The popular instant messaging application Whatsapp was recently dinged by two national privacy commissioners for violations similar to those that dogged the social network Path in 2012. The Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority said Tuesday that Whatsapp was “in contravention of Canadian and Dutch privacy laws.” But the two authorities said the company was taking steps to improve its privacy controls, a benefit for all Whatsapp users worldwide.
Like Facebook Messenger, Whatsapp allows you to text message friends all over the globe for free by sending your messages over a data or Wi-Fi network. You can also use Whatsapp to share your location on a map, send photos, short videos, audio messages, and contact data. The company recently announced a daily usage record of 7 billion incoming and 11 billion outgoing messages.
As a Whatsapp user myself, I was concerned to hear my favourite SMS app was a privacy bad boy. Let’s dive in to see what’s going on.
What’s up with Whatsapp
The biggest outstanding complaint the agencies have against Whatsapp is the way it handles your address book. Whatsapp copies your address book to its servers to find matches with other Whatsapp users so you can message one another.
The privacy authorities said that contact data for non-users is kept on Whatsapp servers in a hashed form, but didn’t identify whether Whatsapp was using a particularly weak hashing algorithm, such as plain vanilla MD5, or something stronger.
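To make the hashing point concrete, here is an added example (not Whatsapp's code, and the phone numbers and server key are constructed) contrasting an unkeyed MD5 contact table with an HMAC-SHA256 table keyed by a server-side secret. Both let the server match uploaded contacts against registered users, but only the unkeyed table can be checked by anyone who later obtains a copy of it, because a phone number is easy to guess and its hash needs no secret to recompute.

```python
import hashlib
import hmac

# Constructed sample data: numbers from one user's uploaded address book.
UPLOADED_BOOK = ["+15550001234", "+15550005678", "+15550009999"]
# Constructed: numbers of people who are already registered users.
REGISTERED_USERS = ["+15550005678", "+15550007777"]
# Constructed: a secret that would live only on the server.
SERVER_KEY = b"constructed-server-secret"


def weak_hash(number: str) -> str:
    """Unkeyed MD5 of the raw number ('plain vanilla' MD5).
    Anyone can recompute it for any number they care to guess."""
    return hashlib.md5(number.encode()).hexdigest()


def keyed_hash(number: str, server_key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 under a key that never leaves the server.
    Matching still works server-side; a leaked table is useless without the key."""
    return hmac.new(server_key, number.encode(), hashlib.sha256).hexdigest()


def match_contacts(uploaded, registered, hasher):
    """Server-side friend finding: hash both sides the same way and intersect.
    Returns the uploaded numbers that belong to registered users."""
    registered_hashes = {hasher(n) for n in registered}
    return sorted(n for n in uploaded if hasher(n) in registered_hashes)


def recoverable_from_table(stored_hashes, candidate_numbers, hasher):
    """Risk check for a retained table: which candidate numbers can be confirmed
    as present by someone holding only the hashes and the hash function?
    For an unkeyed hash that is every number they can guess; for a keyed hash
    the check fails unless they also hold the server key."""
    return sorted(n for n in candidate_numbers if hasher(n) in stored_hashes)


if __name__ == "__main__":
    print("matches (MD5):  ", match_contacts(UPLOADED_BOOK, REGISTERED_USERS, weak_hash))
    print("matches (HMAC): ", match_contacts(UPLOADED_BOOK, REGISTERED_USERS, keyed_hash))
    md5_table = {weak_hash(n) for n in UPLOADED_BOOK}
    hmac_table = {keyed_hash(n) for n in UPLOADED_BOOK}
    print("leaked MD5 table reveals: ", recoverable_from_table(md5_table, UPLOADED_BOOK, weak_hash))
    # Someone without the server key can only try guessed keys, which do not match.
    guess = lambda n: keyed_hash(n, b"wrong-guess")
    print("leaked HMAC table reveals:", recoverable_from_table(hmac_table, UPLOADED_BOOK, guess))
```

Keying the hash does not by itself make retention acceptable; it only limits what a copied table discloses, and the key becomes another secret to protect.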
Holding on to data from users’ address books longer than necessary is what opened Path, and several other smartphone app makers, to privacy criticisms in early 2012. At issue with Path was that, unlike Whatsapp, the social network did not disclose that it was copying your address book and keeping it on its servers. Path, at the time, half-apologised for its actions, and explained it needed to do this to help users “find and connect to their friends and family on Path quickly and efficiently.” Shortly thereafter, Path deleted all contact data on its servers and began asking for permission before copying your contact database.
Whatsapp recently changed its app so that iOS 6 users are able to selectively choose contacts to add to Whatsapp instead of uploading their entire address book, according to the two privacy agencies.
Although the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority were unhappy with how Whatsapp handles user address books, the agencies praised Whatsapp for two improvements it made to how it handles messages. Whatsapp began encrypting user messages in September 2012 to keep personal communication private. Previously, all Whatsapp messages were sent as plain text, making them far more vulnerable to interception, especially over open Wi-Fi networks.
Even though you don’t have to use a password to sign up for Whatsapp, the messaging service was using a password authentication mechanism for device-to-device communication, according to the agencies. These passwords were generated from your device’s Media Access Control (MAC) address and International Mobile Station Equipment Identity (IMEI) number.
The privacy agencies argued that this was not a secure way to generate passwords, since the identifiers it relied on could be easily exposed. Using the MAC and IMEI numbers could, at least in theory, make it possible to impersonate someone’s Whatsapp account to send and receive messages. Whatsapp now uses a stronger authentication process, but it’s not clear what that process is.
The privacy agencies urged all users to update to the latest version of Whatsapp to receive the latest security upgrades.