Business Today 15 Jan 2021

BT Buzz: Why WhatsApp’s clarification on privacy policy is misleading 

by Sonal Khetarpal

Instant messaging app WhatsApp recently announced the updating of its privacy policy terms from February 8, 2021. After this date, users will have no choice but to accept these terms to use the app.

This has led to a backlash with many users migrating to alternate platforms. A survey by LocalCircles finds that WhatsApp is likely to see 15% of users in India move away, while 36% will reduce usage drastically.

To clear its stand, the Facebook-owned messaging app has released a clarification explaining that the policy update doesn’t compromise the privacy of messages with friends and family. It also says that the update includes changes related to business accounts on WhatsApp which too are optional for users.

Experts feel the statements made by WhatsApp are misleading. Tripti Jain, a lawyer, researcher at Internet Democracy Project says, “This clarification/FAQ by WhatsApp aims to re-instil trust in people that they have lost because of the new privacy policy, however, it has proven to be counterproductive. In fact, what should be noticed is that the clarification briefs only about things WhatsApp cannot do. It fails to delineate what WhatsApp can do with personal data of individuals and how it does.”

“Technically the statement may be correct but it’s cleverly worded,” says Aniruddh Nigam, Research Fellow at Vidhi Centre for Legal Policy. Nigam explains that their privacy policy still states that all the data under the “Information we collect” section may be shared with other Facebook companies, which includes other kinds of metadata like frequency and duration of activity, group names, battery level, location identifiers (which might technically be different from ‘shared location’) and the numerous other information listed therein. A lot more details have been added here from before, he says. (See image above from WhatsApp privacy policy)

Nigam says, “While it is not reading actual messages per se but in its privacy policy WhatsApp has now confirmed that it collects a lot of metadata which is fairly invasive and would allow WhatsApp and the Facebook ecosystem apps to make precise inference about one’s activities: such as it collects information about the time and frequency of interactions on WhatsApp. It’s collecting the group names when you’re a part of some groups.”

The reason is Facebook’s business model. “Facebook has only one business model surveillance fueled Ad-sales, although this change in the policy keeps end to end encryption sacrosanct, that is, nobody can still read the content of the messages on WhatsApp including Facebook but from now on in the name of interoperability far more metadata will be shared between Facebook and WhatsApp,” says technology lawyer Mishi Choudhary, legal director at SFLC New York (Software Freedom Law Centre).

In the third quarter 2020, Facebook’s revenue was $21.47 billion, almost all of which came from ads, and there are none in WhatsApp. “The rationale is that Facebook group wants to serve more targeted ads to people on Facebook, Instagram by knowing more about their usage habits on WhatsApp and enable payments in WhatsApp for items that were clicked through Instagram ads.,” she says.

She adds that this has been forced by Apple’s labeling policy for all apps in App store. “Facebook was recently forced by Apple to provide a privacy “nutritional label” on its iOS app which told us about 100 different pieces of data that may be collected, many of which are directly linked to user profiles, including health and fitness data, “sensitive info” and search histories.”

Nigam says while it may not share ‘contacts’ of a person, WhatsApp will be sharing a lot more information with other Facebook companies (includes Facebook and Instagram). “While WhatsApp has been sharing data with Facebook earlier, now the exact scope of the data being shared has been confirmed, he says. (See image above from Privacy Policy)

“The likely result of that is Facebook and Instagram will be able to use data about how people use WhatsApp to target ads/ services to them and made inferences about their behaviour. And, in some sense, what this is doing is integrating WhatsApp even deeper within the Facebook and Instagram ecosystem,” says Nigam.

“It is important to understand that Facebook as a company is built around the business model of advertising, specifically of targeting ads and has clearly declared its intention to control the entire journey of a customer and the brand: the customer sees the ad on Facebook and Instagram and pays on WhatsApp. Its new payment gateway WhatsApp Pay will strengthen its position in retail and commerce, on both the advertising front and also the payment front. Earlier, WhatsApp’s Chief Operating Officer Matt Idema himself had said that, “Instagram and Facebook are the storefront. WhatsApp is the cash register.”

It is also interesting to note WhatsApp has a different policy for European and non-European users where EU citizens are better protected than their Indian counterparts. “A comparison of these two policies has revealed that for non-European regions, this data might be used for the Facebook Companies’ own purposes, most likely to improve its targeting of ads, which is specifically prohibited in the European policy,” says Nigam.

The lack of our data protection bill in India contributes to this as well. “If we did have strong data protection regulations, there are aspects of this move that might have been moderated or mitigated. The new privacy policy is sort of exploiting that regulatory arbitrage,” says Nigam. In 2017, European Union antitrust regulators had fined Facebook 110 million euros for misleading the regulators regarding information about acquisition and data sharing with WhatsApp.

CLAIM - WhatsApp cannot see your shared location and neither can Facebook

Tripti Jain of Internet Democracy Project says, “When you share your location with someone on WhatsApp, it is sent as an encrypted message and hence is not shared. In that sense, this claim may be correct, however WhatsApp collects your location data at various instances; when the location service is turned on the phone, WhatsApp is taking your IP address and your location. For certain services it is also using your location even when the location feature is turned off. This part is missing from their explanation.”

CLAIM - You can download your data

Tripti Jain says, “When I download my WhatsApp data, all I can see is what data does WhatsApp have about me but it is not enough. A user should also know what WhatsApp has been doing with my data, whether that they have shared it with other apps or not, but the current feature fails to provide that.”

She explains, “By offering users to download what data WhatsApp has about users, WhatsApp aims to make users believe that they have user rights and autonomy over their data that has been shared with WhatsApp. However, if one reads the fine print, all that users can download and see is what data is with WhatsApp, this is incomplete information.”

To enable user autonomy and control, a user should be able to learn what data does WhatsApp has, has it been shared further, if yes with whom, and for what purpose, how long will that data be stored among other things. “Unless, this ability is provided, this feature that allows users to download their data is nothing but merely an illusive practice in the name of privacy,” she says.

Choudhary of SFLC New York says it seems WhatsApp and Facebook are leveraging their dominant position and imposing a fairly serious bargain on its users without giving them a choice. “When WhatsApp launched a major update to its privacy policy in August 2016, it started sharing user information and metadata with Facebook. At that time, the messaging service offered its billion existing users 30 days to opt out of at least some of the sharing, if you chose to opt out at the time. Now with the change in policy there is no option to opt-out, a choice that was available in earlier versions.”

So, is the brouhaha over moving to alternative apps like Signal legitimate? “Absolutely! Anyone who cares even a little bit about their privacy should abandon all Facebook products,” she says.

Originally published in Business Today.