WhatsApp – end to your privacy?

Do you own an Iphone, Blackberry or Android device and use it to chat? There is a good chance you are renouncing some of your privacy … but also that you are violating EU laws. Over the course of the last few months, several data protection authorities (the Dutch, Canadian and Italian) have raised concerns about a privacy risk that may exist in using these applications; however, these preliminary alerts fall short of capturing the full extent of the issue.

This blog post is perhaps a bit different from what you are used to read on Cybersmashup. I will try to review, over a few posts, various security and privacy aspects of mobile messaging platforms, both from a technical and a legal angle. Some of the points I will mention are not new. Indeed, many people have already commented on WhatsApp‘s security. However, the implication of some go beyond what one could expect. Don’t get me wrong, I do appreciate the way chat applications are changing the telecommunication market. Nevertheless, I think that new opportunities often come with some trade-offs and it’s fair to have a look at the consequences.

Only a few years ago, SMS were common to inexpensively communicate on the go. Lately, a new trend has arisen, and the classic text messages lost ground to phone chat applications such as WhatsApp, Line and similar platforms. 2012 is the year in which popularity of the chat platforms overtook that of SMS. It is estimated that in 2012 chat applications carried 19B messages/day, while SMS stood at 17B. And the gap is growing! The change has been so rapid that people focused on what it meant for their wallets, overlooking changes intrinsic to the nature of the new platforms (and so did Telco operators whose lucrative SMS business model suddenly required them to adapt to the new market trend, in some cases by offering almost-free or included in the plan SMS).

For the purpose of this analysis, the main differences between chat platforms and SMS are:

– Cost. Chat platforms are usually free or require a small one-off fee compared to the per-message cost of SMS. For a regular user, this is probably the single top reason to move to chats.

– Type. The second “S” in SMS stands for Service, leaving little doubt as to the nature of what is provided to the user. Chat platforms are usually referred as “Apps”, implying that the role of platform operators (eg. Whatsapp Inc., …) would be limited to that of software developers. On the contrary, chat platforms contain several bricks, including servers and “pipes” that manage users and store and forward messages. An open question is whether these platforms would constitute a Telecommunication service, as defined by the EU legislation. This is not straightforward, but a practical consequence is that these platforms would be subject to the mandatory notifications regime (to authorities and users) in case of privacy breaches.

– Behavior. For the reasons above (cost and integration), users are now more inclined to send multiple small messages instead of filling in the 160 characters of the SMS, to include “status update” (a gold-mine for those who are interested to dig into the lives of WhatsApp users, even if those are not our friends).

– Trust. All chat messages of a platform will transit trough that platform at a certain point. This has several implications for privacy of users and that of messages. On one hand, a central entity has the (theoretical) possibility to look into each and every message and into a user’s status (e.g. time of last connection, IP and location of that connection). On the other hand, the same entity is also installing software on your mobile that could do more than what you expect.

A particular example of what the software can do is upload your entire address book to the platform operator’s servers (usually without asking). While this is handy as you don’t have to manually add each of your contacts, it also comes with additional risks, including your liability. Yes, liability. I will write more about this in my next post.

– Correlation. An increased risk comes from the amount of data that the central entity can correlate. What is even scarier, not only the data of its users… but also the data of people who have NOT chosen to use their application. For instance, if some of my friends have decided to use WhatsApp and not me, still WhatsApp will see my number (uploaded from the address book of my friends) and will be able to infer the relation between these friends and me (using my number as a “join key”)!

– Double-Trust. Now, you can, of course, trust your platform operator (and its staff) and the fact that it will never go through your messages. However, even when you are messaging your neighbor, now your messages are making a long trip and certainly are traveling over foreign networks and countries. Perhaps, if you are a US user, this doesn’t change (too) much. But if you live in Switzerland, as I do, (and if you believe in PRISM) you may want to know which countries your messages and data are visiting. Even though since 2012 WhatsApp messages are reported to be encrypted, the encryption is only used between device and the platform… Well, you know…

– Triple-trust. Now, even if you trust your platform operator and if you trust all governments of all countries where your platform has servers (or simply where messages are being forwarded), you still have to trust that nobody has made an error, either in the design or in the implementation of the chat software, both on the client and the server side. I think I will dedicate an entire post to this point

For the moment, I’d like to note that I can add to my address book whatever number. I will be able to see if this person is currently “connected”, when he’s been online last and any profile picture he may have used, in addition to his “current status”.

As for the (legal) role of the platform owner and of the user, data protection literature (at least in the EU) talks about data subjects, data processors and data controllers. The online chat platforms are changing the paradigm and may be introducing new liabilities and legal risks, for the user as well. The position of the platform operator is currently in between that of a software developer and that of a telecommunication operator; as said, the exact role assumed may have tremendous implications on its duties.

– You accept it all. If you moved to chat platforms because you like reading short messages, you’ll have to think about it again. Terms and Conditions’ or T&C (here I am talking about WhatsApp, but I bet many platforms will have this point in common) pronounce at art.1 that by “using the service” you have read and agreed to the whole T&C. And T&C are no short message… as of today, WhatsApp’s T&C + Privacy policy add up to roughly 6300 words! A bit more than Shakespeare’s Hamlet and Midsummer Night’s Dream together. I hope to dedicate a full blog post to the legal issues.

– Free. Did I already mention this? :-) Well, the fact that these applications are all free (or almost) – which is not bad per se – leaves some doubt in my mind about the way these young startups will raise funds to survive in the future. I don’t like to imagine a price tag hanging on my data :-) but you know (I may be paranoid here), but it doesn’t mean they are not out there to get us (PRISM ;P) :-)

Well, this is it for my first post. I hope to use my time on the next flight do dig a bit more into some of the technical and legal points I made here. In the meantime, I’d love to hear what you think about this and the extent to which usability will outweigh privacy.

Securely yours,
Salva