WhatsApp privacy policy teardown: This is where it ends

WhatsApp privacy policy teardown: This is where it ends

May 07, 2021 / Alex LintonPrivacy

Accepting the new WhatsApp privacy policy by May 15 is mandatory. This is the final nail in the coffin of the world’s most popular ‘private’ messenger. The Facebook-owned platform has often found itself reassuring everyone they can’t read messages sent using WhatsApp. Although there are technically ways Facebook might be able to read WhatsApp messages  — they don’t need to. WhatsApp can learn lots about you using nothing but metadata. That’s why the latest privacy policy changes are so concerning.

WhatsApp’s decision to disable your account if you don’t agree to their upcoming privacy policy changes has gotten a lot of people up in arms, but if you’re wondering what about the WhatsApp privacy policy itself, we’ve got all the details you need.

WhatsApp privacy policy explained

Everything in this article is drawn from WhatsApp’s English privacy policy as published here. WhatsApp maintains it can’t see your private messages, hear your calls, doesn’t store logs for messages or calls, and doesn’t share your contacts or location data with Facebook. 

But WhatsApp is changing their policy for a whole bunch of important things like data processing, integration with businesses, and integration with other Facebook products. 

The term ‘Services’ is often used throughout the policy to describe not only WhatsApp, but also the wider family of Facebook applications and services. The policy itself doesn’t give a specific definition for what it means by Services. We checked out the About Our Services section of WhatsApp’s Terms of Service to get some extra insight into what is covered by Services. Specifically, whether that is limited to WhatsApp as a service, or extends to other Facebook services as well. It has this tidbit:

As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the Facebook Companies as described in WhatsApp’s Privacy Policy, including to provide integrations which enable you to connect your WhatsApp experience with other Facebook Company Products; to ensure security, safety, and integrity across the Facebook Company Products; and to improve your ads and products experience across the Facebook Company Products. Learn more about the Facebook Companies and their terms and policies here.

Excerpt from ‘WhatsApp Terms of Service’ (accessed May 7 2021).

Sharing and receiving information to serve ads and sell products? Doesn’t sound super privacy preserving. But who exactly are these Facebook companies — according to this (Warning: link to Facebook) Facebook help article, it includes all this.

The Facebook Products include Facebook (including the Facebook mobile app and in-app browser), Messenger, Instagram (including apps such as Boomerang), Portal-branded devices, Oculus Products (when using a Facebook account), Facebook Shops, Spark AR Studio, Audience Network, NPE Team apps and any other features, apps, technologies, software, products or services offered by Facebook Inc. or Facebook Ireland Limited under our Data Policy. The Facebook Products also include Facebook Business tools.

Excerpt from ‘What are the Facebook Products‘ on Facebook Help Centre (accessed May 7 2021).

No surprises here: it’s ugly. Okay, so WhatsApp is definitely a part of Facebook’s weird data harvesting cabal — but what information does WhatsApp even have to share? Message contents are end-to-end encrypted after all. Let’s take a closer look at the kind of information WhatsApp has (and can share).

First, there is the information you give WhatsApp directly — things like phone numbers in your contact book, your payment details, and your account information, like your phone number and your name. WhatsApp does have your (encrypted) messages, but they delete them once they’ve been delivered — so only you and the people you talk to actually store messages. But there’s a catch — businesses on WhatsApp are free to store and repurpose messages you send them however they want to. This means targeting ads towards you, creating a profile of you, or anything else they see fit. On the surface, this seems reasonable. But here’s the sneaky part: businesses can elect to use Facebook to store these (unencrypted) messages — meaning Facebook would get access to all your message contents, and be able to do whatever they want with them. 

Some businesses will be able to choose WhatsApp’s parent company, Facebook, to securely store messages and respond to customers. 

Excerpt from ‘Privacy and security for business messages‘ on WhatsApp FAQ (accessed May 7 2021).

They claim Facebook won’t automatically use this information to advertise to you, but that can change at any time. On top of this, the WhatsApp privacy policy allows for information sharing with third-party service providers and businesses.

We work with third-party service providers and other Facebook Companies to help us operate, provide, improve, understand, customize, support, and market our Services.

Excerpt from ‘WhatsApp Privacy Policy‘ (accessed may 7 2021).

In case you don’t remember, misuse of third-party service data and information access by the app ‘This is Your Digital Life’ led to the Cambridge Analytica catastrophe, so this doesn’t inspire a lot of confidence. 

There is also information that WhatsApp collects in the background. This list is LONG. It includes data about your location, the kind of device you’re using, your operating system, battery level, phone signal, what version of the app you’re using, browser information, what mobile network or ISP you’re using, language, time zone, IP address, and identifiers. Identifiers are used to connect your WhatsApp account with other Facebook accounts you might own based on all the information they collect. 

WhatsApp also automatically collects and logs information about your usage habits, like when you are online, how long you spend online, when you message people, and how often you message them. This is more than enough to start profiling you, especially when you consider that it can be shared or cross-referenced with other user information that Facebook has. 

Time to steer clear of WhatsApp

Hardcore privacy enthusiasts stopped recommending WhatsApp a long time ago. In the end, Facebook is a company built around profiting from data, so it’s hard to trust what WhatsApp is doing. 

Of course, end-to-end encryption is an important part of both security and privacy, but don’t let E2EE buzzwords convince you that an app is impenetrable, has no vulnerabilities, or can’t be used to collect information about you. Unfortunately, the equation is much more complicated than that. 

For now — don’t recommend using WhatsApp if privacy is a serious concern of yours. 

Join the movement to keep the internet private!

Chat with like-minded individuals in the Session Community.

Friends don’t let friends use compromised messengers.

Sign up to the mailing list and start taking action!