There has been a massive outcry about WhatsApp changing their privacy policies and sharing data with Facebook. While there is cause for concern, I don’t believe that it is the end of the world. And, if we take a calm, rational approach to it, we can see that it’s perhaps not a new thing…
What is happening?
The changes to the privacy notices mainly relate to new WhatsApp business features that are coming up, where you can purchase within the app and make use of a number of other functions. When you deal with a business that is registered on WhatsApp for Business, they may receive additional information about you for targeted marketing and their own use, and the business that you deal with could opt to manage the messages on Facebook’s business platform.
What is not happening?
There are a few things that I’ve seen out there where people are spreading misinformation or simply a little bit of ignorance driven by fear. Some of the concerning lines in the policy refer to “transactions and financial information” as well as other bits and pieces. Here are some of the myths about the change:
- Can WhatsApp access your banking? Nope, it can’t. What this “financial data” is referring to is the upcoming payment functionality within WhatsApp, similar to what we have seen with WeChat. Your bank account is still your bank account, and you are the one with the access to it. WhatsApp will not have this, though you may enter payment card information in future to make purchases from businesses on WhatsApp.
- Can Facebook read all your messages? Nope, it can’t (at least not easily). WhatsApp uses a technology called end-to-end encryption (E2EE for short), which means that your messages are encrypted and are only readable by the sender’s and the recipient’s devices. That said, WhatsApp backups are unencrypted when backing up to your Google or iCloud accounts, and if I understand correctly, this is what gets subpoenaed if there is an investigation by the authorities (my forensic friends can perhaps correct me here!).
- Is my data now going to be leaked everywhere? Not likely by Facebook, but likely if you have poor security habits – which is totally unrelated to this update and applies to almost any service you use. You should always use multifactor authentication, strong passwords, and unique passwords on your accounts. Facebook has the budget to protect your information, but breaches are often caused by end users not following secure practices.
- Am I going to get ads in WhatsApp? Nope, at least not yet. Facebook has said that they do not intend to introduce ads into WhatsApp, but if they did, they would notify you.
How dare they!?
The fact is, if you are using the Facebook app, or Instagram, or Facebook Messenger, chances are you have sent all of the information being requested (and much more) to Facebook already. The apps collect a phenomenal amount of information about you. Most of this is what we call metadata – it’s not the actual content of what you’re sending, but the info around that, like where you are when you’re sending it, who you’re sending it to, what the state of your device is, where you’ve been browsing and so on. This allows for profiling and data science around marketing predominantly, though there are certainly risks of someone having this aggregated information. We have a saying that if a service is free, YOU are the product. This very often applies in the software world. By using YouTube, you are also giving away tons of metadata, you just may not realise it.
What are the alternatives?
There are two main contenders out there as alternatives to WhatsApp: Telegram and Signal (as endorsed by Edward Snowden and Elon Musk). Sidenote: I know there are folks that will mention other platforms, and sure, there are many. There are, however, only two with the volume of users to make them convenient alternatives.
Telegram seems to be the most popular alternative at the moment. It is a good alternative, but I don’t believe it’s necessarily the best one. Technically, it can be less secure than WhatsApp if you’re not paying attention.
An important distinction I want to draw at this juncture is that Security and Privacy are two different concepts. Security deals with how well the content of your messages is protected, and Privacy deals with whether someone is tracking what you do and your metadata (as mentioned earlier). One is about accessing the information itself (your messages), and the other is about information around what you do that can identify or profile you (metadata).
With the above said, Telegram is a private platform, in that they don’t collect a lot of metadata about you. What they don’t have though is end-to-end encryption by default. Instead of the encryption being from the sender to the receiver directly where the platform cannot read your messages, Telegram has client-server encryption. This means that your messages are secure between you and Telegram, and the recipient and Telegram, but if Telegram wanted to decrypt your messages they could technically do so. That is not to say they are going to, and client-server encryption is still encryption.
This does not mean Telegram is bad; in fact, they have a great feature called “Secret Chat”.
Secret Chat is end-to-end encrypted. It also has a bunch of other great features, such as self destruct on messages, warnings if someone takes a screenshot, and nothing being stored on Telegram’s servers. If you are discussing something really private, this is the way to go when using Telegram.
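The difference between client-server encryption and end-to-end encryption described above, as an added illustration (this is not code from Telegram, Signal or WhatsApp, whose real protocols do far more). The names `alice`, `bob`, `server` and the `demo-chat` label are assumptions made for the example, which uses Node.js's built-in `crypto` module.

```javascript
const crypto = require('crypto');

// Encrypt and decrypt with AES-256-GCM under a 32-byte key.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}
function unseal(key, msg) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.body), d.final()]).toString('utf8');
}

// Shared key from my private key and the peer's public key (X25519 + HKDF).
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo-chat', 32));
}

// Constructed parties for the demonstration.
const alice = crypto.generateKeyPairSync('x25519');
const bob = crypto.generateKeyPairSync('x25519');
const server = crypto.generateKeyPairSync('x25519');

// Client-server: each leg is keyed between one user and the server,
// so the server decrypts, sees the plaintext, and re-encrypts for Bob.
function clientServer(text) {
  const inbound = seal(sharedKey(alice.privateKey, server.publicKey), text);
  const seenByServer = unseal(sharedKey(server.privateKey, alice.publicKey), inbound);
  const outbound = seal(sharedKey(server.privateKey, bob.publicKey), seenByServer);
  const delivered = unseal(sharedKey(bob.privateKey, server.publicKey), outbound);
  return { seenByServer, delivered };
}

// End-to-end: the key is agreed between Alice and Bob; the server only relays.
function endToEnd(text) {
  const msg = seal(sharedKey(alice.privateKey, bob.publicKey), text);
  let seenByServer = null;
  try {
    // The only key the server can derive involves its own private key.
    seenByServer = unseal(sharedKey(server.privateKey, alice.publicKey), msg);
  } catch (e) { /* GCM authentication fails: wrong key, nothing readable */ }
  const delivered = unseal(sharedKey(bob.privateKey, alice.publicKey), msg);
  return { seenByServer, delivered };
}
```

In both modes Bob receives the message; the only difference is whether `seenByServer` holds the plaintext or stays `null`.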
If you want to do without having to remember to enter secret chats, and still have great, easy-to-use messaging, use Signal. This would be my preferred, though not as popular, choice. Signal has a fair amount of history (even though you’ve probably not heard of them), but most interesting is from 2018, when the Signal Foundation was jointly formed and funded by one of WhatsApp’s co-founders. The co-founder, Brian Acton, left WhatsApp after Facebook’s acquisition as he was against the monetisation of WhatsApp and Facebook’s plans for the platform.
Signal Messenger evolved out of this partnership and foundation as an open-source and audited platform that is both secure and private. In fact, its predecessors and prior forms mean that it has been around for 11 years already, in some form or another! WhatsApp itself even adopted Signal’s encryption to secure your messages. It supports many of the features of WhatsApp, and in my view is a superior platform to Telegram (Telegram’s servers are not open-source, so we’ll never know precisely what is in the code behind the platform). I also find Signal easier to use than Telegram for a number of functions. You can install Signal from the links below:
Should you remove WhatsApp?
There is always a danger in someone having loads of information about you, and personally, I feel that as a stand against this kind of behaviour – much like Apple is standing against Facebook currently – one would perhaps want to remove WhatsApp. That said, it does come down to your personal preference and knowing that what they’re doing is not uncommon.
There is always a balance between privacy and convenience, and WhatsApp is incredibly convenient at the cost of privacy. I firmly believe that a company can have too much information about you, but with a cautionary caveat that this is not the first time nor the last time that we’ll see this. Companies like Google are known for collecting loads of information too, so this is just one of many.
What if I’m a company using WhatsApp?
Company communication is governed by different laws and approaches than personal communication between individuals. This is where laws like POPIA (Protection of Personal Information Act in South Africa) and GDPR (General Data Protection Regulation in Europe) come into play. Something that is very telling is that WhatsApp does not have the same terms for users in Europe, where the GDPR is in place, and where Facebook has run into significant legal challenges on how they handle data.
By all means use the WhatsApp for Business platform for receiving communications from customers (with the necessary consents and safeguards required by the law). I would certainly suggest, though, that using WhatsApp between employees in a company as a communication platform is a bad idea. Public services (like WhatsApp) are out of your control and hosted in foreign countries, and are a breeding ground for breaches, data loss, and leaks (often in the form of screenshots of private conversations). As a business, you should use a paid-for service that does not rely on data as its currency – something like Microsoft Teams within Microsoft 365, or the messaging functionality across the Google Workspace platform. Other tools like Slack (recently acquired by Salesforce) are also very good platforms that far outstrip free public messenger services in functionality and security.