WhatsApp, the popular instant messaging smartphone app, has been under investigation by governmental privacy authorities in Canada and The Netherlands for almost a year for violations of both nations’ privacy acts.
This is the first time countries have worked together to conduct a privacy investigation and it appears to have been a great success. As I don’t read Dutch, I have only examined the Canadian report.
The first issue they looked into was the ability for someone to “spoof” or artificially register someone’s smartphone for the service without their permission or to impersonate that person’s phone to intercept their messages.
While some issues existed in this process previously, it was determined that the concerns were not well founded.
Another complaint against WhatsApp was that it requires users to upload their entire address book to determine which of their contacts are fellow users of WhatsApp.
The lack of an option to choose which contacts you want to upload to the service is considered a breach of privacy and an overreach by the company.
WhatsApp has updated its iOS app to allow manual uploading and intends to provide updates for its Android, BlackBerry, Windows and Symbian clients as well.
A bigger issue is that WhatsApp not only uploads the phone numbers of non-app users from your address book, but stores them perpetually. The company’s defence is that it stores non-user numbers as salted MD5 hashes.
The Canadian Privacy Commissioner found that this is an unacceptable, unnecessary practice. In the case of a data breach, these numbers can be trivially brute-forced “in less than 3 minutes on a desktop computer,” according to the report.
To comply with international privacy regulations, WhatsApp must stop retaining unnecessary personally identifiable information.
WhatsApp also broadcasts your status updates to everyone who has your number in their address book. It is not made clear to users that this will occur, and even worse, there are no controls.
Even someone who typo’d a friend’s phone number would be granted access to your status updates without your knowledge.
WhatsApp intends to include a pop-up in future versions of the software ensuring users understand who may see their statuses and allowing them to choose not to broadcast their status. They committed to providing this by September 30, 2013.
Another provision of Canada’s PIPEDA that was violated covers disclosure to users of the minimum and maximum retention times for the data collected. While it appears that WhatsApp had a policy, it was not presented directly to its users.
The company has agreed to update its privacy and terms of service policies to clearly outline its intentions by March 31, 2013.
At the beginning of the investigation, the company was not properly encrypting any of the communications of its users. Its initial attempt at encryption relied upon using IMEIs and MAC addresses as encryption keys.
The investigation determined this was inadequate and easy to defeat. WhatsApp has begun the transition to 160-bit randomly generated keys in its iOS app and will follow through on other platforms.
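The hashed phone numbers and the IMEI/MAC-based keys fail for the same reason: the input comes from a space small enough to enumerate. The Python below is an added example, not code from WhatsApp or the Commissioner's report; the salt-prepended MD5 scheme, the salt, the phone number and the value-space sizes are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import time

SALT = b"constructed-salt"  # assumption: a salt stored alongside the hashes

def salted_md5(number: bytes, salt: bytes = SALT) -> str:
    # Assumed scheme (salt prepended); the article does not give the exact one.
    return hashlib.md5(salt + number).hexdigest()

def measure_rate(samples: int = 100_000) -> float:
    """Salted-MD5 hashes per second on one core of this machine."""
    start = time.perf_counter()
    for i in range(samples):
        salted_md5(b"%010d" % i)
    return samples / (time.perf_counter() - start)

def recover(digest: str, prefix: bytes, unknown_digits: int, salt: bytes = SALT):
    """Map a stored hash back to its number by hashing every candidate."""
    for i in range(10 ** unknown_digits):
        candidate = prefix + str(i).zfill(unknown_digits).encode()
        if salted_md5(candidate, salt) == digest:
            return candidate
    return None

# Value spaces: sizes are assumptions, except the 160-bit key from the article.
SPACES = {
    "10-digit phone number": 10 ** 10,
    "IMEI, model known (6-digit serial)": 10 ** 6,
    "MAC address, vendor known (24 bits)": 2 ** 24,
    "160-bit random key": 2 ** 160,
}

def report(rate: float) -> dict:
    """Entropy in bits and worst-case seconds to hash every value once."""
    return {name: (math.log2(size), size / rate) for name, size in SPACES.items()}

def new_key() -> bytes:
    """A 160-bit key from the OS CSPRNG, independent of any device identifier."""
    return secrets.token_bytes(20)

if __name__ == "__main__":
    rate = measure_rate()
    for name, (bits, secs) in report(rate).items():
        print(f"{name:36s} {bits:6.1f} bits  {secs:9.3g} s at {rate:,.0f}/s")
    stored = salted_md5(b"12025550142")       # constructed number
    print(recover(stored, b"120255", 5))      # b'12025550142'
```

A single Python core is far slower than purpose-built hashing on a GPU, so the printed times are upper bounds for the small spaces; only the 160-bit key remains out of reach at any realistic rate.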
I think it is an excellent conclusion that two independent countries could work together to ensure the safety of their citizens while working in a cooperative manner with private enterprise.
Normally I would chastise WhatsApp for exposing sensitive information unnecessarily, but in this case I will give them some credit. They made mistakes, but are willing to work with authorities to make things right.
While anyone can create an “app” and be a smartphone superhero overnight, that does not exempt you from privacy regulations. Don’t make the mistakes WhatsApp made; think things through from your customer’s point of view.