WhatsApp may have ridden out its privacy backlash, but there will be more to come as some of you now lose access to your accounts. And, worse, WhatsApp’s nightmare start to 2021 has exposed a serious problem for its 2 billion users that seems impossible to resolve. Millions more are likely to leave. Should you do the same?
Do you need to delete WhatsApp after this latest ultimatum.
WhatsApp says security and privacy are in its DNA, but it’s owned by the world’s most avaricious data harvesting machine. And so, it’s unsurprising that WhatsApp’s 2021 PR blitz has ignored the metadata harvesting issue. “Metadata—data about your data,” Cyjax CISO Ian Thornton-Trump explains, “is almost as powerful as the actual data.”
Let’s not forget that the recent backlash came in two parts. First, Apple introduced its privacy labels, exposing WhatsApp for collecting much more of our data than Signal, Telegram and iMessage. Whether that data is shared with Facebook is important, but not as important as the rationale for collecting it in the first place.
WhatsApp’s privacy label is awful. It’s the only leading secure messenger that harvests “data linked to you,” including your device ID, for “developer’s advertising and marketing.” It also collects your contact info, user ID and device ID for ominously vague “other purposes.” Other messengers collect your data to tailor functionality. WhatsApp is harvesting it for other reasons.
“Other apps,” WhatsApp has now told users, “say they’re better because they know even less information than WhatsApp—we believe people are looking for apps to be both reliable and safe, even if that requires WhatsApp having some limited data.”
Remember—if the product is free, then you’re the product. This isn’t complicated.
WhatsApp Vs Rivals
The second part of that backlash, the forced change of terms, hit hard because it seemed WhatsApp was collecting this data and sharing it with Facebook—that was the misreporting. It’s all good, WhatsApp said, we don’t share all your data with Facebook. But suddenly WhatsApp had shone a light on the fact that there is some data sharing. The fact this isn’t new is hardly the point. Those privacy labels are stark.
More importantly, the rationale behind collecting all this data in the first place was downplayed. It seemed that WhatsApp’s was taking the view that the backlash would blow over and we would all forget. We collect it because we need it, was the message. But there was no word on exactly what was being used, and how. This is your data. You have the right to know what’s being collected and how it’s being used.
Yes, WhatsApp is a free platform. And they are completely entitled to say we collect certain data fields and use those to send you ads that might be relevant. We, as users, can then choose whether that’s acceptable to us or not. What they’re not entitled to do is obfuscate, to talk around the subject and refuse to provide transparency, to say that it’s an inevitable and intangible part of this free service they offer.
Ironically, most users accept that some form of data collection is a price worth paying for free platforms. But there has to be a limit. And there has to be transparency. It is impossible to argue that the data collection is proportionate with the services on offer. Facebook reported $28.1 billion in revenues last quarter—it’s not scraping a living.
WhatsApp’s specific backlash has been blown out of proportion. The change of terms is more benign than it was (mis)reported at the time. WhatsApp’s owner, Facebook, wants to enable its business customers to communicate with you on WhatsApp, and only if you agree to those contacts. If you do, though, some of those messages might be stored off of WhatsApp, outside its fabled end-to-end encryption.
This is a non-issue. Who cares about the security of your messages with your dry cleaner or supermarket—especially given you have opted in each specific chat? But it still breaks WhatsApp’s existing data handling terms and so the change needs to be made. As WhatsApp says, it needs to sell services to keep the messenger free. But the change has opened WhatsApp to belated scrutiny on its metadata—and that has not gone well. WhatsApp’s privacy issue is not going to be put back into its Pandora’s Box.
You now have a few weeks to accept WhatsApp’s new terms. After that, WhatsApp has now confirmed in a not especially helpful FAQ, “you won’t have full functionality of WhatsApp until you accept. For a short time,” it says, “you’ll be able to receive calls and notifications, but won’t be able to read or send messages from the app.”
WhatsApp says that “if you haven’t accepted by [May 15], WhatsApp will not delete your account,” but you will, effectively, lose use of your account after “a short time.”
So, what does this actually mean? You will still be able to access the account for a while, albeit you won’t be able to read or send any messages. In WhatsApp’s terminology, your account will seemingly become “inactive.” And here WhatsApp’s policy is clear. “To maintain security, limit data retention, and protect the privacy of our users, WhatsApp accounts are generally deleted after 120 days of inactivity. Inactivity means the user hasn’t connected to WhatsApp.”
All of this is confusing. WhatsApp hasn’t said it will delete accounts after that “short time,” or even how long a grace period that is. But the media is reporting that deletions will take place and that’s not being corrected.
Even WhatsApp appeared confused over its plans as it delayed the February 8 deadline for accepting the new terms. On January 15th, WhatsApp said “we will make sure users have plenty of time to review and understand the terms—rest assured we never planned to delete any accounts based on this and will not do so in the future.”
January 15th statement
That implies that accounts won’t be deleted. And maybe they won’t—despite headlines warning exactly that. I asked WhatsApp again whether they would confirm any of this, and they declined to answer. All WhatsApp says is that it has “extended the effective date to May 15th. If you haven’t accepted by then, WhatsApp will not delete your account. However, you won’t have full functionality of WhatsApp until you accept.”
Of course, one could be more cynical about a tweet sent on January 15, mid-backlash, that assured users that accounts would not be deleted over the change of terms, “we never planned to delete accounts based on this and will not do so in the future,” which was followed a month later by the news that accounts would be at best locked out and at worst deleted if terms are not accepted by May 15.
WhatsApp also declined to comment on this apparent contradiction.
Back in January, I advised users to stick with WhatsApp, albeit to maybe trial other options, particularly Signal, in parallel. I said there was no reason to ditch WhatsApp, that the issue around the change of terms had been overblown. But the way WhatsApp has managed this situation might just change that advice.
This was an opportunity to listen and engage, not to blitz users with slick PR while sticking to Plan A. Apple has changed the game by introducing privacy labels and removing ad tracking. Platforms either need to step up and change how they behave, or they risk losing users to alternatives that will. Facebook has made its stance against Apple’s changes clear. WhatsApp is doing the same.
The new privacy terms are fine to agree—there’s nothing to worry about there. But WhatsApp’s stubborn data collection and refusal to budge or even review the situation is pure Facebook. This is the clearest sign yet as to the direction WhatsApp is heading.
It’s unrealistic for many of us to quit WhatsApp altogether—unless we refuse to accept the new terms, of course. But replacing it as our default messenger is feasible. The same happened to SMS for many of us after all—as we turned to WhatsApp, ironically. So, is it seriously time to stop using WhatsApp? Maybe this time it actually is.
Zak is a widely recognized expert on surveillance and cyber, as well as the security and privacy issues associated with big tech, social media and communication