In February 2014, Facebook purchased WhatsApp for a whooping $19 billion. This deal came under scrutiny from various privacy advocates. They questioned if the standards of privacy and security of communication on WhatsApp would be maintained post acquisition. WhatsApp reassured users of its commitment to privacy through a blog post titled ‘Setting the record straight’. The blog clarified that WhatsApp would operate independently and autonomously with no new data being collected. In a separate post, WhatsApp categorically assured ‘nothing’ would change for the user. Reinforcing its commitment to privacy, earlier this year WhatsApp had even introduced end to end encryption.

However, on August 25 2016 WhatsApp introduced key changes in its privacy policy that threaten user privacy. These changes negate WhatsApp’s earlier assurances and raise fundamental concerns regarding privacy and security of user information on WhatsApp.

Changes in the Privacy Policy

Most users have already received a notification from WhatsApp about their updated Terms of Service. Although WhatsApp has presented users with the option to opt-out (though only partially), it has made it difficult for users to exercise this option. The option is only visible once you click on ‘read’. As users rarely inspect standard form contracts – it is likely that this option would be overlooked by many.

The key changes that this policy introduces pertain to sharing of account information with the ‘Facebook family of companies’ (i.e. Facebook along with Atlast, Instagram, Parse etc.). The first change allows WhatsApp to share WhatsApp account information to improve the users ‘Facebook ads and products experience’.  A user has two options to opt-out of this process. The user can opt-out of this process by un-ticking an option displayed on the ‘key updates’ page reached after clicking on ‘read’ (Option 1). If the user has already agreed to the privacy policy they can opt-out within a limited period of 30 days (Option 2). The second change is that WhatsApp will now be sharing data with the ‘Facebook family of companies’ for ‘other purposes’ which include but are not limited to improving delivery systems and fighting spam or abuse. Account information that is shared includes a user’s phone number, contacts and profile picture amongst other information. There is no opt-out option for this and the information will be shared by WhatsApp on a regular basis. (A pictorial representation of the changes may be found here)

Problems with the new Changes

These new changes are fraught with problems. First, WhatsApp has not sought consent for sharing data for purposes other than advertising. While examples of ‘other purposes’ are provided for, the list is non-exhaustive. This paves way for sharing of data and its use without knowledge and consent of the user. Further, the data shared may include phone number and pictures which are recognised by many as personally identifiable information. Sharing of personally identifiable information is subject to informed consent by data protection laws across the world. This policy ignores such requirements. Second, once the user agrees to share the terms of the policy – they only have a time period of 30 days to opt out. This time period is an unfair limitation on the rights of users to stop WhatsApp from sharing of data for advertising purposes in the future. By not incorporating an option to revoke consent at any point of time – WhatsApp again ignores one of key safeguards for protecting the right to privacy. Third, the policy provides for an opt-out mechanism as opposed to an opt-in mechanism. Instead of seeking user consent before sharing the data the mechanism is designed in a manner that requires users to take active steps to prevent sharing of information. Opt-out boxes assume user consent until the user un-checks the box and often run the risk of being missed by users. Fourth, at the time of acquisition of WhatsApp the Federal Trade Commission of USA had issued a letter to both Facebook and WhatsApp reminding them of the need to maintain their privacy commitments. The letter required affirmative express consent (such as opt-in) in case data is used in a manner inconsistent with the promises made at the time of collection of such data. An opportunity to opt-out was required in case of changes in collection, use and sharing of ‘newly collected data’. While this new policy applies to data that was collected earlier (such as phone number and contact details) it goes for an opt-out option as opposed to affirmative consent through an opt-in option.

Finally, WhatsApp and Facebook repeatedly assured users that ‘nothing’ would change as a result of the merger. The policy for use of data to customise advertising goes against WhatsApp’s earlier policies as well as the 2014 assurances of no change in data use. This new policy not only undermines the right to privacy in many ways – but goes a long way in undermining the trust of users.

Reactions to the Policy

The policy has been condemned by many. The absence of even an opt-out option for sharing of data for purposes other than advertising has invited even greater criticism. The Electronic Privacy Information Center from the United States has filed a complaint before the Federal Trade Commission against WhatsApp and Facebook. The Data Protection Authority in the UK, the Information Commissioners Office, has also stated that it would be investigating these changes. Reports indicate that most of the EU regulators will also be closely following the changes in the WhatsApp policy.

A public interest litigation has also been filed before the Delhi High Court arguing that these changes are in violation of Article 14, 19 and 21 of the Indian Constitution as well as Section 72 of the Information Technology Act 2000. The court has sought the government’s response on modification of the privacy policy. It remains to be seen how the regulators across the world respond to these changes.

(I would like to thank my colleague Kritika Bhardwaj for her assistance with this piece)