Get Status

WhatsApp & Facebook are taking your privacy

WhatsApp & Facebook are taking your privacy

Ditch WhatsApp, protect the privacy of your friends and family. Use a real private messenger.

Whatsapp needs little introduction, it's a data harvesting company that extracts personal information via widespread application of social incentives on behalf of its owner, Facebook. It's also allegedly a messaging and VoIP app.

Whatsapp has, for the last several months, been the subject of some contentious discussion for proposed changes to its Privacy Policywell, not really that contentious, pretty much everyone is in agreement that WhatsApp messed up.

The opening statement of WhatsApp's old privacy policy:

Respect for your privacy is coded into our DNA. Since we started WhatsApp, we’ve aspired to build our Services with a set of strong privacy principles in mind.

has been removed entirely in the new version. Sentiment isn't worth much in documents like this, when a sentence or two can jeopardize the privacy of billions of users, but this change might be foreshadowing. A bit.

Briefing

Whatsapp recently updated their privacy policy (archive link). Even if this was one of the boring updates, WhatsApp handles the data of more than 1 out of every 4 humans, so any changes in the data collected or what is done with it have widespread consequences.[1][2]

This was not one of the boring updates.

Tl;dr The Our Global Operations section of WhatsApp's new privacy policy includes language suggesting WhatsApp shares user info with Facebook (and the "Facebook Companies").

The previous version of their privacy policy can be found here (archive link). A complete diff is included in the endnotes.

Here's the exact differences:

2019/12/19
Current
You agree to our information practices, including the collection, use, processing, and sharing of your information as described in this Privacy Policy, as well as the transfer and processing of your information to the United States and other countries globally where we have or use facilities, service providers, or partners, regardless of where you use our Services. You acknowledge that the laws, regulations, and standards of the country in which your information is stored or processed may be different from those of your own country.WhatsApp shares information globally, both internally within the Facebook Companies and externally with our partners and service providers, and with those with whom you communicate around the world, in accordance with this Privacy Policy. Your information may, for example, be transferred or transmitted to, or stored and processed in, the United States; countries or territories where the Facebook Companies’ affiliates and partners, or our service providers are located; or any other country or territory globally where our Services are provided outside of where you live for the purposes as described in this Privacy Policy. WhatsApp uses Facebook’s global infrastructure and data centers, including in the United States. These transfers are necessary to provide the global Services set forth in our Terms. Please keep in mind that the countries or territories to which your information is transferred may have different privacy laws and protections than what you have in your home country or territory.

(emphasis added)

This is unambiguous: WhatsApp is going to share user data with Facebook. Some more troubling details are found in the new version's Automatically Collected Information section:

Usage And Log Information. [...] This includes information about your activity (including how you use our Services, your Services settings, how you interact with others using our Services (including when you interact with a business), and the time, frequency, and duration of your activities and interactions), log files, and diagnostic, crash, website, and performance logs and reports. [...]

Device And Connection Information. [...] This includes information such as hardware model, operating system information, battery level, signal strength, app version, browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).

Location Information. We collect and use precise location information from your device with your permission when you choose to use location-related features, like when you decide to share your location with your contacts or view locations nearby or locations others have shared with you [....] Even if you do not use our location-related features, we use IP addresses and other information like phone number area codes to estimate your general location (e.g., city and country). [...]

(emphasis added)

This sort of information is not necessary for a messaging applicationhave a look at Status's privacy policy for an example of how little data really is needed. Even discounting the Facebook identifiers, and other extremely personalized data points, the information that WhatsApp is demanding surrendered to them should be cause for suspicionit is disturbingly easy to go from "anonymous" data to uniquely identifying individuals (e.g. birthday, gender, and postal code uniquely identify ~87% of people, based on the 1990 US Census). Data sharing is not an innocuous practice.

We store information for as long as necessary for the purposes identified in this Privacy Policy, including to provide our Services or for other legitimate purposes, such as complying with legal obligations, enforcing and preventing violations of our Terms, or protecting or defending our rights, property and users.

WhatsApp siphoning and storing your personal data is for your protection, apparently.

The saga of WhatsApp's privacy misadventures would be sorely incomplete without mention of the coercive approach they've taken toward the new privacy policy. They initially held that, after a grace period, users would have to accept the new privacy policy to continue using WhatsApp at all. They have since delayed the deadline (February -> May) and are now merely restricting app functionality for users who do not agree.

Apple Scoop recently reported that this forced approach to privacy policy acceptance violates Apple's App Store policies. Here is a relevant excerpt from the App Store FAQ:

Can I gate functionality on agreeing to allow tracking, or incentivize users to agree to allow tracking in the app tracking transparency prompt?

No, per the App Store Review Guidelines: 3.2.2 (vi).

Perhaps we will see WhatsApp LLC vs. Apple, Inc. in the near future.

Facebook

People just submitted it. / I don't know why. / They "trust me"  / Dumb fucks.

- Mark Zuckerberg, source

Facebook has shown that they can influence your emotions, your political activity, your purchasing habits, its use is negatively correlated with political awareness and knowledge,[3][4][5][6] they have demonstrated that privacy laws won't get in their way (and that users are not intelligent enough to understand their own data[7]).

Facebook is hoarding data, from users and non-users alike[8][9][10]. It's not at all dystopian that a social media company maintains profiles on people that have never used it, right?

Facebook can hardly be called a data broker; they are a data harvester. Companies and applications like WhatsApp hand your personal info to companies like Facebook, who use it to exert greater and greater degrees of control over your life. Or, at least, to extract greater and greater amounts of money from you, the loss of agency is a side effect.

When you use Facebook, you are surrendering your data, privacy, your emotional agency, your political agency and awareness, your financial agency, and the data and privacy of anyone that Facebook can get to through your data.

Facebook is antithetical to privacy. WhatsApp furnishes your data to Facebook, so WhatsApp is antithetical to privacy. Naturally, we of the Status community and organization think this is not cool.

Status

Our privacy policy is less exciting than this fiasco of WhatsApp's, but it's still a little exciting.

WhatsApp is disrupting privacy policies by taking out the "privacy" element. Signal is trying to cut down on the "policy", i.e. less legalese obscuring the important parts, more straightforward explanation.

Guided by our principles, Status is designed to protect your privacy and process as little personal data as possible for the network to thrive; Status enables pseudo anonymity, strives to provide the right of total anonymity, and offers ways to selectively reveal oneself to the world.

Status also has a new and improved ToS, that, we'd like to think, is fairly readable. You don't have to trust that you're not agreeing to more than you bargained for, because the whole document is only a few pages of easily digested sections.

WhatsApp Alternatives

Unfortunately, privacy and convenience are often at odds, and big tech is incentivized to keep it that way.

WhatsApp is "optimizing" human communicationby extracting more value from it. If you don't want your data harvested for Facebook to abuse, check out some of the privacy-forward alternatives out there. Of course, there's own secure messaging app Status, or even Signal - we love Signal, but for now they still require phone numbers, so if you're looking to preserve your privacy to the maximum possible extent, get Status.

For more information, check out this feature-based comparison of popular messaging apps, including WhatsApp, Signal, Status, and more, or this deep dive between Signal, Status, and Telegram.

Also, here are some resources for getting friends and family to ditch WhatsApp.

https://www.androidcentral.com/6-tips-getting-your-family-switch-another-messaging-app

https://www.cnet.com/news/why-whatsapp-users-are-moving-their-family-members-to-signal/

https://news.ycombinator.com/item?id=25673441

Endnotes

1: www.worldometers.info/world-population/

2: blog.whatsapp.com/two-billion-users-connecting-the-world-privately

3: doi.org/10.1080/10584609.2020.1784328

4: doi.org/10.1177%2F1077699018770447

5: doi.org/10.1080/10584609.2016.1154120

6: doi.org/10.1016/j.chb.2018.08.006

7: In an incredible quest to retrieve personal data from Facebook, Facebook decided that, because the GDPR mandates information be in "a concise, transparent, intelligible and easily accessible form, using clear and plain language", that their obligations per the GDPR only cover data that is "concise, transparent, ..."

At its most basic, this means that the information Facebook provides in response to a request should be capable of being understood by the average person. Highly technical data in its original form is likely to be meaningless to the average Facebook user and providing such data would be inconsistent with Facebook’s GDPR obligations.

- Alex, Privacy Operations at Facebook

8: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5544396/

9: https://www.zdnet.com/article/anger-mounts-after-facebooks-shadow-profiles-leak-in-bug/

10: https://www.theverge.com/2018/4/11/17225482/facebook-shadow-profiles-zuckerberg-congress-data-privacy

WhatsApp privacy policy diff: https://paste.debian.net/plain/1197494

Recommended additional reading:

https://academic.oup.com/jcmc/article/15/1/83/4064812

https://en.wikipedia.org/wiki/Criticism_of_Facebook

Download Status

Get Status