WhatsApp’s privacy troubles a warning for all app developers
By Chantal Tode
January 29, 2013
WhatsApp is a popular messaging app
In a reflection of the growing scrutiny on the privacy practices of app developers, Canadian and Dutch data protection authorities recently joined forces to investigate the activities of mobile messaging application WhatsApp.
The coordinated investigation revealed that the app violates the countries’ privacy law because most users of WhatsApp do not have a choice to use the app without granting access to their entire address book, which contains both users and non-users. Under Dutch and Canadian privacy laws, both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.
“It is a big milestone – it is the first time that we are working on both sides of the ocean with two data protection agencies on this issue,” said Lysette Rutgers, a spokeswoman for the Dutch Data Protection Authority, The Hague, Netherlands.
“We both of us had signals that the way WhatsApp treated their data might be contravening privacy laws,” she said.
“We thought it would be very effective if both sides of the ocean worked together.”
WhatsApp did not respond to a request for comment.
The coordinated Dutch, Canadian investigation is a global first and reflects the growing influence that mobile apps have, as WhatsApp has hundreds of millions of customers worldwide.
As the influence of mobile apps is growing, so, too, is regulatory concern over the privacy practices of some developers.
In the United States, concern over how app developers use the data they collect has been growing over the past year. The Federal Trade Commission recently updated rules governing how children’s personal data is protected in the online world to include mobile apps for the first time.
Taken together, these developments point to an increasingly strict regulatory environment for mobile app developers and the need to ensure their privacy practices are up to snuff. If they are not, developers increasingly face the risk of legal actions and fines.
More work to do
WhatsApp Inc., a California-based mobile app developer, makes the popular WhatsApp mobile messaging app that enables users to send and receive instant messages over the Internet across various mobile platforms.
As a result of the coordinated investigation, WhatsApp has committed to making changes in order to better protect users’ personal information and has already taken steps to implement many of the recommendations put forth by the privacy authorities.
For example, at the time that the investigation began, messages sent via WhatsApp were unencrypted. In September 2012, WhatsApp introduced encryption.
Additionally, the company strengthened the authentication process in the latest version of its app, using a more secure randomly generated key instead of generating passwords from MAC or IMEI numbers.
However, some of the issues revealed in the report have not been fully addressed yet, according to the privacy organizations.
For example, WhatsApp retains all the phone numbers transmitted to it when a user signs-up, even non-user phone numbers that are in a user’s address book. This violates Canadian and Dutch privacy law, which holds that information may be retained only if it is required for fulfillment of an indentified purpose.
Only iPhone users running iOS6 have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically.
The Canadian and Dutch privacy authorities will pursue any outstanding privacy issues independently of one another going forward.
The Dutch authority will examine whether the breaches of law continue and will decide whether it will take further enforcement actions, which could include imposing sanctions.
“We are very interested in the app industry,” Ms. Rutgers said. “It is relatively new and that is a lot of data that is being processed.
“We want to make sure it is done in the way that European Union law says it should be,” she said.
Chantal Tode is associate editor on Mobile Marketer, New York
- Trackback url: http://www.mobilemarketer.com/cms/trackback/14670-1