In a collaborative investigation by Canadian and Dutch data privacy officials, it was determined that app users “do not have a choice to use the app without granting access to their entire address book.”
While privacy officials focused on WhatsApp’s violations, the committee did note that the company had taken steps to implement many of its recommendations in order to comply with the Canadian and Dutch privacy laws that were the basis of the charges. And while some of the privacy issues have been resolved, a statement revealed that there are other outstanding issues that have yet to be fully addressed.
The Office of the Privacy Commissioner of Canada cited examples that it believes show WhatsApp’s lax privacy enforcement:
- In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users. Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form).
- At the time the investigation began, messages sent using WhatsApp’s messenger service were unencrypted, leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks.
- Over the course of the investigation, it was found that WhatsApp was generating passwords for message exchanges using device information that can be relatively easily exposed. This created the risk that a third party may send and receive messages in the name of users without their knowledge.
The investigation has already resulted in some reforms. WhatsApp has introduced encryption in its platform that it says will prevent anybody from intercepting or eavesdropping. What’s more, the company says it has strengthened its authentication process in its latest version — it uses a “more secure randomly generated key instead of generating passwords from Media Access Control (MAC) or International Mobile Station Equipment Identity (IMEI) numbers.”
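The authentication change described above, as an added illustration that is not WhatsApp's code: a credential computed from a device identifier can be rebuilt by anyone who learns that identifier, while a randomly generated key cannot. The SHA-256 derivation, the function names and the sample IMEI are assumptions; the report does not say how the original passwords were computed.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample value, not a real subscriber's device.
# An IMEI is an 8-digit type allocation code (device model), a 6-digit
# serial number and a check digit computed from the other 14 digits.
SAMPLE_IMEI = "490154203237518"


def derived_password(device_id: str) -> str:
    """Weak pattern: the credential is a pure function of a device identifier.

    SHA-256 is an assumption for illustration only.
    """
    return hashlib.sha256(device_id.encode("ascii")).hexdigest()


def random_key(nbytes: int = 32) -> str:
    """Hardened pattern: key drawn from the OS CSPRNG, unrelated to the device."""
    return secrets.token_hex(nbytes)


def recomputable_from(credential: str, device_id: str) -> bool:
    """True if knowing only the device identifier is enough to rebuild the credential."""
    return hmac.compare_digest(credential, derived_password(device_id))


def unknown_bits_imei_known_model() -> float:
    """Secret bits left in an IMEI once the model is known: only the 6-digit serial."""
    return math.log2(10 ** 6)


if __name__ == "__main__":
    weak = derived_password(SAMPLE_IMEI)
    strong = random_key()
    print("derived credential recomputable:", recomputable_from(weak, SAMPLE_IMEI))
    print("random key recomputable:        ", recomputable_from(strong, SAMPLE_IMEI))
    print("IMEI secret bits (model known):  %.1f" % unknown_bits_imei_known_model())
    print("random key bits:                 %d" % (len(strong) * 4))
```

A derived credential also cannot be rotated without changing the device, whereas a random key can be reissued after a suspected compromise.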
Although both countries have conducted a joint investigation, they have issued separate reports, respecting each of their data protection laws. However, both say that they will be monitoring WhatsApp’s progress to ensure that it is fulfilling its commitment towards user privacy.
We’ve reached out to WhatsApp for comment and will update this if we hear back.
This investigation comes at a time when WhatsApp has achieved enormous popularity. Earlier this month, it announced that it has processed 18 billion total messages in a single day, exceeding an August 2012 record of 10 billion messages — this surpasses Apple’s iMessage service, which generated more than 1 billion a day.
Additionally, WhatsApp has partnered with Hong Kong operator Three in its first carrier roaming deal, giving customers unlimited access to the app in Hong Kong and 78 other countries.
Photo credit: MEHDI FEDOUACH/AFP/Getty Images