The popular mobile and multi-platform messaging service, WhatsApp, was investigated recently by the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority for apparent violations of Canadian and Dutch privacy laws. The investigation found a number of violations and the Canadian Privacy Commissioner released an update on 28 January 2013 reporting back on the violations which have since been addressed and those which remain unresolved:
The investigation revealed that WhatsApp was violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data. For example:
In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users. Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically.
At the time the investigation began, messages sent using WhatsApp’s messenger service were unencrypted, leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks. In September 2012, in partial response to our investigation, WhatsApp introduced encryption to its mobile messaging service.
Over the course of the investigation, it was found that WhatsApp was generating passwords for message exchanges using device information that can be relatively easily exposed. This created the risk that a third party may send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened its authentication process in the latest version of its app, using a more secure randomly generated key instead of generating passwords from MAC (Media Access Control) or IMEI (International Mobile Station Equipment Identity) numbers (which uniquely identify each device on a network) to generate passwords for device to application message exchanges. Anyone who has downloaded WhatsApp, whether they are active users or not, should update to the latest version to benefit from this security upgrade.
If you are a WhatsApp user, you probably already know that the WhatsApp app lists all your contacts in your phone’s contacts list and reveals which of your contacts use WhatsApp. Aside from the authentication and encryption concerns the Canadian and Dutch authorities raised, this seems to be the source of the currently unresolved concerns the Canadians and the Dutch have.
Essentially, these concerns are that WhatsApp collects details of your contacts automatically (unless your phone is running iOS 6, in which case you would be prompted to allow WhatsApp to access your contacts’ details) and uploads that data to WhatsApp’s servers to be compared to its database of users so it can identify which of your contacts are using WhatsApp and allow you to message them using the app. So far, so good, but WhatsApp doesn’t subsequently discard the data pertaining to non-users after it has compared them to its database.
As the Canadian press release mentions, this touches on two personal information processing limitations, namely purpose specification and related processing limitations. Specifically, WhatsApp is processing personal information for longer than it requires, given its intended purpose, and may be collecting more than it requires. The concern seems to be specifically about non-user personal information, and the expectation seems to be that WhatsApp discard non-users’ personal information once it establishes that they are, in fact, non-users, and that the app prompt users to agree to submitting contacts’ details to WhatsApp when users want to check whether additional contacts are users.
The WhatsApp Privacy Notice deals with this in a couple of sections:
The Information WhatsApp Collects
WhatsApp may obtain the following types of information from or concerning you or your mobile phone device, which may include information that can be used to identify you as specified below (“Personally Identifying Information”):
User Provided Information: You provide certain Personally Identifiable Information, such as your mobile phone number, push notification name (if applicable), billing information (if applicable) and mobile device information to WhatsApp when choosing to participate in various uses of the WhatsApp Service, such as registering as a user, updating your status or requesting status for your contacts. In order to provide the WhatsApp Service, WhatsApp will periodically access your address book or contact list on your mobile phone to locate the mobile phone numbers of other WhatsApp users (“in-network” numbers), or otherwise categorize other mobile phone numbers as “out-network” numbers, which are stored as one-way irreversibly hashed values.
The Information WhatsApp Does Not Collect
WhatsApp does not collect names, emails, addresses or other contact information from its users’ mobile address book or contact lists other than mobile phone numbers—the WhatsApp mobile application will associate whatever name the WhatsApp user has assigned to the mobile telephone number in his/her mobile address book or contact list — and this occurs dynamically on the mobile device itself and not on WhatsApp’s servers and is not transmitted to WhatsApp. This means that if you have your friend’s mobile phone number associated with the name “Shakespeare” in your mobile address book, that’s the name that will appear for that mobile phone number in your WhatsApp contact list. We do not collect location data, but users may voluntarily share their location with other users via the WhatsApp Service.
The big question is whether WhatsApp should retain non-user phone numbers after it has compared the data captured through the app with its database.
South African law
At present the main issue in South Africa is whether transmitting your contacts’ personal information to WhatsApp violates their privacy. Our current privacy law is informed by the right to privacy in the Bill of Rights, prevailing case law developed by our courts and legislation like the Electronic Communications and Transactions Act and Consumer Protection Act. The Protection of Personal Information Bill has not yet been passed although I’ll deal with that below.
The answer to this lies in the implicit (or explicit, if you have it) consent you have from your contacts to take the personal information they give you, pass that on to WhatsApp and then contact them through WhatsApp if they are users. This is a tough question to answer in the absence of an explicit preference from your contacts one way or another. Presumably they gave you their contact details or made them available with the expectation that you contact them. Whether a contact would object to being contacted using WhatsApp is a secondary issue. Conceivably some users may object to their personal information being passed to WhatsApp due to concerns about its privacy practices or out of a desire to remain out of that system, and where a contact expresses that preference, you should certainly act appropriately. Absent that express preference, may users assume they have their contacts’ implicit consent? Perhaps.
Under the anticipated Protection of Personal Information Act (I refer to the “Protection of Personal Information Bill” interchangeably with “Protection of Personal Information Act” because it is still going through the legislative process of being passed as an Act of Parliament), the question is ordinarily what sort of consent is given and whether this covers the intended personal information uses. “Consent” is defined as –
any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information
When it comes to individual users, the Protection of Personal Information Act probably won’t require individuals to comply with its restrictions when it comes to compiling their contacts lists where doing so is “in the course of a purely personal or household activity”. WhatsApp wouldn’t be able to take advantage of this exclusion so it would be required to obtain its users’ consent to process their personal information.
Will the Protection of Personal Information Act apply?
You may have noticed that WhatsApp indicates that it stores non-users’ (or “out-network”) phone numbers as “one-way irreversibly hashed values” which, when coupled with improved encryption options, make it practically impossible to resolve those hash values back to phone numbers (classified as “personal information” in most jurisdictions).
The Protection of Personal Information Act has a further exception to its application in that it does not apply to personal information “that has been de-identified to the extent that it cannot be re-identified again”. It would be interesting to test whether this exclusion would apply here and would probably be dependent on whether the hashed values could, somehow, be associated with individuals despite the encryption. WhatsApp only collects phone numbers and not names and other details (the association between a number and a name occurs on your device, not on the server) so this exclusion could well apply and get WhatsApp off the hook when it comes to potential Protection of Personal Information Act compliance. It would also likely address residual privacy concerns because the phone numbers will appear to have been practically and irreversibly anonymised.
Even if the Protection of Personal Information Act applies
If this exclusion does not assist WhatsApp, the Protection of Personal Information Bill contains a number of processing limitations along the lines of the limitations the Canadians and Dutch found were exceeded.
One processing limitation is “Minimality” which states that –
- Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
The Protection of Personal Information Bill requires that personal information be collected directly from what it refers to as “data subjects” (in other words, the people the personal information relates to) and one of the exceptions to this is where –
collection of the information from another source would not prejudice a legitimate interest of the data subject
Given the steps taken to disassociate the phone numbers collected and pertaining to non-users with the non-users’ identities, this may be an exception to the general rule that the personal information be collected directly from the non-users concerned. In this case the “other source” would be the WhatsApp user submitting the personal information.
The Protection of Personal Information Bill’s purpose specification limitations include the following which are more appropriate to what WhatsApp is doing:
Collection for specific purpose
- (1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
- (2) Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.
Section 18 deals with the necessity for informed consent from data subjects and includes the following exclusion which is similar to the exclusion dealt with above:
non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act
Another processing specification limitation in the Protection of Personal Information Bill which relates to the Canadian and Dutch requirements is the following:
Retention and restriction of records
- (1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed …
Section 14(1) has a number of exclusions which probably won’t apply here but section 14(4) may assist WhatsApp:
A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).
Section 14(2) deals with personal information processed for “historical, statistical or research purposes” but may not apply here.
On the topic of this retention restriction, it’s not clear why WhatsApp retains “one-way irreversibly hashed values” based on non-users’ phone numbers. If “one-way irreversibly” means that these hashed values are not capable of being translated back into phone numbers (as I have assumed) then it’s not clear what purpose is being served by retaining this data. If these “one-way irreversibly hashed values” can be translated back into phone numbers then the exclusions in the Protection of Personal Information Bill will probably not apply and WhatsApp will be, almost by definition, in violation of the Protection of Personal Information Bill’s processing limitations where it does not obtain consent from non-users to process their phone numbers.
On the other hand, if “one-way irreversibly hashed values” does, in fact, mean they can’t be translated back into phone numbers and will remain as seemingly random data strings, then they will likely not be regarded as “personal information” in the first place, as personal information is defined, at least by the Protection of Personal Information Bill, as including “information relating to an identifiable, living, natural person”. If that is the case then the debate about whether the Protection of Personal Information Act applies becomes largely academic from WhatsApp’s perspective, as non-users’ phone numbers cease to be personal information when they are converted into “one-way irreversibly hashed values”.
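The question the post leaves open, whether a “one-way irreversibly hashed value” of a phone number can be associated with a number again, is what a privacy reviewer would actually test. The following is an added example, not WhatsApp’s code or the investigators’ findings; the numbering block, user base and server key are constructed. It models the address-book comparison from the privacy notice and then runs a de-identification check on what is retained for non-users: an unkeyed hash can be matched by hashing the small, enumerable numbering range, while a keyed hash (HMAC under a secret held only by the server) cannot be tested without that key.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not WhatsApp's real numbering or user base): a block of
# 10,000 fictitious numbers standing in for one country's numbering range.
CANDIDATE_NUMBERS = [f"+2782000{n:04d}" for n in range(10000)]
REGISTERED_USERS = {"+27820000001", "+27820000003"}      # hypothetical in-network numbers
ADDRESS_BOOK = ["+27820000001", "+27820000002", "+27820000003", "+27820000004"]
SERVER_KEY = secrets.token_bytes(32)   # secret held only by the server, never uploaded


def plain_hash(number: str) -> str:
    """Unkeyed one-way hash, as the privacy notice describes for out-network numbers."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_hash(number: str, key: bytes = SERVER_KEY) -> str:
    """HMAC under a secret key: a stored value alone cannot be checked against guesses."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def match_contacts(address_book):
    """Server-side comparison of uploaded numbers with the user base (the identified
    purpose of the upload). Returns (in_network, out_network); the retention question
    is what, if anything, the server keeps from the second list afterwards."""
    in_network = [n for n in address_book if n in REGISTERED_USERS]
    out_network = [n for n in address_book if n not in REGISTERED_USERS]
    return in_network, out_network


def reidentify(stored_value, hasher, candidates=CANDIDATE_NUMBERS):
    """De-identification test: hash every number in the candidate space with the scheme
    under review and see whether the stored value matches one of them. The phone number
    space is small enough that this finishes quickly; None means it stayed de-identified."""
    for number in candidates:
        if hasher(number) == stored_value:
            return number
    return None


if __name__ == "__main__":
    users, non_users = match_contacts(ADDRESS_BOOK)
    print("in-network:", users, "out-network:", non_users)
    for label, hasher in (("plain sha256", plain_hash), ("keyed hmac", keyed_hash)):
        stored = hasher(non_users[0])
        print(label, "->", reidentify(stored, plain_hash))  # reviewer has no key
```

With the plain hash the reviewer recovers the non-user’s number; with the keyed hash the same test returns None, and only a party holding the server key could repeat the match.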
Where does that leave WhatsApp?
So where does this leave WhatsApp? Under South African law there may be far less of an issue with WhatsApp’s retention of non-users’ personal information than the Canadians and Dutch seem to have with the service. If their definitions of personal information are similar, it should, perhaps, be less of an issue for them too, provided these “one-way irreversibly hashed values” can’t be translated back into phone numbers and will remain as seemingly random data strings.
Is it safe to keep using WhatsApp? In light of the increased security added after the initial Canadian and Dutch investigations, it does seem to be safe to use WhatsApp. At least from this perspective.