WhatsApp's privacy investigated by joint Canadian-Dutch probe


anuseems

WhatsApp, the popular instant messaging smartphone app, has been under investigation by governmental privacy authorities in Canada and The Netherlands for almost the past year for violations of both nations' privacy acts.

This is the first time countries have worked together to conduct a privacy investigation and it appears to have been a great success. As I don't read Dutch, I have only examined the Canadian report.

The first issue they looked into was the ability for someone to "spoof" or artificially register someone's smartphone for the service without their permission or to impersonate that person's phone to intercept their messages.

While some issues existed in this process previously, it was determined that the concerns were not well founded.

Another complaint against WhatsApp was that it requires users to upload their entire address book to determine which of their contacts are fellow users of WhatsApp.

The lack of an option to choose which contacts you want to upload to the service is considered a breach of privacy and an overreach by the company.

WhatsApp has updated its iOS app to allow manual uploading and intends to provide updates for its Android, Blackberry, Windows and Symbian clients as well.

A bigger issue is that WhatsApp not only uploads the phone numbers of non-app users from your address book, but stores them perpetually. The company's defence is that it stores non-user numbers as MD5 salted hashes.

The Canadian Privacy Commissioner found that this is an unacceptable, unnecessary practice. In the case of a data breach, these numbers can be trivially brute-forced "in less than 3 minutes on a desktop computer," according to the report.

To comply with international privacy regulations, WhatsApp must stop retaining unnecessary personally identifiable information.

WhatsApp also broadcasts your status updates to everyone who has your number in their address book. It is not made clear to users that this will occur, and even worse, there are no controls.

Even someone who typo'd a friend's phone number would be granted access to your status updates without your knowledge.

The report details concerns over the lack of visibility of who can see your statuses and the lack of controls. The law states "Consent must be meaningful" when sharing personal information; a simple disclaimer in a EULA/ToS/privacy policy is not enough.

WhatsApp intends to include a pop-up in future versions of the software ensuring users understand who may see their statuses and allowing them to choose not to broadcast their status. They committed to providing this by September 30, 2013.

Another provision of the Canadian PIPEDA Act that was violated covered the lack of disclosure to users about the minimum and maximum times for retention of data collected. While it appears that WhatsApp had a policy, it was not presented directly to their users.

The company has agreed to update its privacy and terms of service policies to clearly outline its intentions by March 31, 2013.

At the beginning of the investigation, the company was not properly encrypting any of the communications of its users. Its initial attempt at encryption relied upon using IMEIs and MAC addresses as encryption keys.

The investigation determined this was inadequate and easy to defeat. WhatsApp has begun the transition to 160-bit randomly generated keys in its iOS app and will follow through on other platforms.

I think it is an excellent conclusion that two independent countries could work together to ensure the safety of their citizens while working in a cooperative manner with private enterprise.

Normally I would chastise WhatsApp for exposing sensitive information unnecessarily, but in this case I will give them some credit. They made mistakes, but are willing to work with authorities to make things right.

While anyone can create an "app" and be a smartphone superhero overnight, that does not exempt you from privacy regulations. Don't make the mistakes WhatsApp made; think things through from the point of view of your customer.

@ http://nakedsecurity.sophos.com/2013/01/29/whatsapps-privacy-investigated-by-joint-canadian-dutch-probe/
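
Why a salt does not protect stored phone numbers, shown as an added example that is not part of the original post or the Commissioner's report. It assumes the salt is kept beside the hashes (so a breach exposes both); the 7-digit 555-01xx numbers, the salt value and all function names are constructed for illustration.

```python
import hashlib
import time

# Assumption: the salt sits beside the hashes, so a breach exposes both.
SALT = b"constructed-salt"


def salted_md5(salt: bytes, number: str) -> str:
    """Salted MD5 of a phone number, standing in for the stored value."""
    return hashlib.md5(salt + number.encode("ascii")).hexdigest()


def recover_block(salt: bytes, stored: set, prefix: str, digits: int) -> dict:
    """Hash every number under one prefix and map stored hashes back to numbers."""
    recovered = {}
    for i in range(10 ** digits):
        number = f"{prefix}{i:0{digits}d}"
        digest = salted_md5(salt, number)
        if digest in stored:
            recovered[digest] = number
    return recovered


def keyspace_seconds(total_numbers: int, sample: int = 50_000) -> float:
    """Time `sample` hashes on this machine and scale to the whole number space."""
    start = time.perf_counter()
    for i in range(sample):
        salted_md5(SALT, f"{i:010d}")
    rate = sample / (time.perf_counter() - start)
    return total_numbers / rate


def demo() -> dict:
    # Constructed address-book entries of non-users, retained only as hashes.
    contacts = ["5550142", "5550187"]
    stored = {salted_md5(SALT, n) for n in contacts}
    # Only 10,000 candidates exist under this prefix, so all are tried.
    return recover_block(SALT, stored, prefix="555", digits=4)


if __name__ == "__main__":
    print(sorted(demo().values()))
    hours = keyspace_seconds(10 ** 10) / 3600
    print(f"all 10-digit numbers: about {hours:.1f} h in single-threaded Python")
```

The time estimate is for unoptimised Python on one core; the point is that the search space is bounded by the phone-number format rather than by the hash, which is why the remedy described above is to stop retaining the numbers.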


I am a Dutch citizen and I say screw that privacy law. I am not in the least bit concerned about privacy issues with WhatsApp. WhatsApp is a free service I can choose to use or not, and the permissions it needs when installing are quite clear. I don't need some high paid government dimwits nannying over me. If privacy is a concern it's my choice to use WhatsApp or not use it, not the Dutch government's. And if those bastards didn't rob me of over half my income I might not need to resort to free but privacy concerned services...

I hope WhatsApp tells the Dutch government: we're not Dutch so go screw yourselves...



I've always hated that over-hyped app. Why on earth would I pay for that crap when there are dozens out there that do the same thing for free? Also, an app JUST for text messaging and nothing else? That's a waste of space! Personally, I use Naver's Line which does all that for free and adds voice chatting to boot.



> I've always hated that over-hyped app. Why on earth would I pay for that crap when there are dozens out there that do the same thing for free? Also, an app JUST for text messaging and nothing else? That's a waste of space! Personally, I use Naver's Line which does all that for free and adds voice chatting to boot.

If you don't like it, don't use it, no one is forcing you to use it. I personally like it for what it does and I don't need the government babysitting me. I am a consenting adult and I full well understand the permissions WhatsApp needs and I accept it.



> If you don't like it, don't use it, no one is forcing you to use it. I personally like it for what it does and I don't need the government babysitting me. I am a consenting adult and I full well understand the permissions WhatsApp needs and I accept it.

> I've always hated that over-hyped app. Why on earth would I pay for that crap when there are dozens out ther

I agree, but a message between two should be respected. If it's staying like this, the government will have too much power over their citizens... police questioning everything about the messages you've sent (if you get caught for example). It feels like you don't have anything left that somebody can't bug into.

Yeah, it's better to get them crooks, but if you ain't one of those and you have to explain every f*** message line they find strange, it is a real pain in the ass. Yeah, it happened here and it isn't fun.

Also, an app being very popular doesn't mean it can break the law.



A government powerful enough to give you everything you want is also powerful enough to take everything you have.

> Also, an app being very popular doesn't mean it can break the law.

Whose laws? It's the internet. They should respect the laws of the country where they are based, but it would be impossible to respect the laws of every country (can you imagine what would happen if they had to respect the laws of Iran, Pakistan or Saudi Arabia too?)



> If you don't like it, don't use it, no one is forcing you to use it. I personally like it for what it does and I don't need the government babysitting me. I am a consenting adult and I full well understand the permissions WhatsApp needs and I accept it.

What the hell are you talking about? I hate the damn thing, thus, I don't use it. I was simply stating my opinion regarding that app, I couldn't care less about governments and what they're doing.
