Netherlands, Canada Say WhatsApp Still Violates Privacy Laws

ID THREATPOST:9995560147E76F10FD4C43229F62443C
Type threatpost
Reporter Anne Saita
Modified 2013-04-17T16:30:50


Dutch and Canadian officials say the popular mobile text messaging app WhatsApp violates their countries’ privacy laws because it rifles through users’ contacts to find other devices hooked up to the service.

The announcement Monday follows a joint investigation launched a year ago into whether California-based WhatsApp Inc.’s data collection violated the two countries’ privacy laws. Among the most popular smartphone apps, WhatsApp allows its millions of registered users to send text-based messages over the Internet without SMS. More than one billion such messages are sent daily using the mobile app.

Both the Canadian report and the Dutch version note that the company has been cooperating and has made security upgrades in recent months. In September 2012, the company added encryption to its mobile messaging system. It also strengthened its authentication process in the latest version: passwords for device-to-application message exchanges are now created from a more secure randomly generated key instead of from MAC (Media Access Control) or IMEI (International Mobile Station Equipment Identity) numbers.

But Monday’s news release from the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority shows WhatsApp has another hurdle to overcome – namely the way it requires users to provide access to all phone numbers in their address book, whether or not those contacts use the app.

“The investigation revealed that WhatsApp was violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data,” according to the news release.

It specifically cites data retention as a point of concern.

“Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically.”

In addition to the privacy alert, the international partnership marks a first, according to the two nations.

“The coordinated investigation is a global first, as two national data protection authorities conducted their work together to examine the privacy practices of a company with hundreds of millions of customers worldwide. This marks a milestone in global privacy protection,” according to the Canadian news release.

WhatsApp has yet to publicly respond to the reports.

The two nations will now separately address other privacy issues each has with the company.