Naked Security

Why did WhatsApp change its mind over privacy? The EU wants answers

WhatsApp urged to hold fire on tighter integration with Facebook until users are offered more legal protection

WhatsApp is in more hot water over its decision to start sharing user data with parent Facebook for marketing and advertising purposes.

The firm announced the change in August as part of an update to its Terms and Privacy Policy, which users had to accept to continue using the service.

At the time, it was widely criticised for a move that appeared to be about integrating the service’s hundreds of millions of messaging users into Facebook’s advertising platform.

Now the EU’s influential privacy body, the Article 29 Working Party (WP29), has published an unflattering open letter outlining its worries.

Isabelle Falque-Pierrotin, who chairs the working party, explained the problem: the new terms contradict promises made to users when they signed up for the service. She added: “These changes have been introduced in contradiction with previous public statements of the two companies ensuring that no sharing of data would ever take place.”

The companies had also been vague about the precise nature of the sharing, she said, adding: “The Article 29 Working Party has serious concerns regarding the manner in which the information relating to the updated Terms of Service and Privacy Policy was provided to users and consequently about the validity of the users’ consent.”

She signs off with a warning to WhatsApp “not to proceed to ensure that the processing is compliant to the European legal framework”.

Should WhatsApp and Facebook executives be worried? It’s only a warning letter after all, and both companies will presumably already have started integrating their services as set out in the announcement. WhatsApp says: “[B]y coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp.”

More specifically, it adds: “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of.”

On the other hand, the Article 29 Working Party has been a big influence on privacy policy since being set up at the time of the bloc’s first data protection directive, 95/46/EC, in 1995.

Mission creeps

At issue is what might be called privacy creep, whereby a service starts off with a strong commitment to privacy which is later diluted for commercial reasons, or possibly – as is the case with WhatsApp – when it is taken over.

It is possible to opt out of some aspects of the new sharing arrangement but the onus is on the user to know how to do that.

The irony buried in all this is that both WhatsApp and Facebook Messenger (Facebook’s own messaging app, which pre-dates its purchase of WhatsApp) have been busy upgrading the underlying security of their messaging platforms.

Earlier this year, WhatsApp announced that it had started using the industry-leading Signal protocol from Open Whisper Systems, offering full end-to-end message encryption with what is termed perfect forward secrecy (PFS). A couple of months later, Facebook started using the same technology.

This means that on both services the keys used to encrypt messages between two users are stored on their devices rather than the provider’s servers. PFS is a technique for changing those keys so that no single one can be used to unlock other messages.
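The key-changing idea described above, as an added illustration that is not from the original article or from WhatsApp's code: a simplified symmetric hash ratchet in Python (HMAC-SHA256 over a constructed root key), showing that device state copied after message 3 yields the later message keys but none of the earlier ones. It models a single key chain only and omits the Diffie-Hellman step the Signal protocol also uses; the names `kdf_step`, `Ratchet` and `simulate_compromise` are hypothetical.

```python
import hashlib
import hmac


def kdf_step(chain_key):
    """One ratchet step: derive (message_key, next_chain_key) from chain_key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


class Ratchet:
    """Holds only the current chain key; each step overwrites the previous one."""

    def __init__(self, root_key):
        self.chain_key = root_key

    def next_message_key(self):
        message_key, self.chain_key = kdf_step(self.chain_key)
        return message_key


def simulate_compromise(root_key, stolen_after, total):
    """Return (all message keys, keys derivable from the stolen chain state)."""
    sender = Ratchet(root_key)
    all_keys = []
    stolen_state = None
    for i in range(total):
        all_keys.append(sender.next_message_key())
        if i + 1 == stolen_after:
            stolen_state = sender.chain_key  # device state copied at this point
    # The attacker can only ratchet forward from what was stolen; HMAC is
    # one-way, so earlier chain keys and message keys cannot be recomputed.
    attacker = Ratchet(stolen_state)
    attacker_keys = [attacker.next_message_key()
                     for _ in range(total - stolen_after)]
    return all_keys, attacker_keys


if __name__ == "__main__":
    # Constructed sample root key, standing in for the agreed shared secret.
    root = hashlib.sha256(b"constructed demo root key").digest()
    all_keys, attacker_keys = simulate_compromise(root, stolen_after=3, total=6)
    for n, key in enumerate(all_keys, start=1):
        status = "exposed" if key in attacker_keys else "still secret"
        print(f"message {n}: key {key.hex()[:16]}... {status}")
```

Within one chain the later keys are exposed once the state is stolen, which is why the full protocol also mixes in fresh Diffie-Hellman output as the conversation continues.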

But users want to find each other easily on these services and that means building a public directory of users and numbers which the company has access to.

What people message to each other is top secret but their associations and behaviour (especially if they are also Facebook users) are not. That is why users are valuable in the first place.

And so the paradox of messaging privacy reveals itself: we are becoming ever more secret but also ever more observed.

1 Comment

Interesting that they say the message content is encrypted, but they are going to use the mined data to market to people. It looks like the only data they would gather is who and when you communicate. So if they aren’t mining your chat data to market to you, are they basing it on the data (profile etc.) of people you have chatted with?
I wonder if this has much to do with the EOL of FB web based chat.
