Author: Gary Hibberd

Date: 12th January 2021


If you’re not in Cybersecurity, or the Data Protection industry, then you may have missed something quite interesting that happened in the last seven days that got these industries’ respective knickers in a bit of a twist!


WhatsApp people?!

This week, millions of people logged on to their WhatsApp app to be faced with a new privacy policy that they had to accept. Users didn’t have to accept it there-and-then, but ultimately they will have to accept it if they wish to continue to use the platform. Although the platform claims that Privacy is not affected, the truth of the matter is a little more nuanced than ‘Your messages are private’.

It caused such a stir that they had to take to Twitter to defend their position, stating:

“We want to be clear that the policy update does not affect the Privacy of your messages with friends or family in any way. Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data,”

Now, I often debate security professionals about Privacy and Security and how I believe they are fundamentally different. You can have a ‘Secure’ system, but does that mean your data is Private? I don’t believe so, and I believe WhatsApp just helped to prove my point.


End-to-End security (but not Privacy)

WhatsApp itself has stated that your messages are secure, and they are quick to tell you they can’t access your messages. But although they tell you what they can’t see, they’re not very open (transparent?) about what they can see. For example, they can see the images and attachments you send and the links you share. They know who is in your contact lists, who you’re communicating with, how long, how often, and where you’re located (but don’t worry… they can’t read your messages(!)).

When it comes to your location data, they state that they “collect and use precise location information from your device with your permission when you choose to use location-related features.” And they go on to say that “even if you do not use our location-related features, we use IP addresses and other information like phone number area codes to estimate your general location.”

Now I don’t know about you, but if someone in the physical world said they would like to know where my precise location was, I would want to know why and have a clear understanding of what they’re going to do with that information.

But of course, we do know what they’re going to do with it. They’re going to share it with ‘third-parties’, and others… like their parent company.

“WhatsApp currently shares certain categories of information with Facebook Companies. The information we share with the other Facebook Companies includes your account registration information (such as your phone number), transaction data, service-related information, information on how you interact with others (including businesses) when using our Services, mobile device information, your IP address, and may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent.”



Before we begin, it’s worth knowing two things: the first is that WhatsApp is owned by Facebook. The second is that back in 2004, Facebook was nothing more than a dream and idea by its founder Mark Zuckerberg. But in a conversation with a fellow college student he reportedly said the following:

Zuck: Yeah so if you ever need info about anyone at Harvard. Just ask. I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend’s Name]: What? How’d you manage that one?

Zuck: People just submitted it. I don’t know why. They “trust me”. Dumb f***s.

In 2010 he went on record to state that Privacy is “No longer a social norm”. He believes that due to the increased use of social networking, people no longer expect Privacy. He believes because many people are willing to share pictures of their children, pets, dinners and workouts that we have ALL given up on the concept of Privacy.

By agreeing to the new WhatsApp privacy policy, you agree to have your data automatically shared with Facebook and other third-party providers.


What’s the issue?

The issue is that when these apps are downloaded, rarely if ever do people read the Terms and Conditions (T&Cs) of use. Even if you did try and read them, quite often they’re so complex or vague that they would take a herculean effort to understand what is being agreed to, or not.

This is hardly in the spirit of being open and transparent, something we know that many social networking sites have a problem with. But this is their business model: we are the product.

Unless you’re a business owner, and you’re paying for ads, the likelihood is that you’ll never receive a bill from Facebook, Instagram (also owned by Facebook), Twitter, LinkedIn, TikTok, WhatsApp, etc. And while all of our data is being sold off, it is actually the ability to know who we are, what we’re thinking, and how we behave which is of greatest value. This is where we saw issues related to Cambridge Analytica and Facebook back in 2017.


Privates on parade

Perhaps Zuckerberg is right; Perhaps Privacy is no longer a social norm. Certainly, when I speak to people about the use of social media, many dismiss any concerns with a sweep of their hand, stating “Oh yeah. I know. But it’s not like I’ve got anything to hide.”

On the odd occasion they state this, I’ll ask them the following questions:

  • How much do you get paid, and what’s in your bank account right now?
  • When was the last time you visited a pornography site?
  • Can I take a look at your call logs?

Of course, these questions may be seen as intrusive, or not, dependent upon your views on Privacy. But most people would have some ‘gut reaction’ to at least one of these questions. If you have, then clearly, Privacy is a concern.



In the new T&Cs presented by WhatsApp, they state that they “may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings.”

Notice the wording, and note that when they say they will use the information to ‘market our services and offerings’, they’re talking about using your data. They’re talking about your employees. They’re talking about your children, and your loved ones.

Of course, if you want to keep on using WhatsApp, I’m sure everything will be fine, and your data is being kept securely… even if it’s not being kept privately.

Postscript: Each time I ran the grammar tool across this blog, it complained that two sections were “Hard to read”. Both sections are direct quotes from the WhatsApp T&Cs. Makes you think, doesn’t it?
