
Whatsapp gets thumbs down from privacy hawks

The popular instant messaging application Whatsapp was recently dinged by two national privacy commissioners for violations similar to those that dogged the social network Path in 2012. The Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority said Monday that Whatsapp was “in contravention of Canadian and Dutch privacy laws.” But the two authorities said the company was taking steps to improve its privacy controls, a benefit for all Whatsapp users worldwide.

Whatsapp allows you to text message friends all over the globe for free by sending your messages over a data or Wi-Fi network similar to Facebook Messenger. You can also use Whatsapp to share your location on a map, send photos, short videos, audio messages, and contact data. The company recently announced a daily usage record of 7 billion incoming and 11 billion outgoing messages.

As a Whatsapp user myself, I was concerned to hear my favorite SMS app was a privacy bad boy. Let's dive in to see what's going on.

What's up with Whatsapp

The biggest outstanding complaint the agencies have against Whatsapp is the way it handles your address book. Whatsapp copies your address book to its servers to find matches with other Whatsapp users so you can message one another.

The problem, however, from the point of view of the agencies is that Whatsapp copies your entire address book on its servers and doesn't delete the numbers of non-users. “This practice contravenes Canadian and Dutch privacy law, which holds that information may only be retained for so long as it is required for the fulfillment of an identified purpose,” the two organizations said. Whatsapp discloses in its privacy policy how it handles your contact list.

The privacy authorities said that contact data for non-users is kept on Whatsapp servers in a hashed form, but didn't identify whether Whatsapp was using a particularly weak hashing algorithm, such as plain vanilla MD5, or something stronger.

Whatsapp’s privacy policy says it keeps non-users on its servers as “one-way irreversibly hashed values.” It's not clear why Whatsapp feels it necessary to keep contact data of non-Whatsapp users, but it's pretty clear this is a bad idea and, in all likelihood, unnecessary.
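Why "one-way irreversibly hashed" is a weak promise for phone numbers: the space of valid numbers is small enough to enumerate, so an unsalted hash such as MD5 can be matched back to the number it came from, whereas a keyed hash (HMAC under a server-side secret) cannot be reversed by anyone who does not hold the key. This is an added illustration, not Whatsapp's code; the number block, the key, and the hashing choices are constructed assumptions for the demo.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed sample: one 10-digit number inside a small, assumed block.
# A real retained address book is far larger, but the lesson is the same:
# the set of valid phone numbers is tiny compared with a hash's output space.
SAMPLE_NUMBER = "5551230042"
BLOCK_PREFIX = "555123"   # assumed area code + exchange
SUFFIX_DIGITS = 4         # remaining digits to search: 10**4 candidates


def md5_hash(number: str) -> str:
    """Plain, unsalted MD5 of a phone number: 'irreversible' only in name."""
    return hashlib.md5(number.encode()).hexdigest()


def keyed_hash(number: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key, no enumeration is possible."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def recover(digest: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Match a stored digest back to a number by hashing every candidate in the block."""
    for i in range(10 ** SUFFIX_DIGITS):
        candidate = f"{BLOCK_PREFIX}{i:0{SUFFIX_DIGITS}d}"
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


def demo() -> dict:
    """Compare how each scheme holds up against enumeration of the block."""
    server_key = b"constructed-secret-key-not-real"   # assumed, held only by the server
    # Unsalted MD5: the number is recovered after at most 10**4 hash computations.
    from_md5 = recover(md5_hash(SAMPLE_NUMBER), md5_hash)
    # Keyed hash: a party without the key can only try guesses, which never match.
    from_keyed = recover(keyed_hash(SAMPLE_NUMBER, server_key),
                         lambda n: keyed_hash(n, b"some-guessed-key"))
    return {"md5_recovered": from_md5, "keyed_recovered_without_key": from_keyed}


if __name__ == "__main__":
    print(demo())   # prints {'md5_recovered': '5551230042', 'keyed_recovered_without_key': None}
```

A keyed hash only moves the problem to key custody: whoever holds the key (or obtains it in a breach) can still enumerate, which is why not retaining non-users' numbers at all, as the regulators demanded, is the stronger control.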

Holding on to data from users' address books longer than necessary is what opened Path, and several other smartphone app makers, to privacy criticisms in early 2012. At issue with Path was that, unlike Whatsapp, the social network did not disclose that it was copying your address book and keeping it on its servers. Path, at the time, half-apologized for its actions, and explained it needed to do this to help users “find and connect to their friends and family on Path quickly and efficiently.” Shortly thereafter, Path deleted all contact data on its servers and began asking for permission before copying your contact database.

Whatsapp recently changed its app so that iOS 6 users are able to selectively choose contacts to add to Whatsapp instead of uploading their entire address book, according to the two privacy agencies.

Thumbs up

Although the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority were unhappy with how Whatsapp handles user address books, the agencies praised Whatsapp for two improvements it made to how it handles messages. Whatsapp began encrypting user messages in September 2012 to keep personal communication private. Previously, all Whatsapp messages were sent as plain text, making them far more vulnerable to interception, especially over open Wi-Fi networks.

Even though you don't have to use a password to sign up for Whatsapp, the messaging service was using a password authentication mechanism for device-to-device communication, according to the agencies. These automatically generated passwords were derived from your device's Media Access Control (MAC) address and International Mobile Station Equipment Identity (IMEI) number.

The privacy agencies argued that this was not a secure way to generate passwords and could be easily exposed. Using the MAC and IMEI numbers could, at least in theory, make it possible to impersonate someone's Whatsapp account to send and receive messages. Whatsapp now uses a stronger authentication process, but it's not clear what that process is.

The privacy agencies urged all users to update to the latest version of Whatsapp to receive the latest security upgrades.
