WhatsApp breached data privacy laws by storing non-user contact details

WhatsApp has been found guilty of breaching international privacy laws because it forces customers (bar those using iOS 6) to grant it access to their entire address book. It indiscriminately retains all that information, meaning millions of non-consenting, non-users have had their data given up over the years.

The announcement was made by the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority, which both maintain that WhatsApp directly breached their privacy laws. However, the joint investigation took place in 2012, giving the company time to make some adjustments before the public ever found out: it has encrypted messages (from September 2012), strengthened its authentication process and also plans to develop manual addition of contacts. There are, however, still "outstanding issues" that the authorities intend to follow up on, despite the instant messaging provider claiming that non-users' numbers are encrypted and that it does not store the corresponding names and emails.

WhatsApp has been dogged by security flaws since its launch, with one hacker releasing a Windows tool in early 2012 to show how easy it was to change user statuses. This latest finding, which draws even non-users into a data privacy dispute, has somewhat irked the authorities, since international law clearly states that data should only be kept "for so long as it is required for the fulfilment of an identification purpose". "This lack of choice contravenes privacy law," said Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, in a statement. "Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp."

It flags up an issue Facebook, Google and others are currently having to deal with: user consent, or the lack thereof. "This case puts the spotlight on a key issue within privacy law: can the use of a service be made conditional on access being given to personal data?" Stewart Room, a partner at Field Fisher Waterhouse specialising in privacy law, told Wired.co.uk. "On my reading of the law, the EU data protection regime does recognise the legitimacy of making service use conditional in this way, but the law will expect sufficient mechanisms to be put in place to draw the user's attention to the data access before the service commences. In other words, people need to know what they are signing up for in advance."

It has taken the Dutch and Canadian authorities a good few years, and plenty of warnings from the public over the app's security issues, to carry out their investigation and apply some pressure on the US-based company. So what are other, less high-profile apps getting away with? "I suspect that these breaches are much more common than we think, with many businesses not paying due attention to their data collection practices when developing or deploying their services," Daniel Cooper, head of global privacy and data security at Covington and Burling, told Wired.co.uk. "Many companies simply collect data, despite having no clear business need for it, on the basis that it may be useful in the future [WhatsApp says it keeps the data on file to populate its own contact list]. This situation has not been helped by the relatively limited amount of regulatory enforcement that has occurred to date."

So we will probably see more cases like this arise as attention is drawn to the issue.

With that in mind, Stewart says: "I would encourage all app developers to look at how they bring key privacy issues to the attention of users during signing-up... I expect that where there are problems these are more often the result of a lack of focus or clarity of thought, rather than a deliberate attempt to have people over. I do expect that many app developers are in a similar position to WhatsApp."

This article was originally published by WIRED UK