APPREHENSION over an update to the privacy policy of the popular messaging application WhatsApp has been rife on social media. It is enco­uraging to see such widespread concern for users’ privacy and data protection. At the same time, it is important to track how secure messaging has evolved over time, what this update in the priv­acy policies of a popular messaging application entails, and what our takeaway from this fiasco can be.

WhatsApp was founded in 2009 by two former Yahoo employees, and slowly evolved into the most popular mobile phone messaging application. The salient advantage of WhatsApp was that one could sent unlimited free messages with an internet connection, ending the reliance on SMS that are charged at a per message rate by telecom operators. Though iMessage existed for Apple customers and Blackberry messenger for Blackberry customers, these could only be used if both parties communicating owned a device of the same company. With the advent and increased popularity of the Android operating system developed by Google, anyone could have access to encrypted private messaging through WhatsApp, which previously only Apple and Blackberry customers could enjoy, by downloading the application on any kind of device.

This freedom from SMS costs and secure messaging made WhatsApp wildly popular, and by 2014, Facebook bought it for a staggering $19 billion, the highest amount ever paid for an acquisition till then. For the sake of comparison, Facebook had bought Instagram for $1bn just two years before buying WhatsApp.

It is indeed a blunder by WhatsApp to move towards a model that is less private than before.

WhastApp’s end-to-end encryption has meant that nobody other than the sender and recipient of the chat can see the contents of the message. This applies to messages, phone calls, photos, videos, documents, location pins, etc, including in group chats. The new privacy policy does change the privacy of messages exchanged with a WhatsApp business account, which can now be shared with third-party applications, including Facebook. The privacy policy states that “if you choose to interact with Shops, your shopping activity can be used to personalise your Shops experience and the ads you see on Facebook and Instagram”, referring to the Facebook Shops feature that is now also connected to WhatsApp business accounts. This only applies when one is interacting with WhatsApp business accounts.

However, what this change in privacy policy has also highlighted is the other vast amount of data WhatsApp, owned by Facebook, collects about its users which is linked to their identity. This includes purchases, location based on IP address, contacts, device and internet service identifiers, financial information if interacting with a business account, contact information, usage data such as time when users use the app the most, names of groups that a user is a part of, status updates, profile display pictures and online status. All of this data is not encrypted on WhatsApp.

Known as metadata, this provides information about the data of a user and is also very helpful in advertising, though WhatsApp claims they do not share all of the metadata with its parent company Facebook. The new privacy policy also says that there are currently no advertisements on WhatsApp, but if they do start, the privacy policy will be updated. This could be a hint about future plans of the messaging application. Considering that so much of personally identifiable data is not encrypted and available to the company, it also makes it vulnerable to hackers, no matter how strong the existing security protocols are at the company. Perhaps this explains the massive $19bn investment Facebook made, and it is ready to reap benefits of this investment now.

There has also been mass migration towards more secure applications. It is pertinent to note that currently the application that is considered most secure is the Signal application, which is run by a nonprofit venture called Signal Foundation started by cofounder of WhatsApp Brian Acton who had left WhatsApp in 2017. In 2018, WhatsApp’s CEO and cofounder had also left the company, allegedly due to disagreements with the direction in which Facebook was taking the application.

Signal is an open source application, which means no corporation has total control over the software, and all user information is end-to-end encrypted, except for the contact information required to sign up for the application, which is also not kept as personally identifiable information by the application. The other application is Telegram, where the data collected includes contacts and device and network identifiers.

In a world where there is a push towards greater privacy, it is indeed a blunder by WhatsApp to move towards a model that is less private than before. Furthermore, WhatsApp’s new privacy policy update is applicable all over the world except for the European Union owing to stricter privacy and data protection laws there. This is an important lesson for governments: if they promulgate legislation that upholds pro-privacy rights and ensure higher security of data, companies will respect individual privacy rights. This does not mean greater powers for the government to have access to user data as the Pakistani government has attempted through the Removal and Blocking of Online Content Rules, 2020, but respecting the dignity of citizens to have their data secure and encrypted even when held by the government. Responsible business practice by WhatsApp would be to apply the highest privacy standards across the globe.

The conversation on the WhatsApp privacy policy has also led the Pakistani IT ministry to announce that it is moving forward with its data protection and privacy law, a draft of which was introduced in March 2020. It is important that all feedback from stakeholders is taken into consideration, that consultations are held with all stakeholders that provided this feedback, and that a justification is provided for not including feedback that is going to be ignored.

Corporations and governments must move towards more secure data protection and privacy regimes as the number of internet users increases. This can only start with a rethink of business models that accrue profit from the data of users, and laws that protect citizen privacy rather than demand a chunk from corporate-enabled surveillance.

The writer is director of Bolo Bhi, an advocacy forum for digital rights.

Twitter: @UsamaKhilji

Published in Dawn, January 16th, 2021