On August 25, WhatsApp published a blog post detailing its new terms of use. Posts like this rarely generate buzz, but this one covered end-to-end encryption, the company’s exploration of business, and connecting your phone number with Facebook’s systems.
Hang on. Connecting with Facebook? Let’s read that bit again:
“But by coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook’s systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of. You can learn more, including how to control the use of your data, here.”
Shortly after reading that, my colleague Serge penned a blog post about how existing users could opt out of the new terms and conditions. New users, however, will not have that option.
Since we're talking #Allo and #privacy shortcomings, time is ticking for you to opt out of Whatsapp data sharing https://t.co/KCt4qlGvlw pic.twitter.com/Un3NXVW95W
— Kaspersky (@kaspersky) September 22, 2016
It did not take long for US privacy groups to broadcast their disdain and concern. The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) filed a complaint on August 29 and called for an investigation from the Federal Trade Commission (FTC).
In a discussion with Mike Mimoso from Threatpost, EPIC’s Consumer Protection Counsel Claire T. Gartland noted:
“EPIC will be keeping the pressure on the Commission to act, since this is such a clear violation of their numerous statements on the issue. If and when the FTC acts, they have the power to stop the proposed changes from going forward and/or enter into a settlement agreement with the companies — similar to the 2012 consent order with Facebook.”
In the weeks leading up to the policy ratification date of September 25, the chatter surrounding WhatsApp’s new terms seemed to die down. However, in the past week, governing bodies in both India and Germany have stepped up against Facebook and WhatsApp.
In India, a chief justice of the Delhi High Court issued an order to WhatsApp to delete the data collected from users opting out of the company’s new Terms and Conditions prior to September 25. The court added a request that WhatsApp also not share the pre-September 25 data of customers who did not opt out of the new changes.
Echoing the privacy concerns in India, the German data protection agency has ordered WhatsApp to stop collecting data from its users in Germany and to delete any information already collected.
#Germany orders @facebook to stop collecting data on @WhatsApp Users: https://t.co/Ohe3tQcrMQ #Privacy #mobile #regulation via @threatpost pic.twitter.com/saJBsZnJwx
— Kaspersky (@kaspersky) September 28, 2016
“It has to be the 35 million WhatsApp users in Germany’s decision whether they want to connect their account with Facebook,” said Johannes Caspar, the data protection commissioner for Hamburg. “Facebook has to ask for their permission in advance. This has not happened.”
A spokesman from Facebook noted that the social media juggernaut will appeal the decision: “Facebook complies with EU data protection law. We will appeal this order and will work with the Hamburg DPA in an effort to address their questions and resolve any concerns.”
The question now is whether other countries will follow the path of Germany and India. Reports from the BBC and Telegraph indicate that governing bodies in the United States and the European Union may investigate the changes, and the UK is looking into it. In the UK, Information Commissioner Elizabeth Denham noted at the time of the change in T&C:
“Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed.
“We’ve been informed of the changes. Organizations do not need to get prior approval from the ICO to change their approaches, but they do need to stay within data protection laws. We are looking into this.”
This story will more than likely evolve in various ways around the globe in the coming weeks. Stay tuned to both Kaspersky Daily and Threatpost for updates.