Categories
Computer Tech Mobile Security

Storm in a WhatsApp teacup?

Facebook’s recent update of the Terms of Service for Whatsapp has got a lot of people riled up. And quite rightly so. The core of this issue is not privacy of information as many believe, but rather pure business economics – let’s cover the basics first.

There are 2 primary considerations for using cloud services (of which Whatsapp is one).

The first is the security aspects of the service (and associated applications/websites). This part is about how the service works from a technical aspect. Does it have known vulnerabilities? Is the service coded securely? What information (about you) is required to use the service? Do you exchange information securely on the service?

The 2nd aspect is the privacy of information of the service users, and how the service makes use of its users’ data. If encryption it used, who retains the keys? How is the data stored? Which jurisdictions have legal action over this data? How is the data used?

Privacy frameworks have been all the rage in recent years, and all across the world too. The EU’s GDPR may be the most famous (I’ve written about this extensively in previous articles) however even us southerners here at the bottom of the world have POPI (also discussed previously). A privacy framework by the way, is a legal framework that provides for protection of the information of people that need to interact with commercial, public and government entities.

Examples would be how the data/information you’ve supplied to a retailer, might be used. Or which 3rd parties your bank shares your spending patterns with. Or how an online service targets ads at you based on your information.

So what’s the problem?

Why is Facebook/WhatsApp now sending you an updated Terms of Service?

Many think this is because of the abovementioned privacy frameworks and Whatsapp’s requirement to step in line with those frameworks. But Whatsapp has in fact been compliant since the legal introduction of the respective frameworks, in the countries they operate in. To operate otherwise would have left them open to significant fines, potentially in the 10’s of millions of Euros.

In reality, this all started a month ago when Apple introduced mandatory privacy labels on their messenger service, iMessage. Of course Facebook is unhappy with this because they choose to be as opaque as possible. Facebook is after all, and at the heart of it, a data collection machine. With you as the target. Doing anything to limit their ad machine is self-defeating. (There’s echos of Google’s treatment of Chrome here).

WhatsApp, which has arguably been hit hard by these privacy labels, complained that its data collection was misrepresented, and that Apple’s own iMessage was not subject to the same scrutiny, which was unfair.

Let’s take a look at the collection data for each system:

iMessage Vs WhatsApp

Is it really unfair to call Whatsapp overzealous now?

To confirm, Whatsapp’s updated ToS is there to clarify the privacy labels that Whatsapp is using. This isn’t about WhatsApp sharing any more of your general data with Facebook than it does already, this is about using your data and your engagement with its platform to enable shopping and other business services, to provide a platform where businesses can communicate with you and sell to you, all for a price they will pay to WhatsApp. The fact that the changed terms of service were mandatory, that users would need to accept the change or lose their accounts, is what has made headlines globally and caused a viral stir on social media.

Economics

Facebook spent $19 Billion on the purchase of Whatsapp. And there’s only one reason to spend this amount of money – to monetize and commercialise the platform. What is surprising is how long Facebook has taken to do it, however the deal is done and it’s now to be seen if WhatsApp has shot itself in the foot or not. It’s unlikely even though no one likes forced acceptance … But, the reality is that WhatsApp can afford to lose millions of concerned users as a trade-off to its commercial plans, knowing that it will retain the vast, indifferent majority.

Question: Do you think you’re Facebook’s customer or it’s product?

Remember, there is precedence for this regarding Facebook specifically. The Cambridge Analytica scandal is arguably the largest data heist in history perpetrated by a commercial company. All for profit. And Facebook stood by and let it happen.

So what to do?

Should you stop using Whatsapp? The quick answer is no. Facebook already has all the information you’ve previously given it, and this update in the ToS is not going to change that. Also, considering that Whatsapp uses the open source Signal protocol for encrypted messaging (albeit a customised proprietary version), your unimportant casual chats are reasonably secure.

The longer answer is more complicated and requires more thought than most are willing to give the topic (remember the indifferent majority). It’s regarding whether you’re concerned about what Facebook and Whatsapp do with your data. And whether you specifically need a greater degree of privacy and security. A large proportion of people do not consider the ramifications of being pawns in the global social media advertising machine. Your data could become fair game as the platform builds its commercial offerings and risks falling to the temptation that data might provide as it looks to accelerate those revenue models. Unfortunately, no one can be surprised at this move – it was inevitable the moment Facebook purchased Whatsapp.

And if you think the data labels are poor with WhatsApp, you need to take a look at Facebook’s other properties, Instagram and Messenger. Facebook Messenger specifically makes Whatsapp look positively tame by comparison.

If you’re going to make a move from WhatsApp, then you need to take a long look at everything else you use and do online. And make a change there too. Moving from WhatsApp and continuing to use Messenger or Facebook defeats the point …

Another option is to check the privacy controls of the applications you use carefully and adjust them for maximum protection. But online platforms limit how much privacy you can enable, for obvious reasons.

Alternatives

There are many alternatives and some have even been around for longer than WhatsApp. Some solutions are based on the open source Signal protocol, which WhatsApp itself uses. Others use proprietary mechanisms. The advantage of using an open source solution is that the code can be audited for vulnerabilities or potential privacy pitfalls on the part of the vendor.

Popular systems that come to mind are:

  • Threema
  • Signal
  • Telegram

Threema is a commercial solution based on the open source RTSP framework providing a rich set of messaging features. It does not require the linking of a phone number or email address when joining so is considered high in terms privacy.

Signal as a service, is offered by the Signal Foundation, a not for profit organisation. The Signal service makes use of the Signal protocol, which is also used amongst others, by Whatsapp and Telegram.

Telegram is another not for profit service based in Dubai that offers a strong messaging service with a focus on programmatic extensions (API) that allows interaction with applications. It also uses Signal as it’s messaging protocol.

Summary

Facebook is moving ahead with its plans to monetise WhatsApp, something that has been brewing since the initial purchase. Your public and private information is at stake. In the end, it’s your decision as to whether you want to sell yourself or not.