May 07, 2021 / Alex LintonPrivacy
But WhatsApp is changing their policy for a whole bunch of important things like data processing, integration with businesses, and integration with other Facebook products.
The term ‘Services’ is often used throughout the policy to describe not only WhatsApp, but also the wider family of Facebook applications and services. The policy itself doesn’t give a specific definition for what it means by Services. We checked out the About Our Services section of WhatsApp’s Terms of Service to get some extra insight into what is covered by Services. Specifically, whether that is limited to WhatsApp as a service, or extends to other Facebook services as well. It has this tidbit:
Excerpt from ‘WhatsApp Terms of Service’ (accessed May 7 2021).
Sharing and receiving information to serve ads and sell products? Doesn’t sound super privacy preserving. But who exactly are these Facebook companies — according to this (Warning: link to Facebook) Facebook help article, it includes all this.
The Facebook Products include Facebook (including the Facebook mobile app and in-app browser), Messenger, Instagram (including apps such as Boomerang), Portal-branded devices, Oculus Products (when using a Facebook account), Facebook Shops, Spark AR Studio, Audience Network, NPE Team apps and any other features, apps, technologies, software, products or services offered by Facebook Inc. or Facebook Ireland Limited under our Data Policy. The Facebook Products also include Facebook Business tools.
Excerpt from ‘What are the Facebook Products‘ on Facebook Help Centre (accessed May 7 2021).
No surprises here: it’s ugly. Okay, so WhatsApp is definitely a part of Facebook’s weird data harvesting cabal — but what information does WhatsApp even have to share? Message contents are end-to-end encrypted after all. Let’s take a closer look at the kind of information WhatsApp has (and can share).
First, there is the information you give WhatsApp directly — things like phone numbers in your contact book, your payment details, and your account information, like your phone number and your name. WhatsApp does have your (encrypted) messages, but they delete them once they’ve been delivered — so only you and the people you talk to actually store messages. But there’s a catch — businesses on WhatsApp are free to store and repurpose messages you send them however they want to. This means targeting ads towards you, creating a profile of you, or anything else they see fit. On the surface, this seems reasonable. But here’s the sneaky part: businesses can elect to use Facebook to store these (unencrypted) messages — meaning Facebook would get access to all your message contents, and be able to do whatever they want with them.
Some businesses will be able to choose WhatsApp’s parent company, Facebook, to securely store messages and respond to customers.
Excerpt from ‘Privacy and security for business messages‘ on WhatsApp FAQ (accessed May 7 2021).
We work with third-party service providers and other Facebook Companies to help us operate, provide, improve, understand, customize, support, and market our Services.
In case you don’t remember, misuse of third-party service data and information access by the app ‘This is Your Digital Life’ led to the Cambridge Analytica catastrophe, so this doesn’t inspire a lot of confidence.
There is also information that WhatsApp collects in the background. This list is LONG. It includes data about your location, the kind of device you’re using, your operating system, battery level, phone signal, what version of the app you’re using, browser information, what mobile network or ISP you’re using, language, time zone, IP address, and identifiers. Identifiers are used to connect your WhatsApp account with other Facebook accounts you might own based on all the information they collect.
WhatsApp also automatically collects and logs information about your usage habits, like when you are online, how long you spend online, when you message people, and how often you message them. This is more than enough to start profiling you, especially when you consider that it can be shared or cross-referenced with other user information that Facebook has.
Time to steer clear of WhatsApp
Hardcore privacy enthusiasts stopped recommending WhatsApp a long time ago. In the end, Facebook is a company built around profiting from data, so it’s hard to trust what WhatsApp is doing.
Of course, end-to-end encryption is an important part of both security and privacy, but don’t let E2EE buzzwords convince you that an app is impenetrable, has no vulnerabilities, or can’t be used to collect information about you. Unfortunately, the equation is much more complicated than that.
For now — don’t recommend using WhatsApp if privacy is a serious concern of yours.
Session Release Roundup #16: Trio of Changes
October 18, 2022 / Kee Jefferys
Update: Important Changes to Session
October 05, 2022 / Alex Linton
Upgrading open groups: Bringing back DMs from open groups
September 12, 2022 / Kee Jefferys
Target acquired: The increasing threat of targeted cyber-attacks
September 11, 2022 / Alex Linton
Session Release Roundup #15: 👍😈🔥
September 05, 2022 / Harris
Sim Swapping attacks: How to protect yourself from this common phone scam
September 05, 2022 / Wesley Sukh