WhatsApp's privacy investigated by joint Canadian-Dutch probe

Filed Under: Featured, Law & order, Mobile, Privacy

WhatsApp logoWhatsApp, the popular instant messaging smartphone app, has been under investigation by governmental privacy authorities in Canada and The Netherlands for almost the past year for violations of both nations' privacy acts.

This is the first time countries have worked together to conduct a privacy investigation and it appears to have been a great success. As I don't read Dutch, I have only examined the Canadian report.

The first issue they looked into was the ability for someone to "spoof" or artificially register someone's smartphone for the service without their permission or to impersonate that person's phone to intercept their messages.

While some issues existed in this process previously, it was determined that the concerns were not well founded.

Another complaint against WhatsApp was that it requires users to upload their entire address book to determine which of their contacts are fellow users of WhatsApp.

The lack of an option to choose which contacts you want to upload to the service is considered a breach of privacy and an overreach by the company.

WhatsApp has updated its iOS app to allow manual uploading and intends to provide updates for its Android, Blackberry, Windows and Symbian clients as well.

shutterstock_bakelitephone170A bigger issue is that WhatsApp not only uploads the phone numbers of non-app users from your address book, but stores them perpetually. The company's defence is that it stores non-user numbers as MD5 salted hashes.

The Canadian Privacy Commissioner found that this is an unacceptable, unnecessary practice. In the case of a data breach, these numbers can be trivially brute-forced "in less than 3 minutes on a desktop computer," according to the report.

To comply with international privacy regulations, WhatsApp must stop retaining unnecessary personal identifiable information.

WhatsApp also broadcasts your status updates to everyone who has your number in their address book. It is not made clear to users that this will occur, and even worse, there are no controls.

Even someone who typo'd a friend's phone number would be granted access to your status updates without your knowledge.

The report details concerns over the lack of visibility of who can see your statuses and the lack of controls. The law states "Consent must be meaningful" when sharing personal information; a simple disclaimer in a EULA/ToS/privacy policy is not enough.

WhatsApp intends to include a pop-up in future versions of the software ensuring users understand who may see their statuses and allowing them to choose not to broadcast their status. They committed to providing this by September 30, 2013.

Another provision of the Canadian PIPEDA Act that was violated covered the lack of disclosure to users about the minimum and maximum times for retention of data collected. While it appears that WhatsApp had a policy, it was not presented directly to their users.

The company has agreed to update its privacy and terms of service policies to clearly outline its intentions by March 31, 2013.

shutterstock_CellPhoneSIM170At the beginning of the investigation, the company was not properly encrypting any of the communications of its users. Its initial attempt at encryption relied upon using IMEIs and MAC addresses as encryption keys.

The investigation determined this was inadequate and easy to defeat. WhatsApp has begun the transition to 160-bit randomly generated keys in its iOS app and will follow through on other platforms.

I think it is an excellent conclusion that two independent countries could work together to ensure the safety of their citizens while working in a cooperative manner with private enterprise.

Normally I would chastise WhatsApp for exposing sensitive information unnecessarily, but in this case I will give them some credit. They made mistakes, but are willing to work with authorities to make things right.

While anyone can create an "app" and be a smartphone superhero overnight, that does not exempt you from privacy regulations. Don't make the mistakes WhatsApp made, think things through from the point of your customer.

Phone image and mobile phone with SIM courtesy of Shutterstock.

, , , ,

You might like

4 Responses to WhatsApp's privacy investigated by joint Canadian-Dutch probe

  1. Richard Hipkin · 634 days ago

    As long as they don't deny their mistakes and that visible progress is being made to address the flaws I have no issues with WhatApp.

  2. Scott · 634 days ago

    IT is total bulls**t that whatsapp feels that they have the right do what they want. Hell for that matter Facebook isn't any different.

    • Nigel · 633 days ago

      No argument there, but then the fact that we're posting here likely means we're already aware of the need to take personal responsibility for our own security. How many of the nearly one billion Facebook users have a similar point of view?

      I haven't read the What’sApp user agreement, but it wouldn't surprise me to find that it notified users that What'sApp would do all of the things the Canadian-Dutch probe didn't like. And Facebook's boldface admissions of the liberties it takes with users' data are legendary. So, while I wholly disapprove of such predatory practices, the reality is that it’s incumbent upon What’sApp and Facebook users to know what they’re getting into BEFORE they become users.

      The larger point is that all this "free" stuff isn't free at all. People's expectation that they can get something for nothing is an epidemic mentality. Never mind that it violates the laws of thermodynamics; "It's my right, dammit..." is the attitude. But there is always a cost.

      That's no less true where information is concerned. Maxwell's Demon* cannot operate because information is not free, and can never be free (as in beer). And freedom isn't free either, especially freedom from exploitation by predators like What'sApp and Facebook. The price of that kind of freedom is taking personal responsibility for the so-called "free" software and services you use.

      *Google "Maxwell's Demon" if you're not familiar with the concept.

  3. Hans Schlotter · 632 days ago

    Almost all apts have the same submission rules. Why,why,why? You must have noticed. I don't understand NS has not commented on that issue. (As far as I know). Reason why I have almost no aps. But then NS is not a country.
    Please explain to me the philosophy of this kind of internet world. Must we all know about each other? Is it the CIA, Mossad, Russians?
    Millions of Nerds, programming like mad, hoping to get attention???

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.