WhatsApp in violation of privacy law.

Some very sensitive communications happen over WhatsApp

WhatsApp Inc., the company behind the hugely successful cross (mobile) platform messaging app, have been hauled over the coals following a joint investigation by the Dutch Data Protection Authority and the Office of the Privacy Commissioner of Canada. Their joint news release from the 28th January finds that WhatsApp is guilty of

“violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data”.

These findings reinforce the conclusions that David Sancho came to last year when researching the security of mobile apps, and also the conclusions of a recently released Ponemon study into data privacy.

The investigation ran over several months and resulted in three key findings. Two of the issues have already been substantially resolved by WhatsApp Inc., but a third remains outstanding.

The two issues which WhatsApp Inc. have already taken steps to resolve hinge on the security of their internet communications. The investigating organisations found that all messages sent using WhatsApp were sent unencrypted, meaning that it was trivial to intercept private communications. These communications can often contain not only text-based messages, but also images, sound, video and location information. In September 2012, in partial response to the investigation, WhatsApp introduced encryption to its communications.

On a related point, the investigation also found that WhatsApp was using a weak methodology when generating “passwords for message exchanges”. In essence the identity of the message sender was being asserted using either the MAC address or IMEI number of the sending device. The investigation (rightly) concluded, as this information could be relatively easily exposed or stolen, that it was unreliable as an authentication mechanism and that spoofing the sender of a WhatsApp communication was too simple. Since this finding, WhatsApp Inc. have improved the technology behind message sender authentication and now use randomly generated keys for signing.
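The weakness described above, as an added illustration that is not WhatsApp's code: the SHA-256 derivation, the HMAC tagging and all sample values are assumptions, since the page does not describe the actual scheme. It compares a credential computed from a device identifier with a randomly generated per-install key, from the verifying server's point of view.

```python
import hashlib
import hmac
import secrets


def identifier_credential(device_id: str) -> bytes:
    """Weak scheme: the credential is a pure function of a device identifier
    (IMEI or MAC address). The derivation here is hypothetical."""
    return hashlib.sha256(device_id.encode()).digest()


def random_credential() -> bytes:
    """Corrected scheme: a 256-bit key from the OS CSPRNG, created at
    registration and unrelated to any property of the device."""
    return secrets.token_bytes(32)


def sign(key: bytes, sender: str, message: bytes) -> bytes:
    """Tag a message so the server can bind it to the sender's key."""
    return hmac.new(key, sender.encode() + b"\x00" + message,
                    hashlib.sha256).digest()


def verify(key: bytes, sender: str, message: bytes, tag: bytes) -> bool:
    """Server-side check, using a constant-time comparison."""
    return hmac.compare_digest(sign(key, sender, message), tag)


def compare_schemes() -> dict:
    sender = "+1-555-0100"          # constructed sample account
    device_id = "490154203237518"   # constructed sample IMEI
    message = b"meet at 6"

    weak_key = identifier_credential(device_id)   # what the server stores
    strong_key = random_credential()              # what the server stores

    # A party that has only observed the device identifier can recompute
    # the weak credential, because nothing secret went into it.
    observer_key = identifier_credential(device_id)
    observer_tag = sign(observer_key, sender, message)

    return {
        "weak_accepts_observer": verify(weak_key, sender, message, observer_tag),
        "strong_accepts_observer": verify(strong_key, sender, message, observer_tag),
        "strong_accepts_owner": verify(strong_key, sender, message,
                                       sign(strong_key, sender, message)),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

Under the identifier-derived scheme the tag verifies for anyone who knows the identifier; with the random key it verifies only for the holder of that key.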

To benefit from both of these important security enhancements, users of WhatsApp, whether active or not, are strongly encouraged to make sure that they are running the latest version.

Finally the investigation concluded that WhatsApp Inc. were not being transparent enough in how they handle their users’ address books. In order to populate the WhatsApp address book on the user device, and to identify new users as they sign up for the service, once the user gives consent the entire address book from a customer device is uploaded to WhatsApp Inc’s servers. This step is a prerequisite to use the service on every mobile platform with the exception of Apple’s iPhone running iOS 6, where users have the option of adding contacts manually. In addition, rather than deleting the uploaded data once it has been processed, it is retained in hashed form, in order to help WhatsApp identify new users as they sign up for the service.

The retention of data in this way contravenes Canadian, Dutch and European data protection legislation, which states that data should only be retained for as long as is necessary for the fulfilment of an identified purpose. This last issue has yet to be fully resolved by WhatsApp Inc.

Dutch authorities have warned that they will continue to monitor WhatsApp Inc’s progress on this issue and may enforce sanctions if required.

This joint investigation by sovereign data protection agencies is a very welcome global first. As communication becomes more cross-jurisdictional and cross-border and services continue their inexorable march to the cloud and the mobile platform, regular users need to know that there are investigative bodies, with real teeth, whom they can approach in the case of privacy concerns and who will effectively collaborate to reach a successful conclusion.

3 thoughts on “WhatsApp in violation of privacy law.”

  1. James

    Someone should do something about Facebook's security before this? Seriously….people are accepting friends requests from unknown people. Hackers make 3 unknown accounts and add you 3 times as people you either don’t know at all and/or duplicate accounts of people already on your page. They then use the 2 step verification via matching pictures of to the 3 fake accounts as 3 confirmed people that you (them posing as you) know and you can reset your “forgotten password” from there the list is endless to the amount of damage they can do.
    I was able to identify a mass group of “request” users through simple technology like TinEye Reverse image search to almost instantly identify them as fake accounts. I went a step further and found direct connections between some of the hacked accounts who added each other to come across as legitimate FB accounts, these were accounts that were supposed to seem otherwise never connected. An 18 year old US chick (man she was adding random guys in my region faster than ever) a 45 year old middle eastern lady, and a 25 year old guy from Europe. They all linked to a middle eastern main account page that was legitimate and had very questionable propaganda hate against white Americans (not that I offended as I am Australian) and pro support for a sick and dying militant leader? I reported all this to Facebook giving direct links to how I discovered what I had and guess what?

    Nothing….nothing happened. They did sweat f*%# all. Not a single action was taken. All accounts still in operation.

  2. Pat Drummond

    I think in general, encryption of data should be the norm. But then again, encryption only provides bare minimum security. The security industry has to change how we fundamentally protect data and come up with a method that works.

  3. Joe

    Funny thing that the Canadian government complains about security. At least some encryption is better than none. This considering the fact that they have freely allowed unencrypted portable USB drives and hard drives within their OSAP student loan facility, which ended up in SIN (same as SSN), date of birth, address, names and student loan amounts (all you need to steal someone's ID) being “lost” (sold) as the contents were on an unencrypted portable hard drive in a format where anyone can simply open and read it. Only 580,000 people. Then they complain about WhatsApp security? Give me a break lol :)
