Explainer: WhatsApp Privacy Policy Changes #SaveOurPrivacy

Hi everyone,

TL;DR: We put together a simple explainer about what’s going on with the new WhatsApp privacy policy, why it matters, what we’re doing about it, and what you can do about it. If you found this explainer useful, please consider supporting us by becoming an IFF member so we can continue making conversations about data privacy more accessible.

Recently, WhatsApp released an in-app notification forcing users to accept its revised privacy policy by 08 February 2021 or stop using its service entirely. The new privacy policy confirms that Facebook may now have access to messages shared with businesses on WhatsApp and it provides more insight into expansive meta data collection by WhatsApp. The latest changes to WhatsApp’s privacy policy cement the problematic status quo which has existed since the privacy policy was first updated in 2016. The changes to WhatsApp’s privacy policy in 2016 are also the subject of pending litigation before the Supreme Court of India in Karmanya Singh Sareen v. Union of India, where IFF is an intervenor.

Background

WhatsApp is currently witnessing a mass exodus of privacy concerned users after it released an in-app notification forcing users to accept its revised Privacy Policy by 08 February 2021 or stop using its service entirely. However, this is not the first time WhatsApp has changed its Privacy Policy to facilitate sharing of data with its parent company, Facebook. To understand what is happening, we must rewind the clock and take ourselves back to February 2014 when WhatsApp was first acquired by Facebook for USD 22 billion.

When Facebook was considering acquiring WhatsApp, privacy activists read the writing on the wall and warned about potential data sharing between WhatsApp and Facebook. To allay these concerns, executives from WhatsApp publicly committed to never share data with Facebook. Based on these assurances, regulators such as the European Commission and the Federal Trade Commission greenlit the acquisition of WhatsApp by Facebook.

Volte Face in 2016

Fast forward to August 2016, WhatsApp announced that it would start sharing some data with Facebook including phone numbers and last seen activity. At that time, WhatsApp stated that the changes in its privacy policy would allow Facebook to offer better friend suggestions and more relevant ads to its users. Users were given 30 days to opt-out of sharing data with Facebook for ad targeting purposes but if they failed to exercise that option within 30 days, they would have no choice but to consent to data sharing. Any new users who joined after August 2016 would also not have the choice to opt out of sharing data with Facebook.

The regulators who had approved Facebook’s acquisition of WhatsApp based on its commitments about preserving user privacy did not take to this volte face kindly. In 2017, the European Commission fined Facebook 110 million Euros for providing misleading information during the WhatsApp acquisition about its technical inability to link the identities of users across WhatsApp and Facebook. Prior to this in 2016 itself, data protection authorities in Germany and the United Kingdom also directed Facebook to stop collecting data of WhatsApp users.

Legal Proceedings in India

The changes to WhatsApp’s privacy policy in August 2016 became the subject of litigation before the Delhi High Court in Karmanya Singh Sareen & Anr. v. Union of India & Ors. [W.P. (C) No. 7663 of 2016]. In a judgement delivered on 23 September 2016, a Division Bench of the Delhi High Court declined to grant the reliefs sought by the petitioners which included a complete and meaningful opt-out option for users even beyond the initial 30 days. A Special Leave Petition was filed by the petitioners before the Supreme Court challenging the Delhi High Court’s order and IFF is also an intervenor in these proceedings.

During the course of hearings before the Supreme Court in Karmanya Singh Sareen & Anr. v. Union of India & Ors. [S.L.P. (C) No. 804 of 2017], IFF has advanced arguments about the need to preserve privacy of meta data even if the actual content of messages is encrypted. Meta data means data about data and includes information like which users do you chat with, how frequently do you chat with a user, which groups you are a member of etc. In many cases, meta data by itself can reveal very sensitive information about a person’s life. For instance, consider conversations with sexual and reproductive health services which now provide abortion related counselling via WhatsApp.

The case is still pending before the Supreme Court and it was last listed in March 2020 but it did not come up for hearing. You can read more about the history of the case here.

Latest Changes to the Privacy Policy

The latest changes to WhatsApp’s privacy policy cement the problematic status quo which has existed since the privacy policy was first changed in 2016. As TechCrucnch explained back in 2016, Facebook is particularly keen to collect phone numbers of users through WhatsApp because it cannot do so through its own service. An individual can make a Facebook account by just using an email ID but providing one’s phone number is necessary to create a WhatsApp account. Therefore, phone numbers are the final piece of the puzzle in building a 360 degree profile of users, and linking identities across both platforms would certainly enhance Facebook’s ability to influence the behaviour of its users through personalized and targeted advertising. This explanation seems plausible especially in light of Facebook’s unsavoury track record of using phone numbers shared by individuals for security purposes like 2 factor authentication for advertising.

According to a statement by WhatsApp, the main change introduced by the new privacy policy released on 04 January 2021 is clarifying that “going forward businesses can choose to receive secure hosting services from our parent company Facebook to help manage their communications with their customers on WhatsApp.” This means that Facebook may now have access to messages that users share with businesses on WhatsApp. This has been admitted by Facebook and the company claims that it “will not automatically use messages to inform the ads that a user sees” but “businesses will be able to use chats they receive for their own marketing purposes, which may include advertising on Facebook.” Considering Facebook’s past record on privacy, we will let you decide whether these assurances can be trusted.

In addition to this, the new privacy policy also confirms expansive data collection by WhatsApp, which is evident from the following:

  • The new policy provides more details about the usage and log information and device and connection information collected by WhatsApp which demonstrate the highly invasive and granular nature of meta data collection by WhatsApp. For instance, the updated policy clarifies that WhatsApp is also collecting information like battery levels and signal strength.
  • The new policy reveals that even if a user does not use their location-relation features, WhatsApp collects their IP addresses and other information like phone number area codes to estimate general location (city, country).
  • The new policy states that for users of their payment service, WhatsApp will start processing payment account and transaction information which includes information about payment method, shipping details and transaction amount.

What’s the worst part? There is no option to users, except to click on, “I Agree.” If you don’t want to give in, we suggest you consider switching to a more secure platform like Signal and also join us in pushing for enactment of a strong data protection legislation in India.

Important Documents

  1. WhatsApp Privacy Policy dated 04 January 2021 (link)
  2. Previous post regarding Karmanya Singh Sareen v. Union of India (link)
4 Likes