WhatsApp: You are the Product

Alec Harris
6 min read · Apr 19, 2020


Given the wide distribution of WhatsApp and their parent company Facebook’s pathetic record on privacy, I thought it might be fun to unpack the WhatsApp privacy policy in layman’s terms. I should caveat that no matter what we find, WhatsApp is not the worst messaging platform out there. It is far preferable, for instance, to WeChat, which is just spyware with some convenience sprinkled on top. Personally, I wouldn’t use a phone that had or ever had WeChat on it. Same goes for TikTok. Stop using TikTok. It’s the Gremlins of social media apps: looks cute, actually very dangerous.

As of October 2019, WhatsApp was still by far the most heavily used commercial messaging app (CMA) on the planet, with 1.6bn monthly active users. Second on the list is… Facebook Messenger, with 1.3bn users. There is likely heavy overlap between the two user groups, but there are probably some unique users in each group, so by any metric Facebook dominates the CMA marketplace. Third on the list is China’s WeChat, which you practically have to download to do anything on the mainland, yet they still fall a good bit short at 1.1bn monthly active users.

Source: https://blog.hootsuite.com/11-people-join-social-every-second/

All policy quotes below come from: https://www.whatsapp.com/legal/#privacy-policy and https://www.whatsapp.com/legal/commerce-policy/

The opening line in the WhatsApp privacy policy is “WhatsApp cares about your privacy.” This sounds to me like when a teenager promises not to share a big juicy secret they just stumbled on with the rest of the school. Of course they are going to share the info; it’s what teenagers do. Founded sixteen years ago in 2004, it turns out Facebook is also a teenager and we should render them the same level of trust with our data. Let’s see how much WhatsApp cares about our privacy.

In the “Information You Provide” section they call out a few categories of items shared: Your Account Information, Your Messages, Your Connections, & Customer Support. These are four areas in which WhatsApp users volunteer personal data. A major part of this is giving WhatsApp your cell phone number and access to the native address book on your phone. Let’s not gloss over that. To use WhatsApp, I have to tell them my cell phone number, and it can’t be a VoIP number; they require a real cell phone number, and they request ALL the information in my address book. For me that’s 896 people whose contact info I’ve saved, and that includes cell phone numbers, work numbers, addresses, birthdays, notes and more. It’s a non-trivial amount of data and it gives a sophisticated platform like WhatsApp the ability to map my entire personal network. When was the last time you actually pruned your phone’s address book? Might you have an ex in there? A competitor? Someone whose profession is, uh, less than legal? Guess what? WhatsApp has that information now too.

WhatsApp says they have access to your messages, though they are “end to end” (e2e) encrypted, so they can’t see the content, and they don’t retain them on their servers unless pending delivery. Let’s just go ahead and accept that the platform is actually e2e encrypted. To their credit they started off with the Open Whisper Systems (same as Signal) crypto libraries. Real security concerns, however, have been raised around WhatsApp e2e encryption (https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats/), but that’s a separate topic. Even without the content of our messages, WhatsApp has all the metadata. You may not think it’s that much information, but don’t forget, Facebook paid $19,000,000,000 to buy WhatsApp in 2014 when they only had 450m monthly active users. That’s $42 PER USER. Surely this wasn’t altruism. The metadata is valuable.

So, what can they do with metadata and what is metadata anyways? In short, metadata is all the information about a call or text that is not the actual content. WhatsApp defines the collected metadata as: “information such as hardware model, operating system information, browser information, IP address, mobile network information including phone number, and device identifiers.” They also collect location information “if you use [their] location features” which is probably most users. Based on no actual information or research, I would bet it’s over 99% of users. The metadata is usually anonymized but that’s the biggest joke in the business. If they know your location, they can easily correlate it to publicly available databases and determine your identity with a high likelihood. Most people create their WhatsApp accounts in their true names anyways. If you think that it doesn’t matter because you aren’t that interesting, think again. Let’s say you use WhatsApp to contact your oncologist once a week for a couple months. You may feel good about the data being encrypted, but does WhatsApp really need the content of your messages to know what is going on? Over time your metadata populates a unique user profile on you. It reveals socioeconomic status, creditworthiness, health profiles, spending habits and more. This is why WhatsApp is valuable. It’s marketing data. It’s packaged up and sold over and over again by your privacy-loving friends at Facebook. If the product is free, then you are the product.

Think about a couple astounding factoids about WhatsApp usage as of Jan 2019 per https://www.businessofapps.com/data/whatsapp-statistics/:

· 65 billion WhatsApp messages sent PER DAY. That’s 29 million per minute.

· 2 billion minutes spent making video and voice calls per day

· 1 billion DAILY active users

The sheer volume of user data (and metadata) they are collecting is staggering. Imagine knowing where a billion people are at any given time. And remember, this is just one Facebook property. Here’s what it looks like when you include all of their major platforms:


Is there a fee to join any one of these platforms? No. They are all free. Yet Facebook’s market cap at the time of this article is roughly half a trillion dollars. WhatsApp’s opening line to its privacy policy should more accurately read “WhatsApp cares about your privacy…as long as it’s subordinate to us invasively monetizing your user data.”

Another area worth discussing is WhatsApp’s Commerce Policy. They have cleanly abstracted it away from their Privacy Policy, but they are inextricably linked. The Commerce Policy covers the acceptable uses for WhatsApp for public and private commerce. I’m in violent agreement with part of the sentiment in the policy. WhatsApp should not be used for the “sale of human body parts” or “wiretapping” or “to sell…equipment to create counterfeit currency.” But the WhatsApp Commerce Policy also explicitly prohibits transacting in the following items:

· Tobacco

· Paintball guns

· Sex toys

· Contact lenses

· Thermometers

· Bandages and braces for physical injuries

· Implied nudity

· Cryptocurrency

The above is just a selection of items from their list. None of it is illegal and in the case of nudity they really roll out the red carpet for the thought police by covering implied nudity as well. I’m sure, somewhere, sometime, someone scammed someone for some contact lenses and now the rest of the billion users can’t even talk about contact lenses or else be kicked off of WhatsApp. If you claim to care about privacy then you have to treat it as a right, like freedom of speech. If a platform is truly private, then you are free to do all the terrible and wonderful things you want on it because it’s liberating, not restricting. Here’s the gotcha: WhatsApp is under no obligation to make their platform available to the world for free so that we can do whatever we want on it. We do, however, have the choice not to use it. What is objectionable is not that WhatsApp is actually porous, but rather that they intentionally market themselves as a privacy-friendly, encrypted messaging application. It’s not. It’s a data-sucking surveillance machine. Feel free to use it but do so knowingly. I’ll close with a quote from WhatsApp founder Brian Acton, who in addition to donating $50m to the nonprofit and WhatsApp rival Signal Foundation, responded to the Cambridge Analytica scandal with this:

Source: www.twitter.com