An old favourite and one we are often asked to review...so it is with great pleasure that we've invited in a new guest contributor, Will Ellis from PrivacyAustralia, to give us his take on it!

WhatsApp’s New Privacy Policy After Huge Fine

Maybe you recall pop-ups warning you, in early 2021, to update WhatsApp.

While declining didn’t cut off users completely, the app degraded over time unless you accepted the update. This time around, the update to your terms and conditions is automatic.
Now, there’s a fresh debate over privacy issues, which we’re experts on – this time it’s scandalous.

€225m WhatsApp Fine

How serious is the breach?

Pretty serious. Back in May, they made changes to their privacy policy. This gained a fair bit of public backlash. Many of their users migrated to a different messaging app, instead of accepting their updated terms and conditions.

Six months later, WhatsApp has been handed a world-record €225m fine after regulators reprimanded it for a poorly transparent privacy policy. WhatsApp intends to appeal the fine, but has still issued a new privacy policy to make amends.

To date, it’s the largest fine ever issued by the Irish DPC, which is the EU’s leading privacy regulator for Meta, due to Dublin being the headquarters for Meta’s European operations.

The European Data Protection Board (EDPB) in Brussels, which was settling a dispute between some of the EU privacy watchdogs responsible for interpreting the law, determined that WhatsApp was not compliant with the GDPR. Its detailed ruling was laid out in July and recommended a fine.

WhatsApp’s record €225 million fine was enacted by the Irish DPC. A WhatsApp spokesperson said, “As ordered by the Irish DPC, we have reorganised and added more detail to our Privacy Policy for people in the European Region.”

Further adding, “We disagree with the decision and are appealing because we believe we already provided the required information to all our users.”

They’ve reaffirmed their commitment to end-to-end encryption, saying that no one can eavesdrop on user communications, not even WhatsApp.

Do I need to do anything this time around?

Nope. They’ve learned their lesson from the outcry last time, so you’ll find it goes mostly unnoticed with users. There won’t be any alerts requesting users to update the privacy policy, or to accept any new terms and conditions. The real question: is WhatsApp safe for privacy?

PrivacyAustralia’s Take

Is WhatsApp safe?

Nope: victims have been exposed to identity theft and fraud in the past, through the app.

For instance, a security flaw enabled the secret installation of spyware on smartphones. Discovered in May 2018, the spyware sat on target devices and gave attackers access to highly sensitive data.

A second vulnerability, discovered by cyber security company Check Point Research, could allow hackers to remotely change someone’s reply in a messaging conversation.

This led to a warning to WhatsApp users from a second cyber security firm, Sophos. Your phone number alone is enough for hackers to seize total control not only of your WhatsApp account, but also your smartphone.

Is WhatsApp private?

This is another concern WhatsApp users have. There is some privacy: for instance, WhatsApp uses basic end-to-end encryption, which works to make it harder for third parties to intercept information transmitted from sender to receiver.

But there are huge privacy gaps that could expose your PII data. For instance, WhatsApp backups on iCloud and Google Drive are unencrypted. Thereby, your WhatsApp messages can be read before sending and after receiver receipt.

Indeed, WhatsApp chats can be viewed by anyone who does a basic Google search, to access your group’s:

  • Names of all members.
  • Phone numbers.
  • Chat information.

This happens even if groups are set to private. Add to this that WhatsApp is owned by the non-private social media giant Facebook, and it doesn’t bode well for your information.

(We haven’t even mentioned safety issues regarding video calling and sending photos which can be easily exploited by hackers.)

Is Telegram private and safe?

Telegram managed to add 25 million new users to their subscriber list in only a few days, thanks to the WhatsApp exodus in January 2021 – reaching the 500 million mark.

Its Secret Chat feature provides end-to-end encryption, which is its own form of zero-knowledge: messages sent by users are only accessible to them on the devices.

Technically, messages sent using this should be secured even against cyber attackers and the Telegram app itself. Most users assume that their messages are secured by default, but you need to turn the Secret Chat feature on.

But, even if this feature is enabled, some researchers are sceptical of the encryption protocols used by Telegram – because Telegram’s MTProto-encryption protocol may contain flaws. One study concluded that it’s not ideal compared to other available standards.

Is Signal private and safe?

[Image: Messaging Apps Comparison. Source: QED42]

If we had to recommend a most private messaging app that is widely available, secure and free, it would be Signal, whose brand motto is “Hello to privacy.”

Signal is the name of both the encryption protocol and the app. The Signal protocol has been around since 2010, developed by privacy activist Moxie Marlinspike.

It’s also fully open source, with full audits for security gaps, and is widely seen as the most secure e2ee messaging protocol ever created. This is why derivatives of it are used by the other big messaging services, including Skype, Facebook Messenger, and WhatsApp.

A few years ago, the 82nd Airborne Division’s Task Force Devil was asked by military leadership to download the app on government phones for a mission in Iran, as it’s encrypted and free to use.

Zero-Knowledge

Zero-knowledge is an abstract method in communication and transaction systems, and it relates to WhatsApp’s new privacy policy.

In this model, transactions happen between authorized parties without giving a third party access. Only the permitted user is able to know or see protected data, such as messages, passwords, and addresses. Not even the intermediary host can.

Zero-knowledge can be considered a subset of applied cryptography, which seeks to secure communicated data. A facet of this is the ‘zero-trust’ principle, which is a key to cybersecurity: users are given as much privilege to information as is required for authorised data access.

A few tips to lower chances of being leaked:

  • Verify the identity of any new contact you talk to. Apps like Signal let you scan in your contact’s QR code (each user has a unique code).
  • Use something able to filter traffic, such as a DNS filter or VPN.
  • Lock your mobile device and hide lock-screen messages, to avoid sneak peeks when in public.

Conclusion


It’s in dispute whether acceptable standards of zero knowledge for private messaging apps were upheld, and whether this caused WhatsApp’s new privacy policy.

Should I keep using WhatsApp?

Not if you value the privacy and security of your messages. (Or even smartphone!) This enormous fine is one too many flags suggesting that advocates of privacy and security, for their personal devices and data, should probably avoid using WhatsApp. And that’s not to mention the past record of Facebook, which owns WhatsApp.
