WhatsApp and the Vacuous Privacy Statement

Since I am studying privacy, I was really curious when I saw an article in the Auburn, Indiana newspaper The Star on August 26, 2016. The title is “WhatsApp is going to share your phone number with Facebook.” It says that WhatsApp will start sharing the phone numbers of its users with Facebook. It also says that WhatsApp is giving users a limited time to opt out of sharing their information with Facebook.

By reading the new WhatsApp privacy policy, it shows that opting out is meaningless. They can do trivial data aggregation and find your number without you, as a user, giving it to them.

The promise is “If you are an existing user, you can choose not to have your WhatsApp account information shared with Facebook to improve your Facebook ads and products experiences.” [1] However, to show how they can get your phone number without you giving it, look at this second statement from “Information You Provide” section: “You provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts.”  [1]

Put this together: they have your contact list. They have the contact list of the friends from your contact list. It’s simple to triangulate that back to your phone number. They know your name, and that name or something similar to it will be in multiple contact lists referencing your number. In addition, they can correlate that with the friend lists on Facebook to tie in your actual Facebook account. They can be confident of that well enough to act on the information.

One cannot know what secondary uses Facebook and its family of companies have for the information, nor what they may do with the information in the future.

They make it explicit that they can do the triangulation by saying “when other users you know use our Services, they may provide your phone number from their mobile address book” [1, Third Party Information] They can also triangulate the numbers of people who do not currently have a WhatsApp account, but that is a separate issue.

They haven’t shared your account information with Facebook, but having the phone number anyway benefits WhatsApp/Facebook. They can use the number as another identifier to connect your Facebook and WhatsApp profile with additional advertisers. The information also allows them to be more targeted in their Facebook advertising processes. Since their targeting process is not transparent, one cannot disprove that they use the information this way.

Looking at this from the point of view of Fair Information Practices, there are several problems here. The issue of preventing the transfer of account information to Facebook doesn’t affect the FIP problems.

  • The user has no notice or awareness of what the uses for the information of them, who receives the information, and what steps are taken to insure confidentiality and integrity of the data.
  • Current users don’t have an (actual) ability to choose whether WhatsApp/Facebook has your phone number. New users have no choice at all.
  • The user can’t view the data and verify it’s accuracy. Once contacts have been retrieved from the contact list, they can’t be removed from their records.
  • They don’t indicate that they keep the data accurate or secure. They don’t indicate any attempt to prevent other entities from getting the information.

The situation is even more troublesome from the perspective of the EU Data Protection Directive. However, the WhatsApp privacy policy acknowledgement that the information may be stored in the U.S. may be enough to short-circuit the directive’s protections.

[1] WhatsApp Legal Info https://www.whatsapp.com/legal/ Retrieved September 28, 2016.


One thought on “WhatsApp and the Vacuous Privacy Statement

  1. Solid analysis, Bill. Your tie to the FIPs is astute–the setup seems to circumvent common privacy principles. Regarding the ability to inspect and review one’s data, as well as to request amendments, I find that this is the most clearly violated principle in most social software terms of service. And because of this situation, that’s why there are a number of active conversations around who owns data participants create/provide when interacting with these technologies.


Comments are closed.