Popular cross-platform instant messaging client WhatsApp is accused of breaking privacy laws because it requires its users to give the service their entire contact list. This was announced recently by the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority, which collaborated to investigate how the California-based app developer WhatsApp Incorporated handles personal information.
This is the first time that two national data protection authorities have teamed up to investigate the privacy practices of a company with well over 200 million users from around the world.
According to Jennifer Stoddart, Privacy Commissioner of Canada, “Our Office is very proud to mark an important world-first along with our Dutch counterparts, especially in light of today’s increasingly online, mobile and borderless world. Our investigation has led to WhatsApp making and committing to make further changes in order to better protect users’ personal information.”
Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, added: “But we are not completely satisfied yet. The investigation revealed that users of WhatsApp – apart from iPhone users who have iOS 6 software – do not have a choice to use the app without granting access to their entire address book. The address book contains phone numbers of both users and non-users. This lack of choice contravenes (Dutch and Canadian) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.”
The key findings of the investigation are as follows:
- In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users. Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically.
- At the time the investigation began, messages sent using WhatsApp’s messenger service were unencrypted, leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks. In September 2012, in partial response to our investigation, WhatsApp introduced encryption to its mobile messaging service.
- Over the course of the investigation, it was found that WhatsApp was generating passwords for message exchanges using device information that can be relatively easily exposed. This created the risk that a third party may send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened its authentication process in the latest version of its app, using a more secure randomly generated key instead of generating passwords from MAC (Media Access Control) or IMEI (International Mobile Station Equipment Identity) numbers (which uniquely identify each device on a network) to generate passwords for device to application message exchanges. Anyone who has downloaded WhatsApp, whether they are active users or not, should update to the latest version to benefit from this security upgrade.
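To illustrate the last finding, here is an added example (not WhatsApp's code and not taken from the regulators' reports) contrasting a credential derived from a device identifier with a randomly generated key. The SHA-256 derivation is a hypothetical stand-in, since the article does not say how the passwords were computed, and the IMEI is a sample value.

```python
import hashlib
import math
import secrets

def luhn_check_digit(body14: str) -> int:
    """Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10

def derived_password(device_id: str) -> str:
    # Hypothetical derivation (SHA-256 stand-in; the article names no function).
    # Deterministic: anyone who learns the identifier can recompute it.
    return hashlib.sha256(device_id.encode("ascii")).hexdigest()

def random_key(nbytes: int = 20) -> str:
    # Credential drawn from the OS CSPRNG; unrelated to any device property.
    return secrets.token_hex(nbytes)

def imei_unknown_bits(model_known: bool) -> float:
    # IMEI layout: 8-digit TAC (identifies the model) + 6-digit serial
    # + 1 Luhn check digit, which is computable and adds no uncertainty.
    return (6 if model_known else 14) * math.log2(10)

def mac_unknown_bits(vendor_known: bool) -> int:
    # 48-bit MAC: 24-bit vendor prefix (OUI) + 24-bit device-specific part.
    # A MAC is also visible to other hosts on the same local network.
    return 24 if vendor_known else 48

def summary() -> dict:
    sample_imei = "490154203237518"  # sample value, not a real user's device
    return {
        "imei_valid": luhn_check_digit(sample_imei[:14]) == int(sample_imei[14]),
        "derived_repeatable": derived_password(sample_imei) == derived_password(sample_imei),
        "random_repeatable": random_key() == random_key(),
        "imei_bits_model_known": round(imei_unknown_bits(True), 1),
        "mac_bits_vendor_known": mac_unknown_bits(True),
        "random_key_bits": 20 * 8,
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The derived credential is only as strong as the identifier is secret, and the hash output length does not change that; the random key has no such dependency.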
Although the two national agencies worked together on the investigation, they produced separate reports under their respective countries' laws. Under the Dutch Privacy Law, WhatsApp could be facing legal sanctions. Canadian law, on the other hand, requires that the offending company work out a solution to the problem, and WhatsApp has indicated that it is willing to cooperate on this matter.
Have you ever used WhatsApp or are you using it right now? You might want to take into consideration this privacy concern.