Categories
Social Media

Whatsapp’s New Terms of Service Explained

Whatsapp’s new terms of service update has caused a fair amount of confusion. This is understandable; the update does not remove the existing end-to-end encryption of Whatsapp messages and, for many people, it will not result in any immediate new privacy risks.

However, claims that the update is entirely cosmetic and/or only concerns new Whatsapp business features are incorrect. The changes to the terms of the privacy policy are significant. Less than half of the text of the new policy appeared in the old one, and the update does appear to create new contractual rights and obligations for the parties. This post will help you to evaluate how you will be affected by the update. We will also look at the reasons for why some privacy advocates are concerned about what the update could mean for corporate surveillance more generally.

Overview:

  1. Will Whatsapp start sharing your data with Facebook after this update?
  2. Will Whatsapp increase data sharing with Facebook after this update?
  3. Further notable changes to the privacy policy.
  4. Understanding the background of this update and why privacy advocates are concerned.
  1. Will Whatsapp start sharing your data with Facebook?

The first update to the Whatsapp privacy policy to introduce data

sharing with Facebook was the August 2016 privacy policy. At the time, users were given 30 days to opt out of the policy. If you joined Whatsapp after August 2016, then you would have automatically opted-in to the policy. If you joined before then, then you would have had a 30 day window to opt out. The first thing that you should do is find out whether you opted out in 2016. To do this, click on the settings menu in the top right of Whatsapp, select account, and then select the “request account info” button. Finally, click to confirm your request of your account information.

Open the settings menu
Select “Account”
Select “Request account info”
Confirm that you would like to request your account information.

Your report will take 2 days to be sent. Once you have received your report, navigate to the “Terms of Service” sheet, and check whether or not you opted out of data sharing with Facebook.

Screenshot of my Terms of Service information from my Report.

If you opted out of data sharing in 2016, then you will be directly affected by this update, and it will result in more of your data being shared with Facebook.

It has been reported by wired and memeburn that Facebook will continue to honour the 2016 opt-out even after this latest update. However, there is not much evidence for this, and it is no longer a contractual requirement.

2. Will Whatsapp increase data sharing with Facebook after this update?

Probably not immediately. However, the changes to the privacy policy do expand on permissible data collection by Whatsapp, which could result in additional data collection in future, data which can be shared with Facebook. These changes are detailed in the next section.

3. Further noticeable changes to the privacy policy

In a post on WeLiveSecurity, writer Amer Owaida suggests that the new Whatsapp update has included some “unfortunate phrasing that raised questions among users about what kinds of data would be shared with the chat app’s parent company, Facebook”. Whatsapp has further released a new FAQ section to present their interpretation of the new terms. They argue that:

We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. The changes are related to optional business features on WhatsApp, and provides further transparency about how we collect and use data.”

This is, of course, just Whatsapp’s own legal interpretation of their new terms and not a legally binding clause of those terms. In order to test whether this is a fair assessment of the update, I went back to the 2016 terms of service to see exactly what changed.

The first noticeable change to the privacy policy is the increased difficulty of reading it. The 2016 privacy policy was approximately 2500 words, requiring the average reader about 10 minutes to read and comprehend. The new policy is more than double this length.

To get a better feel for where the changes in the policy are, I began by putting the old policy and the new policy through a text difference-finder engine. For this I used both textcompare and diffchecker. The results reveal a scattering of updates throughout the document.

The text on the left is extracted from the 2016 privacy policy. The text on the right is extracted from the new privacy policy. Highlighted terms and phrases represent differences between the two documents.

So what are some of the more noteworthy changes?

“Information you provide”

  1. The new privacy policy has significantly expanded the preamble. Whereas the 2016 policy consisted mostly of substantive contractual terms, the new policy includes several paragraphs of preamble highlighting privacy features such as end-to-end encryption that Whatsapp does still provide. It appears as though the new privacy policy was written on the assumption that it would be read by a larger general audience.
  2. The word “must” has been added to the clause concerning phone numbers. Phone numbers are a strategically important data point for Facebook to collect, because they do not have high quality phone number data from Facebook, and phone numbers provide a unique identifier which can be used to connect your Facebook data withdata from other databases.
  3. Additional detail has been added to explain how Whatsapp’s end-to-end encryption of content works.
  4. A new section has been added regarding payments and transactions data. This is presumably also in reference to upcoming features.
  5. The new policy makes references to signing up for groups and broadcast lists. I assume this will be among the new business features. The groups and broadcast lists that you subscribe to will be associated with your account.
  6. The section now explicitly makes provision for profile name, email address, and about information. It no longer makes reference to status updates.

Automatically collected information

  1. The section on collection of service-related information has been expanded to list in detail the information being provided. The ammended text now refers to the following data collection:

“your Services settings [how you interact with the service] (including when you interact with a business), and the time, frequency, and duration of your activities and interactions), log files, and diagnostic, crash, website, and performance logs and reports. This also includes information about when you registered to use our Services; the features you use like our messaging, calling, Status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” information; whether you are online, when you last used our Services (your “last seen”); and when you last updated your “about” information.

2. A new section has been added detailing the collection of location information:

“Location Information. We collect and use precise location information from your device with your permission when you choose to use location-related features, like when you decide to share your location with your contacts or view locations nearby or locations others have shared with you. There are certain settings relating to location-related information which you can find in your device settings or the in-app settings, such as location sharing. Even if you do not use our location-related features, we use IP addresses and other information like phone number area codes to estimate your general location (e.g., city and country). We also use your location information for diagnostics and troubleshooting purposes.”

Whatapps FAQ has a new entry about location information as well, but it surprisingly only makes reference to location sharing:

We can’t see your shared location and neither can Facebook: When you share your location with someone on WhatsApp, your location is protected by end-to-end encryption, which means no one can see your location except the people you share it with.”

Since location sharing is only one of many ways listed above that Whatsapp determines your location, the FAQ appears to be attacking a red herring.

Free
Source: xkcd

4. Understanding the background of this update and why privacy advocates are concerned.

The common wisdom is that privacy and security of communications is only really a concern for people who are activists/ dissidents/ journalists and/ or criminals and don’t want the government to have access to their messages because of fear of reprisal. It’s no wonder this is the case – we are constantly fed messaging that if we have nothing to hide, we have nothing to fear.

But of course this is a strawman. Privacy and security can be particularly important for the ‘innocent’. Here are some other reasons you may be concerned about what is happening to your data:

  1. Data breaches occur often. You may be comfortable with the government or Facebook having access to your information. But are you okay with criminals having access to it?
  2. You want to minimize the risk of identify theft and protect the security of your online accounts.
  3. You want to prevent nation state actors, politicians, and other groups from using your personal data to form a psychological profile of you, and using this profile to artificially influence your personally held beliefs in a way that is adverse to your own best interests.
  4. You want to prevent content creators from trying to drive engagements by feeding you content aimed at making you angry and driving division in society.
  5. You are concerned about the health of society and democracy at large, and believe that monopoly control of large quantities of personal data poses a risk to their health.

A brief history of the Whatsapp acquisition

October 2013: Facebook acquires the VPN company Onavo. Onavo is able to gather application usage statistics from its users, giving Facebook a way to monitor its competitors. Source: TechCrunch

October 2013 – 2014: Facebook uses data collected by Onavo to monitor its competitors, and discovers that Whatsapp has a higher engagement time and higher number of daily messages sent than Facebook Messanger, by quite a large margin. Source: mashable

“we built WhatsApp around the goal of knowing as little about you as possible: You don’t have to give us your name and we don’t ask for your email address. We don’t know your birthday. We don’t know your home address. We don’t know where you work. We don’t know your likes, what you search for on the internet or collect your GPS location. None of that data has ever been collected and stored by WhatsApp, and we really have no plans to change that.” – Whatsapp CEO Jan Koum, March 2014

February 2014: Facebook acquires Whatsapp. At the time it was unclear why Facebook had bought whatsapp, and how it could be monetized. In fact this was a set question in Stellenbosch University Competition Law exam in 2016.

As concerns rose that that the acquisition would result in data sharing with Facebook, What’sapp’s CEO Jan Koum penned a commitment to privacy on the Whatsapp blog. The post begins by stating that there has “been a lot of inaccurate and careless information circulating about what our future partnership would mean for WhatsApp users’ data and privacy.” Jan then recounts his own personal experiences of living in Ukrain under the USSR and trying to conduct private communications, before explaining how privacy, and specifically the principle of minimising data collection, were part of the DNA of Whatsapp. He said that Whatsapp had no plans to change this. Finally, Jan addressed the elephant in the room: the Facebook acquisition. He argued that the acquisition would have no effect on Whatsapps principles and commitments, would not result in increased data collection and that speculation to the contrary was “irresponsible”.

2016: Whatsapp announced that it would start sharing data with Facebook including phone numbers and last seen activity. Users were given a 30 day window to opt-out. New users had no option to opt-out. The policy changed resulted in the European Commission fining Facebook 110 million Euros for providing misleading information about the ability to link profiles across Whatsapp and Facebook during the acquisition. Germany and the UK also separately directed Whatsapp to cease data sharing with Facebook (source: Internet Freedom Foundation).

2016-2018: Facebook pays people as young as 13 to directly install a research application based on Onavo which is used to collect information about their devices and app usage.

2018: Jan Koum resigns as CEO of Whatsapp over disagreements with Facebook about privacy.

“Jan: I will miss working so closely with you. I’m grateful for everything you’ve done to help connect the world, and for everything you’ve taught me, including about encryption and its ability to take power from centralized systems and put it back in people’s hands. Those values will always be at the heart of WhatsApp.” – Mark Zuckerberg, responding to former Whatsapp CEO Jan Koum’s announcement of his resignation due to unaddressed security and privacy concerns with Whatsapp’s business model, in 2018 (source: the verge).

August 2018: Apple bans Onavo from its app store. Apple spokesperson reported that “We work hard to protect user privacy and data security throughout the Apple ecosystem. With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing[…]”

“A lot of us got into technology because we believe it can be a decentralizing force that puts more power in people’s hands […] Back in the 1990s and 2000s, most people believed technology would be a decentralizing force.

But today, many people have lost faith in that promise. With the rise of a small number of big tech companies — and governments using technology to watch their citizens — many people now believe technology only centralizes power rather than decentralizes it.” – extract from Marc Zuckerberg’s 2018 new year’s resolution

Feburary 2019: Facebook shuts down what remains of the Onavo project.

The consolidation of personal data into centralised pools creates inherent risks. Data leaks are able to affect a greater number of people and expose more of their data. It is common now days for a single data breach to expose the personal information of hundreds of millions of people. Facebook has certainly played it’s role. In 2019 more than half a billion Facebook user records were exposed and about 50 million Instagram accounts were compramised.

Your online persona will now reveal a much more complete psychological profile of you. Communications metadata contains troves of information that, when combined with Facebook data, will give data scientists a very granular understanding of what you fear, what you hate, and what makes you angry. The proximate impact will simply be better targeted advertising. But this information is also used indirectly to drive engagement, getting you to spend more time online and interacting with posts, or even to change your personal beliefs, as happened with Cambridge Analytica.

Competition will likely be reduced as Facebook further consolidates it’s data monopoly. This can have long term detrimental impacts on the quality of products available to you.

It is time. #deletefacebook.” – Brian Acton, Whatsapp cofounder. source: forbes

Leave a Reply

Your email address will not be published. Required fields are marked *