WhatsApp’s breach of privacy
WhatsApp’s breach partially resolved following investigation by data protection authorities
Media release
Ottawa, ON and The Hague, NL, January 28, 2013 — The Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority, College bescherming persoonsgegevens (CBP), today announced the outcome of a joint investigation into WhatsApp Inc., a California-based mobile application provider, and its handling of personal information.
The joint investigation was a world first: two national data protection authorities had collaborated to investigate the privacy practices of an organization that has hundreds of millions of customers worldwide. This marks an important shift toward global privacy protection.
“Our Office is very proud to have been part of this important world first with our Dutch counterpart, particularly in today’s increasingly virtual, mobile and borderless world,” said Jennifer Stoddart, Privacy Commissioner of Canada. “Thanks to our investigation, WhatsApp is making changes to its app, and has committed to making more, to better protect the personal information of its users.”
Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, further said: “But we are not yet completely satisfied. The investigation revealed that WhatsApp users – with the exception of users of the iPhone with iOS6 software – have no option but to grant access to their entire address book in order to use the application. The address book contains the phone numbers of both users and non-users. This lack of choice also runs against Dutch and Canadian privacy laws. Both users and non-users of the service should be able to make decisions regarding their personal data. And users must be in a free position to decide what information about their contacts they wish to share with WhatsApp.”
Main conclusions and results
The authorities investigated WhatsApp’s popular mobile messaging service, which enables users to send and receive instant messages over the Internet on various mobile devices. WhatsApp was in breach of Dutch and Canadian privacy laws, and the company took steps to address several recommendations in order to make its product more secure from a privacy point of view. However, not all issues have been fully addressed yet.
The investigation concluded that WhatsApp contravened some globally accepted privacy principles, mainly in the areas of retention, protection, and disclosure of personal data. For instance:
To let users of the application communicate with each other, WhatsApp uses a user’s address book to enrich the contact list for its subscribers. After users consent to the use of their address book, all phone numbers stored in their mobile device are transmitted to WhatsApp to facilitate the identification of other users of the application. Instead of deleting the cell numbers of non-users, WhatsApp retains them (in a condensed form). This practice violates Canadian and Dutch privacy laws, which dictate that information can only be retained for as long as it is necessary for the stated purposes. Because of the company’s agreement with the Commission, only iPhone users with iOS6 software are able to manually add contacts rather than having the company’s servers automatically download the cell numbers stored in their address book.
When we launched our investigation, messages sent using WhatsApp’s messaging service were unencrypted, and thus vulnerable to interception, particularly when sent over unsecured Wi-Fi networks. In September 2012, in partial response to our investigation, WhatsApp started encrypting its mobile messaging service.
During the investigation, we discovered that WhatsApp was creating passwords for messaging based on device information that can be revealed quite easily. The practice exposed users to the risk of some third party sending and receiving messages on behalf of users without their knowing it. WhatsApp has strengthened the authentication process in the latest version of the app. The process involves using a more secure, randomly generated key instead of Media Access Control (MAC) addresses or International Mobile Station Equipment Identity (IMEI) numbers (which identify each device using a network with a unique number) to assign passwords to the device for messaging through the app. That means anyone who has ever downloaded WhatsApp, active user or not, needs to be on the latest version to benefit from this security enhancement.
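The difference between the two credential schemes described above, as an added example that is not part of the original release and is not WhatsApp's code. The SHA-256 derivation, the Server class, the phone number and the IMEI value are assumptions constructed for illustration; the release does not say how the passwords were actually derived.

```python
import hashlib
import hmac
import secrets

SAMPLE_IMEI = "356938035643809"   # constructed sample identifier
SAMPLE_PHONE = "+15550100"        # constructed sample account name


def device_derived_password(device_id: str) -> str:
    """Assumed weak scheme: a fixed function of a device identifier."""
    return hashlib.sha256(device_id.encode()).hexdigest()


def random_password() -> str:
    """Hardened scheme: 256 bits from the OS CSPRNG, unrelated to the device."""
    return secrets.token_hex(32)


class Server:
    """Minimal account store: phone number -> digest of the issued password."""

    def __init__(self) -> None:
        self._records = {}

    def enroll(self, phone: str, password: str) -> None:
        self._records[phone] = hashlib.sha256(password.encode()).digest()

    def authenticate(self, phone: str, password: str) -> bool:
        stored = self._records.get(phone)
        if stored is None:
            return False
        candidate = hashlib.sha256(password.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, candidate)


def recomputable_from_device_id(make_password, device_id: str) -> bool:
    """True if knowing only device_id is enough to pass authentication."""
    server = Server()
    server.enroll(SAMPLE_PHONE, make_password(device_id))
    # A party that has seen the identifier can only run the public derivation.
    recomputed = device_derived_password(device_id)
    return server.authenticate(SAMPLE_PHONE, recomputed)


if __name__ == "__main__":
    print("device-derived:", recomputable_from_device_id(device_derived_password, SAMPLE_IMEI))
    print("random key:    ", recomputable_from_device_id(lambda _id: random_password(), SAMPLE_IMEI))
```

A credential that is a function of a MAC address or IMEI is only as secret as that identifier, whereas the random key has to be provisioned per install, which is why the release says users must be on the latest version to benefit.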
Next steps
The OPC and CBP have collaborated intensively but filed separate reports due to the differences in data protection laws between the two jurisdictions. For Canada, the law covering data protection is called the Personal Information Protection and Electronic Documents Act, whereas for the Netherlands, it is Wet bescherming persoonsgegevens. After issuing these two separate reports containing their findings, the OPC and CBP will further investigate the remaining issues separately.
After investigation, the second phase under the Dutch Dat