and WhatsApp users. This, however, turned out to be untrue.
The Commission found that, contrary to Facebook's statements in the 2014 merger review process, the possibility of automatically matching Facebook and WhatsApp users' identities using their phone numbers already existed in 2014, and that Facebook staff were aware of such a possibility.
Aravind points to WhatsApp’s network power, which comes from its massive installed base of over 2 billion users globally, in coercing people with an ultimatum to accept the terms.
“The market has now evolved and there are multiple players but what makes Facebook special is its user base,” he says. “India also has a Competition Commission but India hasn’t looked at this yet as a competition issue. I look at this primarily as a competition issue.”
Chats Encrypted But What About Metadata?
Metadata is data that describes and gives information about other data. It includes information such as IP address, transaction data, which users one chats with, how frequently one chats with a user, and which groups a user is a member of.
While WhatsApp reiterated that its “policy update does not affect the privacy of your messages with friends or family in any way,” lawyers and activists point towards the expansive metadata collection.
“In many cases, metadata by itself can reveal very sensitive information about a person’s life. For instance, consider conversations with sexual and reproductive health services which now provide abortion related counselling via WhatsApp,” IFF states in its blog.
Mishi Choudhary, technology lawyer in New York and New Delhi and online civil rights activist, describes WhatsApp’s assurances about user privacy by pointing towards encrypted chats as a “deflection”.
“While it is important that end-to-end encryption stays and content of the messages is protected, any discussion about that is a deflection,” Choudhary said. “In the name of platform integration and interoperability, Facebook ensures that metadata is collected about all users whether they use its other services or not.”
“WhatsApp is great for protecting the privacy of your message content. But it feels like the privacy of everything else you do is up for grabs,” Johns Hopkins University cryptographer Matthew Green told WIRED in the context of WhatsApp’s latest update.
Speaking with The Quint, Choudhary also points out, “An opt-out choice was provided in 2016 and was regularly mentioned up until the recent update which has disappeared and there is no way to know whether users who had opted out, their choice will be honoured or not.”
The stakes for the WhatsApp user lie in understanding the expansive metadata collection that has grown over the years. This includes granular metadata such as phone battery levels and even signal strength.
WhatsApp has already been sharing an array of metadata with Facebook since 2016. So, what exactly has changed in the latest update?
The biggest change is the fact that Facebook may now have access to messages that users share with businesses on WhatsApp. WhatsApp’s blog, on 12 January, specifies that ‘messaging with businesses is different than messaging with your family or friends’.
According to WhatsApp, this means that whether a user communicates with a business’ WhatsApp account ‘by phone, email, or WhatsApp, it can see what you’re saying and may use that information for its own marketing purposes, which may include advertising on Facebook’.
Experts have spoken about the erosion of trust towards a product that has displayed anti-competitive behaviour and flipped on its assurances.
“For me, Facebook has only one business model, surveillance capitalism... and has never stuck to anything it has promised,” Choudhary said.
“They make changes, there is brouhaha, everyone forgets and they go back to collecting more data. This cycle needs to stop and people need to choose services that stick to data minimization,” she added.