“Use Signal” Examining the Privacy Concerns Surrounding WhatsApp
Tech mega-mogul Elon Musk’s social media influence is undeniable, especially given the recent GameStop debacle. On January 7th he tweeted out the simple phrase, “use Signal". By January 11th, Signal had reached over 1 million downloads per day. The tweet created a perfect storm, as users had already been sceptical about WhatsApp’s recent announcement about the update to its terms of service allowing the sharing of user’s metadata with Facebook, which acquired WhatsApp back in 2014. This announcement urged users to switch to applications like Signal, that do not collect user data. This article will assess the privacy concerns surrounding WhatsApp while discussing the efficacy of applications like Signal in protecting user data.
Misconceptions and end-to-end encryption
Firstly, it is important to dispel some misinformation regarding WhatsApp’s terms of service update. The update does not grant WhatsApp the ability to share the content of users' messages with its Partners. WhatsApp’s messages will continue to use end-to-end encryption which means that an outside party is unable to intercept private user’s messages. End-to-end encryption means that if there is an attempt for message interception, the content will be viewed as fragmented and therefore unreadable. This prevents law enforcement, mobile carriers and all entities that would like to ‘eavesdrop’ on user messages from being able to intercept and read messages. WhatsApp’s use of end-to-end encryption is what led many of its 2 billion users to believe that it is a secure and private platform to use.
However, not all instances of communication on WhatsApp is encrypted; when users choose to back up their chat history on iCloud or Google Drive, they are stored on those respective cloud services without end-to-end encryption according to WhatsApp’s FAQ page. Those messages can then be intercepted. Only if users reject WhatsApp’s request to back up their data, can their messages truly remain end-to-end encrypted.
Changes to Terms of Service (ToS)
The main concern arising from the announcement surrounds the non-encrypted data that WhatsApp collects from users, known as metadata, and how it will now be shared with Facebook and its partners. This metadata list, includes but is not limited to, users’ unique device ID, IP addresses, information regarding usage, physical location, phone numbers, contact information, contact lists and how often one uses the app. Although this metadata may appear to be harmless, it can still be used to expose broader context and patterns of behaviour which may reveal more about the user than the user had intended to share when signing up to WhatsApp.
The ToS update will increase the extent to which this metadata will be shared with Facebook so that Facebook can use an even more expansive range of data for its consumer-targeted advertising. WhatsApp itself released that as part of the Facebook group of companies, "We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customise, support, and market our services and their offerings,". Therefore, simply put, Facebook cannot access what WhatsApp users are discussing, but they will be able to access how long they are discussing it for, who they are discussing it with, and how often.
While users of the internet are no strangers to the mass collection of user data from social networking and communication platforms, what has fueled outrage over WhatsApp’s new policies is that they will not allow consumers to reject the sharing of their metadata to Facebook. Should users want to continue using the app (who after the backlash has shifted their new update to the summer of 2021), they will have to accept these new terms, otherwise, they will no longer be able to use the app. This can be seen as an abuse of WhatsApp's and Facebook’s dominant position in the market as they are forcing consumers to accept these changes in the state of their privacy without any alternative.
Although millions of users have migrated to other apps, according to the latest numbers on Statista (2020), WhatsApp is still the most used messenger service in the UK, with 81% of the total, ahead of Facebook Messenger. Therefore, many users will be coerced into accepting, so as to avoid the fear of social seclusion that may come from avoiding the app. In Turkey, the announcement of the new terms sparked an antitrust investigation into both Facebook and WhatsApp. The FTC in the US has also launched an antitrust investigation surrounding Facebook’s 19-billion-dollar acquisition of WhatsApp. The results of these investigations against the tech giant remain to be seen.
General Data Protection Regulation
Another concern that has been highlighted during the WhatsApp panic was that WhatsApp users provide the phone numbers stored in their mobile phone contact list to WhatsApp. This means that individuals who do not use WhatsApp may, nevertheless, have their mobile phone, name and surname shared with WhatsApp without their consent just because they are the mobile phone contact of a WhatsApp user. The reason WhatsApp asks for users to consent to the uploading of all their phone contacts onto the app is so it can scan through their contacts to determine which have a WhatsApp account so they can be added to your list of contacts on the app.
Under the General Data Protection Regulation (GDPR), the processing of a user’s personal data without consent is considered unlawful. WhatsApp’s code is not open source, so without deep litigation investigations, we can only speculatively address this situation as a possible breach of GDPR. According to WhatsApp’s popup, the contact list is stored and recorded on its servers and then differentiated between WhatsApp and non-WhatsApp users. This type of action could amount to ‘data processing’ under the GDPR.
Moreover, under Art. 4(1) of the GDPR, personal data is enough to make one an identifiable natural person. It is clear that a name, surname and phone number is personal data, but that would depend on whether WhatsApp is actually processing all that information. The data then has to be lawfully processed, (Art 5(1)(a)) subject to exceptions (Art 6) which WhatsApp would not likely meet. There is no (non-WhatsApp) user consent; thus, they are not a party to a contract that needs to be performed on their behalf. The processing is also neither needed to perform legal obligations on the part of the app, nor is it necessary to protect public interest, user’s vital interests or having a legitimate interest in doing so.
Signal vs WhatsApp
Signal has been long celebrated by high-profile privacy icons such as Edward Snowden. It was co-founded and financially backed by Brian Acton, who left Facebook in 2017. It is a free to use messaging app, funded by the non-profit Signal Foundation and, unlike WhatsApp, it has an open-source code. Similarly, to WhatsApp, its messages are also end-to-end encrypted, but Signal provides a much-needed added layer of privacy since it does not store user data nor does it collect users’ IP addresses, while providing users with additional anti-surveillance tools like face-blurring and disappearing messages. Contrasting WhatsApp’s concerning obligatory collection of contact list data, Signal verifies users phone numbers and then lets them independently verify other Signal users’ identity.
The WhatsApp ToS update panic has alerted millions of users to the privacy concerns that they are subjected to when using platforms such as WhatsApp, Facebook and Instagram, contributing to the building scepticism surrounding large online platforms. WhatsApp’s attempts to ‘lock-in’ it’s users to data sharing with Facebook has sparked investigations by privacy watchdogs globally for potential breach of privacy regulations. Although most users may not believe that the kind of information that they will be unknowingly sharing will have any detrimental effects on their privacy, after close examination we at Law Forward have to agree with Elon Musk. For the more private and secure option, use Signal.