As most of us might be frequent users of WhatsApp, it is important for us to know what kind of information is being shared and how?
WhatsApp has defined the shared information into 2 categories in their policy:
1) The information you provide them
2) The information that is collected automatically
Information You Provide
There are several pieces of information that you need to provide to WhatsApp in order to use the gain the basic functionalities of the application and use it efficiently.
Account information: Some basic information is collected and is mandatory for the creation of account like phone number and the name you choose to keep. Further, you can add some additional information and a profile picture, but that’s completely optional!
Messages: WhatsApp says it does not retain any of your messages in the services provided to you. So, the messages you will sending are stored on your device and not on their servers.
During the process of delivery of the messages, WhatsApp and other third parties cannot read the messages as WhatsApp uses end-to-end encryption.
For the messages that could not be delivered ie: if the receiver is not online, the messages stay in their server in encrypted form for up to 30 days in order to attempt the delivery of messages and if still not delivered the message get deleted by WhatsApp.
Media forwarding messages are stored temporarily in encrypted format in their servers when a user attempts to send them.
Well! this seems quite secure!
Transactions and payment data
If you use their payment services or services for any kind of financial transactions, WhatsApp says, “we process additional information about you, including payment account and transaction information. Payment account and transaction information includes information needed to complete the transaction (for example, information about your payment method, shipping details and transaction amount.”
And a few other information like your connections on WhatsApp, status information (only if you wish to share it!), and Customer Support and Other Communications like email address for services.
Automatically Collected Information
WhatsApp also collect some information automatically like Usage and Log Information, Device and Connection Information, Location Information, Cookies.
WhatsApp has mentioned “Third- Party Information” in its new policy. Now this is something “Alarming!”
Third-Party Service Providers: WhatsApp says “We work with third-party service providers and other Facebook Companies to help us operate, provide, improve, understand, customize, support, and market our Services.”
Third-Party Services: WhatsApp says “We allow you to use our Services in connection with third-party services and Facebook Company Products. If you use our Services with such third-party services or Facebook Company Products, we may receive information about you from them.”
Further, WhatsApp has also mentioned in their new policy about how they work with other Facebook companies
Being a part of the Facebook companies, WhatsApp exchanges information with them in several aspects one of which is marketing and their offerings, including the Facebook products.
Further WhatsApp explained in one of its key points stating that “improving their services and your experiences using them, such as making suggestions for you (for example, of friends or group connections, or of interesting content), personalizing features and content, helping you complete purchases and transactions, and showing relevant offers and ads across the Facebook Company Products.”
Well not just limited to sharing information but an integration of your WhatsApp experiences with Facebook company products. So, a person will be conducting its payments for WhatsApp from its Facebook Pay account. Hmm…Sounds great!
Looking at the policy updates and the addition of third-party interference into the one of the most used applications in world which is sharing sensitive information, leaves us with several concerns in regards to an individual’s privacy!
Although the messages we share are encrypted and none can view them, there are several other pieces of information that can disclose a lot about a person. The Account information reveals a person’s name and phone number. Meanwhile the transactions and payment data can be easily used to identify what kind of purchases a person does and how often! The frequencies of the transactions can be used to predict and asses a person’s expenditure and later on can be used to display ads accordingly! Further the automatically collected information reveals a person’s device information, usage and exact location. So, combining all the information being shared, a person’s complete identity and behaviour is being revealed! Which might be okay for people if it was limited to sharing it with WhatsApp as it is only a chat application but providing this information to third-party providers can be worrying!
We tried to highlight some questions regarding possible outcomes of giving away information in the hands of third-party providers!
1) Facebook have 88 acquisitions including WhatsApp: Having a wide spread hold in the shares of companies how will Facebook use the WhatsApp customer data to benefit its other investments?
3) How will the privacy of the users will be affected if the information collected by Facebook is further processed by other third-party companies?
Well, until now consequences of information sharing with third-party can only be predicted but the actual impact of this action will be seen only after the policy is implemented.
Author: Mohammad Usman Rais (Cyber Security intern)