WhatsApp is making explicit clarifications around its updated privacy policy, after reports ran amok about the messaging app mandating all-encompassing data-sharing with parent company Facebook.
The app’s new privacy policy and terms of service, which will go into effect Feb. 8, say that WhatsApp will share certain data with Facebook, along with other Facebook products. These updates, announced last week, sparked widespread ire from users, who feared WhatsApp would mandate that all data – including private user data – be shared with Facebook, and caused a mass exodus from the app to competing apps, including Telegram and Signal.
This week, in a new privacy policy FAQ posted to its website, WhatsApp aimed to dispel the myth that all data – across the board – would be shared with Facebook. The updated privacy policies, it argued, are instead related to the data collection of WhatsApp users who message businesses on the platform. According to WhatsApp, the policy update changes began rolling out in December.
“As we announced in October, WhatsApp wants to make it easier for people to both make a purchase and get help from a business directly on WhatsApp,” a WhatsApp spokesperson told Threatpost. “While most people use WhatsApp to chat with friends and family, increasingly people are reaching out to businesses as well. To further increase transparency, we updated the privacy policy to describe that going forward businesses can choose to receive secure hosting services from our parent company Facebook to help manage their communications with their customers on WhatsApp. Though of course, it remains up to the user whether or not they want to message with a business on WhatsApp.”
However, WhatsApp stressed that neither WhatsApp – nor Facebook – can see users’ private messages or hear their calls. Similarly, WhatsApp (and Facebook) doesn’t keep logs of who everyone is messaging or calling.
WhatsApp also said in its privacy policy FAQ that it can’t see shared location of users; however, in a more detailed look at its privacy policy (under “Location Information”), the company says: “We collect and use precise location information from your device with your permission when you choose to use location-related features, like when you decide to share your location with your contacts or view locations nearby or locations others have shared with you.”
When asked for clarification by Threatpost, WhatsApp said in its privacy policy that the company asks for user permission to utilize their precise location – but it is important to point out that precise location information is end-to-end encrypted, so the company does not have access to it.
WhatsApp Business Privacy Policy
According to WhatsApp’s privacy policy, the data shared between WhatsApp and Facebook products aims to improve WhatsApp’s infrastructure and delivery systems; help understand how various services are used; and to provide further integrations between various products. As part of the new privacy policy, businesses that operate using WhatsApp as a communication method now have the option to utilize Facebook hosting services, said WhatsApp.
“Whether you communicate with a business by phone, email or WhatsApp, it can see what you’re saying and may use that information for its own marketing purposes, which may include advertising on Facebook,” said WhatsApp.
Another new data-sharing policy makes use of Facebook’s commerce feature, Shops, which lets users buy or sell goods. Businesses can display their goods on WhatsApp using Shops – and if they do so in WhatsApp, users’ shopping activity can be used to personalize ads on Facebook and Instagram.
“Features like this are optional and when you use them we will tell you in the app how your data is being shared with Facebook,” said WhatsApp.
Finally, WhatsApp said that “message” buttons for messaging a business using WhatsApp are shared with Facebook – “Facebook may use the way you interact with these ads to personalize the ads you see on Facebook,” said WhatsApp.
Beyond these newer updates, however, according to WhatsApp’s privacy policy webpage, it’s worth noting that WhatsApp currently shares “certain categories” of data with Facebook Companies. The Facebook Companies lineup includes Facebook Payments, Facebook-owned Israeli mobile web analytics company Onavo, Facebook Technologies LLC and Facebook Technologies Ireland Ltd., and content delivery and social-monitoring platform CrowdTangle.
“The information we share with the other Facebook Companies includes your account registration information (such as your phone number), transaction data, service-related information, information on how you interact with others (including businesses) when using our Services, mobile device information, your IP address, and may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent,” according to WhatsApp.
Regardless of WhatsApp’s clarifications, the public reaction to WhatsApp’s change in data-privacy policies is likely due to the mistrust people have of Facebook and its rocky track record when it comes to privacy, Hank Schless, senior manager of Security Solutions at Lookout, told Threatpost.
“WhatsApp is doing the right thing by explaining the policy changes in plain language and acknowledging the importance of transparent data sharing and app permission policy,” Schless told Threatpost. “It’s going to be a challenge for WhatsApp to win users back who have already made the decision to move to other messaging apps, but their transparency is the right first step.”
WhatsApp Privacy Policy
Beyond its data-sharing with other companies, WhatsApp’s privacy policy on its website breaks down the data that is automatically collected by the company.
These include the shared location information mentioned above. “Even if you do not use our location-related features, we use IP addresses and other information like phone number area codes to estimate your general location (e.g., city and country),” according to WhatsApp. “We also use your location information for diagnostics and troubleshooting purposes.”
WhatsApp also collects data about user activity on its services – including diagnostic and performance information. This includes the features that users utilize, including messaging, calling, status, groups (including group name, group picture and group description), payments or business features.
“This includes information about your activity (including how you use our services, your services settings, how you interact with others using our services (including when you interact with a business), and the time, frequency and duration of your activities and interactions), log files, and diagnostic, crash, website, and performance logs and reports,” according to WhatsApp.
The app also uses cookies, as well as device and connection-specific information (including hardware model, operating system information, battery level, signal strength, app version, browser information and mobile network).
Above all, “this incident shows that data privacy is now top-of-mind for the general public,” said Schless. “It also illustrates the importance of understanding how mobile apps collect and use your data. Looking forward in 2021, increased awareness around data privacy will drive changes in how consumers and organizations alike think about data sharing within mobile apps.”