Yet another analysis of WhatsApp’s Privacy Policy
On 8th Jan 2021, WhatsApp rolled out its updated Privacy policy and mandated all the users to accept it on or before 8th February 2021 failing which the user would be forced to leave the service. This has caused a lot of stir among netizens.
First, let’s see what WhatsApp officially and openly declares the data it is going to collect and what it might be used for.
SMS permission
It might be observed while performing a new installation of WhatsApp, it asks permission to read SMS. The reason behind it is to autofill the OTP which is being sent to the device. One can deny this and choose to manually enter the password as the app would never ask for this permission again
Camera
As one might know that WhatsApp has an inbuilt camera feature which could be used to take photos and instantly share it with contacts, groups or put as a status. The camera would also be used while on a video call.
Microphone
The voice-call, video recording and the voice message features of WhatsApp demand access to the microphone.
Location
The feature which lets the users share a location to their contacts would need access to the GPS module of the device.
Storage
There are various reasons why WhatsApp would need storage access. To save the backup data of the chats, the media files you send and receive (might be in groups or personal chats or perhaps the media you download in status). This requires storage access of the device.
Contacts
The feature where the user saves the phone number in contacts and the contact directly indexes to the contact list of the WhatsApp. This requires permission to access contacts.
Phone
The access to phone app is necessary as WhatsApp would need to inherit various features and privileges that of the phone app. The notification when someone is calling which draws over the foreground app, the use of primary and secondary mics to subvert the ambient noises, to suppress the secondary sounds and notifications while on call, prioritise the call over other apps etc.
Notifications
It is pretty obvious that WhatsApp would need notification permission to display the message updates. It is a matter of another discussion that the whole point of notification is to get the users hooked to the app and use the app for a maximum of their time.
Account information
The information like phone number, profile name and photo, online status and status message, last seen status and receipts are the bare essentials for the functioning of the app and its features, provided that these data are used for what they are said to be used for.
Device information
Hardware model, operating system information would be necessary for diagnostic requirements in case of failure or perhaps for a test operation of a new feature.
Browser information would be necessary in the case of WhatsApp web for smooth and error-free functioning of features and delivery of services.
IP address and device identifiers are necessary to redirect the message to the intended destinations. That is basically how a chat application works.
Battery information is collected for a specific feature in WhatsApp web where it pops up a notification if the battery of the mobile is below 15%.
Purchase information
After a long battle with RBI, WhatsApp finally got a nod for WhatsApp UPI payment integration. In order to securely perform transactions, the app would need details such as location which is a norm to be collected in UPI apps such as PhonePe or Google Pay. And keeping a track of transactions would also be a requirement for obvious reasons.
Advertising IDs
Many people accuse WhatsApp of spying on chats alleging that they saw ads online which were linked to the private conversation they had on WhatsApp. Chats on WhatsApp are end-to-end encrypted which means there are only 2 entities which can read the message in its original form: the sender and the intended receiver. One possibility for this experience of users could be the keyloggers in the keyboards they use. Third-party keyboard applications tend to spy on what their users type and this creates a massive privacy breach which no one talks about.
So where is the problem?
Subordinate companies of Facebook
The privacy policy of WhatsApp states that it would be obliged to share the user data with any of the companies owned by Facebook.
And, this document also mentions that the data stored about the user will be deleted if the user deletes the account using in-app account delete feature.
But, one of the companies owned by Facebook, namely Onavo, retains the data unless a written request is submitted to them to do otherwise. Now, that is what you call a masterstroke.
Flexibility to the amendments of the privacy policy
The privacy policy also states that the privacy policy itself could be changed at any point in time if deemed necessary.
Even if today everything is safe and the privacy is being guarded with almost priority, there is no guarantee that the privacy policies would be amended to act otherwise especially in the countries like India and South Africa where there are no rigid digital laws. The users will be forced to accept the terms and conditions due to the established relations on the platform.
Change of ownership
In the privacy policy, it is clearly mentioned that the data will be accessible to anyone who would acquire the company. As the future is very uncertain, “Future owner” of the company might not respect the privacy of the users and might exploit the data available at their disposal.
Protection against malicious code
As said earlier, the messages are end to end encrypted and there is no way for any middlemen, including WhatsApp to intercept the messages and decrypt unless the encryption key is available. This may not ensure the privacy of the users.
Many forms of malicious code which infect the users’ devices can monitor messages at the sender’s or receiver’s end. These malicious code generally are from apps downloaded and installed from outside of play store, or from sites of copyright infringement such as torrents or online illegal music download websites. By a process called steganography, it is easy to inject a malicious code into a file of interest and when that file is opened at the target’s device, the code starts its execution compromising the privacy of the user. This is just a small example out of hundreds, if not thousands of ways to infect the user’s device.
WhatsApp has clearly safeguarded itself in any such cases of virus-induced privacy breaches.
We debate so much about Facebook stealing our data but little do we talk about the abundance of Chinese mobiles in the market whose firmware is never checked for malicious code.
Chinese companies have all the user data at their disposal and the Chinese government can walk into any company in their territory in broad daylight and take the data. No questions asked.
Our data is being stolen right under our noses and frankly, we are doing nothing about it but to buy cheap Chinese products till they sell out under seconds they are rolled out.
Drive Backup
The chat contents are backed up to the google drive of the user. The backup file is not encrypted which makes it prone if google account security is breached.
Data centre hack vulnerability
All the security of user data is subjected to the security of data centres of Facebook. And history has been proof that the risk of a security breach in a data centre is considerable.
So what is the solution?
- In the recent update of android, one can set up permission in such a way that the location is being shared by the device to app only when the app is in use.
2. An app called “Access dots” could be installed which would pop up a green dot on the notification bar every time there is camera access.
3. Access dots app displays an orange dot in the notification bar if the microphone is being used by any app. This can be used to trace the microphone access activity.
4. An app called “Bouncer” provides a feature wherein the user can give temporary permissions to apps and once the app is closed, Bouncer would turn off the permission granted in that session.
5. A government regulatory body needs to be set up which scrutinises all the closed and proprietary softwares available to the general public. This is of national importance as the security of the nation could be compromised if let loose.
6. OPEN SOURCE.
True privacy could be achieved only when the code in deployment is available for public scrutiny. No matter how stricter laws come into action, it's a highly complicated process to trace 0s and 1s. One can never know what is going on under the hood. When there is a product in existence with such high importance and sensitiveness of the data it holds, a transparent system always should be a choice of preference.
Conclusion
A robust digital ecosystem needs to be built which checks the companies for their activities and keep ethics always on the table.
“There are no limits to what free men, free women, and free markets can accomplish.” –Jack Kemp
It should always be ensured that the accomplishment of the free market should always weigh positive and make the world a better place to live.
