Dissecting MASSIVE WhatsApp privacy policy change


Hello! It is time to discuss this big banner that WhatsApp threw at us a month ahead of their drastic privacy policy changes. I am sure we all saw it. Facebook has published the updated policy in advance; it has not yet been enforced. So, what I am going to do is analyse the “key changes” Facebook has made that will have privacy and security implications for us users.

Old privacy policy, in effect from July 20, 2020: https://archive.vn/KSl9r

New privacy policy, due to take effect February 8, 2021: https://archive.vn/Fmj1C

Now that we have the meat in focus, filler aside, let us dive into it.

Change in the Attitude (Legal Information)

Old: Respect for your privacy is coded into our DNA. Since we started WhatsApp, we’ve aspired to build our Services with a set of strong privacy principles in mind.

New: DELETED_STATEMENT

Explanation: This statement disappearing clearly demonstrates the same kind of paradigm shift in data treatment that Google made in ethics when it removed the “Don’t be evil” phrase. Except this is much worse, because Google products are not used in that way, to chat daily about our personal lives.

Old: When we say “WhatsApp,” “our,” “we,” or “us,” we’re talking about WhatsApp LLC. This Privacy Policy (“Privacy Policy”) applies to all of our apps, services, features, software, and website (together, “Services”) unless specified otherwise.

New: We are one of the Facebook Companies. You can learn more further below in this Privacy Policy about the ways in which we share information across this family of companies. This Privacy Policy applies to all of our Services unless specified otherwise.

Explanation: This makes it clear what ride we are in for in the future, if we use WhatsApp without any precautions. It will be about as pervasive as Instagram or Facebook, and arguably only better than Facebook Messenger or Apple’s iMessage.

Information You Provide

Old: Your Account Information. You provide your mobile phone number to create a WhatsApp account. You provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts. You confirm you are authorized to provide us such numbers. You may also add other information to your account, such as a profile name, profile picture, and status message.

New: Your Account Information. You must provide your mobile phone number and basic information (including a profile name of your choice) to create a WhatsApp account. If you don’t provide us with this information, you will not be able to create an account to use our Services. You can add other information to your account, such as a profile picture and “about” information.

Explanation: What is “basic information” that is a newer necessity? We have to wait and see, and I will update this post if anything new comes up, but it looks very suspicious to me. Is this going to be a need for government or legal ID proof? Some form filling?

Old: We do not retain your messages in the ordinary course of providing our Services to you. Once your messages (including your chats, photos, videos, voice messages, files, and share location information) are delivered, they are deleted from our servers. Your messages are stored on your own device. If a message cannot be delivered immediately (for example, if you are offline), we may keep it on our servers for up to 30 days as we try to deliver it. If a message is still undelivered after 30 days, we delete it. To improve performance and deliver media messages more efficiently, such as when many people are sharing a popular photo or video, we may retain that content on our servers for a longer period of time.

New: We do not retain your messages in the ordinary course of providing our Services to you. Instead, your messages are stored on your device and not typically stored on our servers. Once your messages are delivered, they are deleted from our servers. The following scenarios describe circumstances where we may store your messages in the course of delivering them: Undelivered Messages. If a message cannot be delivered immediately (for example, if the recipient is offline), we keep it in encrypted form on our servers for up to 30 days as we try to deliver it. If a message is still undelivered after 30 days, we delete it. Media Forwarding. When a user forwards media within a message, we store that media temporarily in encrypted form on our servers to aid in more efficient delivery of additional forwards.

Explanation: Nothing changed here.

Automatically Collected Information

Old: Usage and Log Information. We collect service-related, diagnostic, and performance information. This includes information about your activity (such as how you use our Services, how you interact with others using our Services, and the like), log files, and diagnostic, crash, website, and performance logs and reports.

New: Usage And Log Information. We collect information about your activity on our Services, like service-related, diagnostic, and performance information. This includes information about your activity (including how you use our Services, your Services settings, how you interact with others using our Services (including when you interact with a business), and the time, frequency, and duration of your activities and interactions), log files, and diagnostic, crash, website, and performance logs and reports. This also includes information about when you registered to use our Services; the features you use like our messaging, calling, Status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” information; whether you are online, when you last used our Services (your “last seen”); and when you last updated your “about” information.

Explanation: IMPORTANT! Earlier, metadata of messages used to be a commodity to WhatsApp. However, now, the following will be additionally unencrypted exploitable commodities for Facebook Inc.: “messaging, calling, Status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” information; whether you are online, when you last used our Services (your “last seen”); and when you last updated your “about” information.”

Old: We collect device-specific information when you install, access, or use our Services. This includes information such as hardware model, operating system information, browser information, IP address, mobile network information including phone number, and device identifiers. We collect device location information if you use our location features, such as when you choose to share your location with your contacts, view locations nearby or those others have shared with you, and the like, and for diagnostics and troubleshooting purposes such as if you are having trouble with our app’s location features.

New: We collect device and connection-specific information when you install, access, or use our Services. This includes information such as hardware model, operating system information, battery level, signal strength, app version, browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).

Explanation: Lots of little additions, yet heavy damage to privacy: battery level, signal strength, app version, language, time zone, device operations information. This makes WhatsApp deeply problematic for any journalist, whistleblower or activist.

Old: MISSING USER REPORT FEATURE

New: User Reports. Just as you can report other users, other users or third parties may also choose to report to us your interactions and your messages with them or others on our Services

Explanation: I talked about this some time ago here: https://old.reddit.com/r/privatelife/comments/k0u1el/writeup_something_horrible_has_pulled_up_whatsapp/ . This should be the least of your concerns.

Old: Third-Party Services. We allow you to use our Services in connection with third-party services. If you use our Services with such third-party services, we may receive information about you from them

New: Third-Party Services. We allow you to use our Services in connection with third-party services and Facebook Company Products. If you use our Services with such third-party services or Facebook Company Products, we may receive information about you from them

Explanation: This makes it incredibly dangerous to use any Facebook service except WhatsApp, if you choose or need to use WhatsApp on one or more devices.

Old: Third-Party Providers. We work with third-party providers to help us operate, provide, improve, understand, customize, support, and market our Services.

New: Third-Party Service Providers. We work with third-party service providers and other Facebook Companies to help us operate, provide, improve, understand, customize, support, and market our Services.

Explanation: The addition of “Facebook Companies” makes it clear what they want to achieve with the multiple data-grabbing micro Facebook brands they have. This is not looking good at all.

Old: WHATSAPP_BUSINESS_DID_NOT_EXIST

New: Businesses you interact with using our Services may provide us with information about their interactions with you. We require each of these businesses to act in accordance with applicable law when providing any information to us.

Explanation: Beware of WhatsApp business contacts and treat them as Facebook comments in public mode. These will not be private, knowing how companies of all scales are controlled by governments around the world. Even if the chats are E2EE, companies will abuse the report feature, comply, and give your texts away for plaintext processing.

Old: No Third-Party Banner Ads. We do not allow third-party banner ads on WhatsApp. We have no intention to introduce them, but if we ever do, we will update this policy.

New: No Third-Party Banner Ads. We still do not allow third-party banner ads on our Services. We have no intention to introduce them, but if we ever do, we will update this Privacy Policy.

Explanation: No change, yet important. This means that they are commodifying the data mined on you to subsidise WhatsApp and keep it free. Their old policy was in effect since 2016, after the 2014 Facebook buyout, and somehow the service still stays free. Magical. Zuckerberg surely is not a benevolent philanthropist, last I knew.

Old: Safety and Security. We verify accounts and activity, and promote safety and security on and off our Services, such as by investigating suspicious activity or violations of our Terms, and to ensure our Services are being used legally.

New: Safety, Security, And Integrity. Safety, security and integrity are an integral part of our Services. We use information we have to verify accounts and activity; combat harmful conduct; protect users against bad experiences and spam; and promote safety, security and integrity on and off our Services, such as by investigating suspicious activity or violations of our Terms and policies, and to ensure our Services are being used legally.

Explanation: Integrity is the word they added, and “combat harmful conduct” means a form of censorship, or some form of processing of messages sent. This likely refers NOT to backdooring E2EE, BUT to the news forwarding mechanism they introduced last year to inhibit spamming of fake news messages.

Information You And We Share

Account information, contacts and all that remain the same.

Old: Third-Party Providers. We work with third-party providers to help us operate, provide, improve, understand, customize, support, and market our Services.

New: Third-Party Service Providers. We work with third-party service providers and other Facebook Companies to help us operate, provide, improve, understand, customize, support, and market our Services.

Explanation: “Facebook Companies” is the one key addition almost everywhere.

Old: Third-Party Services. When you use third-party services that are integrated with our Services, they may receive information about what you share with them.

New: Third-Party Services. When you or others use third-party services or other Facebook Company Products that are integrated with our Services, those third-party services may receive information about what you or others share with them.

Explanation: Once again, “Facebook Companies” is the addition here. They are clearly communicating the idea that WhatsApp is one of them, not much different.

Old: “Affiliated Companies” section

New: “How We Work With Other Facebook Companies” section

Explanation: Both sections are almost identical and worded to act as a catalyst for FUD among the masses. Most privacy advocates and alarmists might fail to notice this. It is written to persuade you that your thinking may be wrong, and to create uncertainty about what you concluded from reading the privacy policy up to this point. Psychological tactics.

Our Global Operations

Old: You agree to our information practices, including the collection, use, processing, and sharing of your information as described in this Privacy Policy, as well as the transfer and processing of your information to the United States and other countries globally where we have or use facilities, service providers, or partners, regardless of where you use our Services. You acknowledge that the laws, regulations, and standards of the country in which your information is stored or processed may be different from those of your own country.

New: WhatsApp shares information globally, both internally within the Facebook Companies and externally with our partners and service providers, and with those with whom you communicate around the world, in accordance with this Privacy Policy. Your information may, for example, be transferred or transmitted to, or stored and processed in, the United States; countries or territories where the Facebook Companies’ affiliates and partners, or our service providers are located; or any other country or territory globally where our Services are provided outside of where you live for the purposes as described in this Privacy Policy. WhatsApp uses Facebook’s global infrastructure and data centers, including in the United States. These transfers are necessary to provide the global Services set forth in our Terms. Please keep in mind that the countries or territories to which your information is transferred may have different privacy laws and protections than what you have in your home country or territory.

Explanation: Some key changes. WhatsApp’s message metadata, messaging, calling, Status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” information; whether you are online, when you last used our Services (your “last seen”); and when you last updated your “about” information will all be shared not just with the USA government and NSA/CIA, but also within the Facebook Companies, where this data will be linked with other Facebook services you use.

Conclusions and Solutions

Key takeaways are:

  • The following, in addition to message metadata, is now an exploitable commodity for Facebook Inc.: messaging, calling, Status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” information; whether you are online, when you last used our Services (your “last seen”); and when you last updated your “about” information.
  • All the above data will be shared with all Facebook Companies and brands, and this data will be interlinked to create a detailed profile of your life forever. This creates a bigger problem than just the message metadata they used to have.
  • Usage of WhatsApp needs to be treated with much more care now. You cannot just use it for communications with anyone at any time.

So, what are the solutions? Deleting WhatsApp is unreasonable for most, and I do not want to address them here.

  • Talk exclusively to closest friends and family on WhatsApp, and I mean EXCLUSIVELY
  • Avoid WhatsApp business contacts to talk about any personal life or personal details
  • Shun as many WhatsApp contacts as you can. Block, delete, do whatever.
  • Encourage use of Signal over WhatsApp for contacting you. Tell them to keep both Signal and WhatsApp on their phone. They need NOT delete WhatsApp to use Signal.
  • Treat WhatsApp as a gateway to social life, but still avoid it for ANY sensitive information sharing.
  • Avoid giving WhatsApp permissions other than Contacts or Storage. No location, no telephone, no camera, no microphone, no SMS.
  • If you want to post a picture or video status, HIGHLY CONSIDER using aluminium foil with tape to cover front and rear cameras. Why? Take a look yourself: https://twitter.com/joshuamaddux/status/1193434937824702464

REMINDER, THIS IS DIFFERENT FROM THE USER REPORT FEATURE I COVERED HERE: https://old.reddit.com/r/privatelife/comments/k0u1el/writeup_something_horrible_has_pulled_up_whatsapp/
