The WhatsApp Privacy Concerns — A Devil’s Advocate Point of View

WhatsApp is updating it’s terms of service and privacy policies. We all know that. It’s the current hot topic. lot of us trying to move away from the app for safer alternatives. But, the things I’ve been reading and the generic opinion on this, on social media and YouTube, is bugging me a lot, to say the least. That’s the reason I’m writing this.

Quick disclaimers:

I am not a “fanboy” of any particular app nor company. In fact, people who know me personally know that I’ve always recommended Telegram as a better alternative to WhatsApp (There are some things Telegram just gets right. For me, not storing the messages on my phone alone is a big deal, more on that later).

Yes, I know you are gonna get mad at me, but it’s ok. I’m not here to promote any product/service, but I’m just here to throw some light to the whole scenario and to ask you to think more critically.

And, why does this bother me? I am a developer. Even some mishaps by some companies affect everyone in this space, one way or the other. And also, there are some things we are clearly overlooking, which I want to discuss.

A quick question for you

Let me start by asking you a question. A simple question, but one which has significance in this issue. Did you read the updated terms of service and privacy policies of WhatsApp? I mean, directly. If you haven’t, I strongly encourage you to do so, and compare it with what you have been made aware of through other sources (the news, media, YouTubers, memes). It isn’t anything high level or filled with legal jargons. Again, I strongly encourage you to spend a couple of minutes to atleast skim through the actual thing in question.

IT is a very unique field. Almost everyone in the world uses the products of this field directly. The products whose internal workings are not of concern to anyone except a small fraction. In this scenario, there is clearly a lot of room for mis interpretation of fundamental facts. Which happens more than you would probably estimate.

Facts travel through a lot of people and get distorted severely in this process. I have personally sensed fundamentally wrong information being passed around, creating panic. I attribute this to two things

1. The people who are responsible for carrying information to the common man (media/social media content creators) (I’m not blaming all of them, some people do an excellent job. But most don’t).
2. Us. We don’t think critically before sharing something to others. It is human behaviour to be cautious about things, a bug being found, a vulnerability. But most of the times, these things get “over-hyped"

Here is a small anecdote

Case 1: WhatsApp leaking users phone numbers into the internet

A few months ago, a couple of my friends shared me a pic, a Google search result, for the query “wa.me” showing tons of people’s phone numbers. The caption of the pic said, “WhatsApp is leaking people’s phone numbers". This image was being heavily circulated, and some of my friends got legitimately concerned.

But I instantly understood what was going on. (Although I had a really bad time explaining this to them, who wouldn’t be convinced). Here’s what it is.

1. Google is a search engine. It scans the entire internet to pick up key words and presents results when someone searches for the key words. If you have published a website, that contains the sentence, “I like Pizza”, and I search on Google for “I like Pizza”, there is a chance that your website shows up in my search result.

2. WhatsApp has this neat feature, where you can place links on your website, that when someone clicks, will open up your contact on their WhatsApp. You can easily try this. Open a browser tab and enter this: “wa.me/919876543210", by replacing the number with the phone number of someone you know. This will open up your WhatsApp chat with that person.

wa.me is a domain name owned by WhatsApp. I have used this trick a few times for my clients websites. I’ll provide a link that says “Chat with us", that anyone can use to open a WhatsApp chat (instead of manually copying the phone numbers)

3. Google has picked up this information in the websites. And when you search for wa.me, it shows the phone numbers of the websites that use this feature.

Is this a privacy concern? ABSOLUTELY NOT! The phone number is something what the website owners have explicitly put on their websites.

TL;DR? They were just business phone numbers that people actually put in their own websites.

I have been in this situation a lot of times. People would share some vulnerability or a privacy concern, which would be an entirely different thing at its root. I am not trying to say everything that shows up should be ignored. All I’m asking is to think critically and take everything with a grain of salt.

We are also sometimes easily manipulated by “marketing material", which make use of people’s general lack of awareness about certain things in tech (and it’s totally not an issue! I don’t expect everyone to be tech savvy.) Here’s another example

Case 2: “Our VPN service will prevent your ISP from knowing which sites you are visiting”

Internet Service Providers (ISPs) are whom you pay to get yourself connected to the internet. It can be a cellular network, or a broadband one.

I always get agitated by VPN provider claims. I can go on for long, but here’s a jist.

1. HTTPS (the S stands for secure) is a protocol (it doesn’t belong to any other company, let me state that first) that more than 90% of the websites today use. If the website uses just HTTP, your browser will show a message “not secure”. HTTPS ensure that, no matter what, only you and the website have a secret conversation. No one else can see what data you are sharing, not even your organization, not even your ISP. It is just how the protocol works. If your VPN service claims that it is encrypting your data, it is doing nothing more that what you already have(!?). If at all, it reduces your internet speed by encrypting the same data multiple times unnecessarily.
2. But, even when using HTTPS, the people in between you and the website (the network infrastructure in your organization, your ISP) can technically see which websites you are visiting, and only that. The 'domain name’, (for eg: www.google.com) acts as the address which is used by your ISPs (and all the parties in between) to determine where to send the data. Your ISP will not know where to send your data unless you provide it the domain name. It is a critical piece of the communication which is absolutely essential. But, nothing other than the domain name the ISP can see. The body of the message is encrypted using HTTPS.
3. Yes, VPNs prevent your ISP from knowing which sites you visit. When using a VPN, the data, along with the domain name is encrypted and sent to the VPN. Therefore the ISP doesn’t know which site you are visiting. The VPN can then decrypt the domain name (it cannot decrypt the data) and it will send the data to the corresponding recipient. But the biggest question is, if you would not trust your ISP, why should you trust your VPN provider? You are not entirely hiding which sites you are visiting. You are just sending it from your ISP to the VPN.

The only true benefit of a VPN is to access geo locked content. Anything other than that is just magically worded, to make it technically correct, but of no use practically.

Coming back to the whole WhatsApp scenario. I am not saying we should totally ignore the new terms of service. Especially when it comes from a product owned by a company having questionable practices. We ought to look into this.

But here is the problem, the information that comes to my ears is very diverged from reality.

(Please keep in mind I’m not a WhatsApp “fanboy”. Everything I’m about to say is from the point of view of the terms and policies) WhatsApp has never stored chat in their servers. Actually, this has been a bummer for me, having to have my phone around for WhatsApp web (since all chats are relayed from my phone). Telegram doesn’t have this issue, Instagram doesn’t, Facebook messenger doesn’t. Because they store your chat on their servers.

There are some vital pieces of information that any service needs, without which they cannot operate. For example, your username, phone number and display picture needs to be stored in the server.

Given these two things, the common thing people around me tell me is, “the new terms give WhatsApp the legal ability to share your chat to Facebook”. NO. It doesn’t. (Whether they adhere to their terms is a different story, but legally, it doesn’t)

Fine, “Signal is open source, so it’s more secure”. Well, partially. When a product is open source, it means anyone can look at the code. But this doesn’t mean you can ensure the data is safe too. The data is maintained separate from the codebase. There is practically nothing we can do to assure data security other than to rely on terms and policies. If you would not believe WhatsApp with your data, why should you trust anyone else?

The elephant in the room

Let’s talk about the biggest thing in this scenario. The new ToS allow certain data to be shared to Facebook. Which data? Quoting the ToS (although I strongly recommend you to read the whole thing):

[…] Our Privacy Policy explains how we work together to improve our services and offerings, like fighting spam across apps, making product suggestions, and showing relevant offers and ads on Facebook. Nothing you share on WhatsApp, including your messages, photos, and account information, will be shared onto Facebook or any of our other family of apps for others to see, […]

[…] We will explore ways for you and businesses to communicate with each other using WhatsApp, such as through order, transaction, […] Messages you may receive containing marketing could include an offer for something that might interest you. […]

There was no reference anywhere which says WhatsApp can share your chats/documents with other apps/companies.

There is this whole thing called “targeted marketing”. Have you searched for some product one time in Google, and then found yourself seeing a whole bunch of ads for that product or related products? That’s what I am talking about. Ad companies (including Google and Facebook) try to keep ads relevant and improve “clickability” of those ads. This is done by “learning” about the things we are interested in. The things we search about, etc. This, on the surface looks like they are trying to thrust ads down our throats, but look at it this way.

If you think about it, aren’t they exactly the same as recommened videos on YouTube? YouTube knows which videos you watch most, which topics you are interested in, and keeps your feed interesting by showing more of the things which are similar to what you have showed interests in the past. We do like recommened videos right? I would now like some random sample of the thousands of videos uploaded every day, would I?

I see targeted ads as exactly that. I reiterate, I am not in for leaving my privacy compromised. But targeted ads do provide a better experience. Of course, ads are irritating (but, for a lot of services, even small ones, getting ads run on their websites is a primary source of income), but if some ad is relevant, it would be less irritating.

I have, in the past, been in both ends of the spectrum. I have some experience with having ads run in a site, as well as promoting my social media page through ads. But in neither case, I was not made available of which individual users saw the ads.

Problem with WhatsApp’s terms

Most of the targeted marketing stuff I mentioned previously provided one way or the other to opt-out. But the new WhatsApp’s terms doesn’t provide any way to opt-out.

The choices you have. If you are an existing user, you can choose not to have your WhatsApp account information shared with Facebook to improve your Facebook ads and products experiences. Existing users who accept our updated Terms and Privacy Policy will have an additional 30 days to make this choice by going to Settings > Account.

This sparked the conversation. WhatApp has been focusing about more than just text messages recently-building an ecosystem for businesses to run. Providing payment options and other business features. They want to promote businesses similar to what you have interacted with in the past, and for that, they need to know which businesses you are interacting with currently.

So there you have it. The actual thing, the aftermath and the confusions. My point here is neither asking you to stick onto WhatsApp, nor creating a panic about all chat services. I’m just saying, there are possible loopholes everywhere. And it is left to us to think critically, and be more aware. The reason I first started using WhatsApp was not because I liked it, but because all of my friends were using it. You want to use a different platforms due to security concerns in a new one? Sure, I have no problem. I’ll join there too.

There are some things you need to do first in order to keep yourself safe. Such as having safe passwords, TFAs, etc. There are a lot more things that need to be addressed, but we just discovered the tip of an iceberg, which feels large. But is tiny compared to the actual thing. Don’t panic about anything quickly. Think critically. Stay vigilant. Share responsibly.