January 17, 2021
The Ugly Truth Behind WhatsApp's Data Privacy

Sasank and Prabir Purkayastha

WHATSAPP, a company owned by Facebook since 2014, has issued a new privacy policy changing its data-sharing rules, which will come into effect by February 8, 2021. In this new policy, WhatsApp has declared that it will share data with Facebook, its parent company, about users' chats, connections, location and device information, transactions and payments. It will also share data of our interactions with other businesses that use Facebook as a platform. The public outcry over the new privacy policy has prompted an exodus to much safer alternatives like Signal. The weekly downloads of Signal and Telegram, another popular messaging app, has increased by millions, coupled with a significant drop in WhatsApp's new downloads.

WhatsApp started sharing its user data with Facebook since 2016, violating the assurance it had given its users in 2014 when Face-book acquired the messaging platform. In 2016, it changed its policies of not sharing its users' data with Facebook and gave its then-existing users a very narrow 30-day to opt-out.

Since then, anybody joining WhatsApp has to read its 8,000-word user agreement and find the clause on sharing their data, and then opt-out of sharing their data with Facebook. As is well-known, virtually nobody goes through this tortuous exercise. The overwhelming number of its users have their data shared with Facebook. However, there was at least a provision for users to opt-out. The proposed policy obliterates even this choice. Brian Acton, a co-founder of WhatsApp, left Facebook following the 2016 change of policy and the violation of Facebook's assurances to WhatsApp users. He founded the Signal Foundation, a non-profit, to create the Signal app. Signal is now emerging as an alternate to WhatsApp on encrypted messenger services.

In India, Facebook has secured clearance for its payment app—WhatsApp UPI—in November last year. It was soon after Facebook pumped 5.7 billion dollars(US) in Reliance Jio platform. The Indian regulator—NPCI (National Payments Corporation of India)—had asked that WhatsApp data be kept separate from Facebook. It does not appear from its App store declaration that Facebook followed this regulatory requirement and its new policy of sharing data with Facebook is an explicit violation of the NPCI's direction.

Interestingly enough, under pressure from the EU and UK regula-tors, WhatsApp data is not shared with Facebook, a provision which Facebook says it will still follow. For the rest including the US, it is data enclosure on a massive scale. And as we know, data is the lifeblood of the digital economy.

Spooked with the mass exodus from WhatsApp, Facebook is in damage control mode. It has assured its users that WhatsApp en-crypted message content will not be read or shared with Facebook or other businesses. In an attempt to stem the tide of WhatsApp departures, WhatsApp has taken the costly route of taking out full-page advertisements in major newspapers in the country. It is reminiscent of its failed attempt to sway the people with misleading information at the time of Free Basics. What it forgets to mention is what it does with the whole host of data apart from the content of its messages. This data, as its app policy indicates, is shared with others including its parent company, Facebook.

Before we check its other claims, let us see how WhatsApp de-scribes its sharing of data policies in the Apple App Store.

In other words, WhatsApp has officially declared that it collects your personal data, and as per its new privacy policy, will be shared not only with Facebook but also with other businesses that use the Facebook-WhatsApp platform.

What are the claims that Facebook has made and what is the real-ity?

1.WhatsApp cannot see your private messages, therefore it cannot share them with Facebook or any other third-party: WhatsApp claims that as the content of the messages is end-to-end encrypted, only the sender and receiver can see them. Then the grand fudge: they collect information used to 'personalise features', 'show relevant offers and ads', 'make suggestions' etc. So, they use a range of meta-data as declared in their App Store declaration. Meta-Data is as crucial as the real data because it monitors our behaviour on the platform and violates our privacy.

2. WhatsApp cannot see your shared location: This is another bla-tant lie. Even if you do not give WhatsApp the location permission, it will estimate your geographical location by using an IP Address and then share it with Facebook.

3. WhatsApp does not share your contacts: According to WhatsApp, the contacts' phone number and your phone number are stored in the form of a 'cryptographic hash'. In theory, it means that they are not stored in the raw form but in a format that makes it difficult to identify the phone number. However, this is a duplicitous declaration because your phone number is part of your account information which is stored by WhatsApp and shared with Facebook. So, even if the phone numbers of your contacts are stored in hashed form, WhatsApp can still identify the person, as their account information isn't encrypted. Moreover, Facebook, Instagram, WhatsApp accounts running on the same device are linked as soon as you install those apps on your phone.

4. WhatsApp groups remain private: This claim rests on the proposition that phone number and any associated information used to identify individuals is stored only in the form of a cryptographic hash. We have seen that this is not the case and that personally identifiable information is being shared with Facebook. We have recently seen that the group invitation links were used to extract group membership information and made accessible to search engines.

5. Sharing data of ourBusiness interactions: WhatsApp claims that only the interactions with business accounts will be affected by the new privacy policy. This confirms that not only will WhatsApp collects and stores information about our interactions with these business accounts but it will also share them with Facebook. Even sharing an article to somebody by clicking a WhatsApp share button on a news site is counted as interaction. It separates 'chats with friends and family' and 'chats with businesses' and deems the former to be 'private' and the latter not. This betrays the thinking of Facebook, it considers all your data to be fair game for surveillance and making money.

The Supreme Court of India has affirmed privacy as a fundamental right of all the citizens of India. Unfortunately, a new data protection Act that will enable this fundamental right is yet to be framed by the Modi government. It is worth reiterating that even the interaction we have with any business is just between the two parties and unwarranted access to such information is a violation of privacy.

By monitoring our interactions with business accounts, WhatsApp aims to collect not just our chats but all the related information about our activity on various third-party apps/sites. For example, if a ticket booking site sends you confirmation about a movie, or if you buy something from an e-commerce app which sends you an invoice, it will be collected by WhatsApp. All this data will also be shared with Facebook and then be used to show you related ads when you’re on WhatsApp or Facebook. WhatsApp will be the sole entity in deciding which businesses are permitted to show ads. In doing so, WhatsApp will be able to force these businesses into sharing our data with Facebook and enable Facebook to capture even more data about us.

Facebook's acquisitions—Instagram, WhatsApp—has built a social media monopoly. It had done this by exploiting the data of individuals and communities for profit. Its growth is directly proportional to the systematic erosion of the privacy of its user base. Linking WhatsApp data with Facebook for no apparent reason than monitoring our social media behaviour and controlling it, would further strengthen this monopoly. It will also allow Facebook to exploit our data for micro-targeting. Weakening users' privacy is the major ground of the anti-monopoly lawsuits filed by the Federal Trade Commission and 46 state governments against Facebook.

We have also seen significant data leaks from Facebook (Cambridge Analytica) and WhatsApp (Pegasus) individually. Linking all the users' data only increases the risk of these leaks even more so. This data sharing between WhatsApp, Facebook and other businesses only increases the threat manifold. Once linked, it will set in an irreversible process and there would be no way to decouple the data.

By using peoples' profiles, interests and conversations to categorise them into micro-targeted groups and then suggesting groups and ads for behavioural modification, Facebook is already subverting our democratic process. Along with the US elections, Brexit campaign, Facebook data has been used to disrupt elections in India too. If WhatsApp data is coupled with the existing data that Facebook has, it would create an even bigger threat to our sovereignty and national security.