Recently, WhatsApp updated its privacy policy. The company communicated the policy to its users via an in-app notification. This notice prompted users either to accept or to reject the policy. Notably, the policy contained an ultimatum paraphrased as: “accept this policy by 8 February 2021, or we’ll delete your account”.
Across the world, this event triggered a public outcry over social media. Several governments, privacy activists, and ordinary civilians expressed outrage at the policy and its audacious ultimatum. SA’s Information Regulator then approached WhatsApp to engage with it about the policy. Shortly afterwards, the company decided to extend the ultimatum date to 15 May 2021.
You’re probably wondering what’s caused the uproar and if people are exaggerating. Perhaps you need to decide whether to continue using WhatsApp Messenger or move to a different messaging app. Maybe you’ve already accepted the policy. Whatever your prompt might be, this post explains the controversy caused by the policy and the concerns that flow from it.
People value their privacy and take action when they know a company doesn’t care about it. Privacy is power, especially when you’re two billion users. However, to exercise this power, companies need to be transparent about how and why they process personal information. Further, privacy covers the content of messages and metadata because they can be equally damaging.
This event has also highlighted the fragmented nature of data protection laws across the world. You can glean this from the fact that WhatsApp will not share EU citizens’ data with Facebook. If data protection laws had applied consistently across jurisdictions, WhatsApp probably wouldn’t have created the policy.
How do I make the best possible decision?
To start, you need to ask yourself if you can leave WhatsApp messenger.
- In SA, WhatsApp messenger is a crucial part of the government’s communication media when it comes to COVID-19.
- Generally, the country’s government departments depend on WhatsApp messenger to communicate with people.
- Many businesses use it as the central means to keep in touch with their clients.
- I think it’s also important to be mindful of how unsettling the pandemic has been for everyone. So, it may be difficult for you to disconnect with your loved ones and move to a new platform.
However, if you can choose, I suggest you consider three factors: privacy, security, and governance.
Who are the role players that I need to be aware of?
- WhatsApp users: you, other people, businesses, and governments;
- WhatsApp: the company itself;
- Facebook: the parent company that owns WhatsApp;
- Third-party businesses: advertisers or brands (e.g. Wish, Takealot, KFC); and
- Other applications or online platforms (e.g. Spotify or Tinder).
WhatsApp’s latest privacy policy
What data will WhatsApp collect from its users?
What information will WhatsApp share with the Facebook ecosystem?
WhatsApp may share any of the information that the policy mentions or that it brings to its users’ attention.
How will they use my personal information?
WhatsApp and Facebook may use your information for several purposes, including to:
- provide you with services;
- ensure safety and security;
- facilitate communication between third-party businesses and users;
- communicate about WhatsApp and Facebook services; and
- advertise and market to you.
Will WhatsApp share my messages with Facebook?
WhatsApp says that it will not share the messages of users with Facebook. They’ve repeatedly said that the messages will remain encrypted and secure. However, it’s vital to note that encryption doesn’t extend to the backups of messages to iCloud or Google Drive.
Will WhatsApp retain my messages?
The policy states that WhatsApp doesn’t retain messages in providing its services to users. Instead, the company stores messages on the user’s devices. But, WhatsApp does store messages sometimes:
- it will keep undelivered messages for up to 30 days;
- it stores media temporarily to help efficient delivery.
Why are we concerned about WhatsApp and its privacy policy?
WhatApp’s lip service about protecting users’ privacy
In 2014, when Facebook bought WhatsApp, WhatsApp promised to protect its users’ privacy. However, it had taken back this promise in 2016 with an update to its privacy policy. Ever since this change, WhatsApp has been sharing your personal information with the Facebook ecosystem.
The previous owner of WhatsApp, Brian Acton, regrets the sale. In an interview, he mentioned:
“I sold my users’ privacy to a larger benefit. I made a choice and a compromise. And I live with that every day…”
Some writers believe that the agreement of sale between WhatsApp and Facebook contains a sunset clause preventing extensive privacy exploitation. They think this clause has recently come to an end, hence the update to the policy.
The policy has an extensive scope
The scope of the latest policy is extensive. I would go so far as to say it goes against the data-protection principles of purpose limitation and data minimisation.
- Purpose limitation means that WhatsApp must unambiguously set out why it collects your personal information and what it intends to do with the information.
- Data minimisation means that WhatsApp must identify the minimum amount of personal information it needs to provide its services; it should hold the necessary information and nothing more.
The real reason for the update to the latest privacy policy
So why is WhatsApp changing its privacy policy now? The answer is simple: so that Facebook can gain revenue from in-app ads. Facebook is determined to turn WhatsApp into an e-commerce service. Currently, it’s running trials of this service in IND with Jio.
The risk: behavioural data, profiling, modification
Linked to the policy scope is how WhatsApp, Facebook, and third-party businesses plan to use your personal information.
If you use platforms in the Facebook ecosystem (Facebook, Messenger, Instagram), the company intends to combine the data they have on you with the information they get from WhatsApp. They’ll use the combined data to create a comprehensive profile of you.
This profile details the type of person you are, your interests, desires, political affiliations, and many other inferences. In other words, the profile captures how you experience reality and how the world experiences you.
With this profile, they want to modify your behaviour in favour of their commercial interests. In simple terms, they want to ensure you buy the products of their advertisers and brands. More ads equal more profits. Shoshana Zuboff calls the thinking that underlies this business model “surveillance capitalism”.
Behavioural profiling is dangerous for several reasons. For example, it can influence whether someone votes in an election. Further, there are no measures to detect if Facebook targets voters to get a specific political party elected because that party promotes Facebook’s interests. Related to this point is the Cambridge Analytica scandal. There are allegations that “digital consultants to the Trump campaign misused the data of millions of Facebook users” to manipulate them to vote for him.
WhatsApp conflates privacy and security
I’ve noticed how WhatsApp continuously refers to its end-to-end encryption in response to the public outcry. But, I believe the company has missed the point. The point of concern is not the security of data; it’s the privacy of personal information.
Consent is not enough to protect our privacy
For consent to be meaningful, you need to know what you’re consenting to when you accept a privacy policy. How can you agree if you don’t understand what inferences Facebook can draw from your data? Not even data scientists can answer this question.
Specifically, the Facebook ecosystem contains advanced algorithms. They’re so advanced that we can’t understand how they reach decisions to predict their inferences about us.
Facebook and WhatsApp display anti-competitive behaviour towards the SA Government’s initiatives
Facebook intends to monetise WhatsApp, but it’s already blockading businesses who use the platform for their business infrastructure. They’re doing so even when companies have legitimate socio-economic benefits and provide fundamental infrastructure for government initiatives.
Consider GovChat, SA’s “largest civic engagement platform accessible online, on any mobile handset and feature phones.” It offers a chatbot on WhatsApp that the SA government uses to engage with citizens. WhatsApp wants to prevent GovChat from using its messenger to pursue “commercial interests”.
On Friday, 22 January 2021, the country’s Competition Commission ordered that WhatsApp and Facebook may not delete GovChat from the WhatsApp site. The Commission also ruled that they shouldn’t do anything to disrupt GovChat and its users’ relationship.
What about the POPI Act?
In the EU, EEA, and post-Brexit UK, WhatsApp can’t share its users’ personal information with the Facebook ecosystem. So, WhatsApp has created a different privacy policy for that region. The reason is that the GDPR protects the region, and WhatsApp has undertaken not to share the personal information of EU citizens with Facebook.
The SA Legislature modelled our data protection law, the POPI Act, on the EU Directive and OECD guidelines. Hence, SA’s Information Regulator questions why we’re treated differently to the EU.
