WhatsApp Inc., the company behind the hugely successful cross-platform mobile messaging app, have been hauled over the coals following a joint investigation by the Dutch Data Protection Authority and the Office of the Privacy Commissioner of Canada. Their joint news release from the 28th January finds that WhatsApp is guilty of
“violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data”.
These findings reinforce the conclusions that David Sancho came to last year when researching the security of mobile apps, and also the conclusions of a recently released Ponemon study into data privacy.
The investigation ran over several months and resulted in three key findings. Two of the issues have already been substantially resolved by WhatsApp Inc., but a third remains outstanding.
The two issues which WhatsApp Inc. have already taken steps to resolve hinge on the security of their internet communications. The investigating organisations found that all messages sent using WhatsApp were sent unencrypted, meaning that it was trivial to intercept private communications. These communications can often contain not only text-based messages, but also images, sound, video and location information. In September 2012, in partial response to the investigation, WhatsApp introduced encryption to its communications.
On a related point, the investigation also found that WhatsApp was using a weak methodology when generating “passwords for message exchanges”. In essence, the identity of the message sender was being asserted using either the MAC address or IMEI number of the sending device. The investigation (rightly) concluded that, because this information could be relatively easily exposed or stolen, it was unreliable as an authentication mechanism and that spoofing the sender of a WhatsApp communication was too simple. Since this finding, WhatsApp Inc. have improved the technology behind message sender authentication and now use randomly generated keys for signing.
To benefit from both of these important security enhancements, users of WhatsApp, whether active or not, are strongly encouraged to make sure that they are running the latest version.
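The sender-authentication finding above can be shown in a few lines. This is an added example, not WhatsApp's code: the SHA-256 derivation from the device identifier and the use of HMAC-SHA-256 as the signing scheme are assumptions (the investigation's summary gives neither), and the sender number and device identifier are constructed values.

```python
import hashlib
import hmac
import secrets


def device_derived_key(device_id: str) -> bytes:
    """Weak: the key is a pure function of an identifier (IMEI or MAC address).
    The SHA-256 derivation is an assumption; the page gives no formula."""
    return hashlib.sha256(device_id.encode()).digest()


def random_key() -> bytes:
    """Hardened: 256-bit key from the OS CSPRNG, unrelated to any device property."""
    return secrets.token_bytes(32)


def sign(key: bytes, sender: str, body: str) -> bytes:
    """Tag binding the sender to the body (HMAC stands in for the unspecified scheme)."""
    return hmac.new(key, f"{sender}\n{body}".encode(), hashlib.sha256).digest()


def server_accepts(registered_key: bytes, sender: str, body: str, tag: bytes) -> bool:
    """Server-side check: recompute the tag with the key registered for this sender."""
    return hmac.compare_digest(sign(registered_key, sender, body), tag)


def forgery_accepted(registered_key: bytes, sender: str, leaked_device_id: str) -> bool:
    """Would the server accept a message signed by someone who knows only the
    sender's device identifier and not the registered key itself?"""
    guessed = device_derived_key(leaked_device_id)
    body = "message the real sender never wrote"
    return server_accepts(registered_key, sender, body, sign(guessed, sender, body))


# Constructed sample values, not real identifiers.
SENDER = "+10000000000"
DEVICE_ID = "000000000000000"

if __name__ == "__main__":
    weak = device_derived_key(DEVICE_ID)   # old scheme: key follows from the device
    strong = random_key()                  # new scheme: key is independent of it
    print("device-derived key, forgery accepted:", forgery_accepted(weak, SENDER, DEVICE_ID))
    print("random key, forgery accepted:", forgery_accepted(strong, SENDER, DEVICE_ID))
```

With a device-derived key, the identifier is the credential, so any exposure of the IMEI or MAC address is an exposure of the sender's identity; with a random key the identifier carries no authentication value.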
Finally, the investigation concluded that WhatsApp Inc. were not being transparent enough in how they handle their users’ address books. In order to populate the WhatsApp address book on the user device, and to identify new users as they sign up for the service, once the user gives consent the entire address book from a customer device is uploaded to WhatsApp Inc.’s servers. This step is a prerequisite for using the service on every mobile platform with the exception of Apple’s iPhone running iOS 6, where users have the option of adding contacts manually. In addition, rather than being deleted once it has been processed, the uploaded data is retained in hashed form, in order to help WhatsApp identify new users as they sign up for the service.
The retention of data in this way contravenes Canadian, Dutch and European data protection legislation, which states that data should only be retained for as long as is necessary for the fulfilment of an identified purpose. This last issue has yet to be fully resolved by WhatsApp Inc.
Dutch authorities have warned that they will continue to monitor WhatsApp Inc.’s progress on this issue and may enforce sanctions if required.
This joint investigation by sovereign data protection agencies is a very welcome global first. As communication becomes more cross-jurisdictional and cross-border and services continue their inexorable march to the cloud and the mobile platform, regular users need to know that there are investigative bodies, with real teeth, whom they can approach in the case of privacy concerns and who will effectively collaborate to reach a successful conclusion.