Why did WhatsApp Come Under Fire?
Starting January 4, 2021, several WhatsApp users from the messaging app’s core consumer base in India and Brazil received an in-app message enforcing data-sharing with the parent organisation, Facebook. According to the guidelines, users had until 8th February to accept the new terms and conditions in order to continue using the app. If they didn’t, they would not be able to use the app at all after 8th February.
Considering that Facebook had already earned plenty of notoriety for its involvement in the Cambridge Analytica scandal, it was natural that users were wary about the update. In particular, they were worried about how their data could be potentially misused post WhatsApp’s latest update. The uproar was further magnified, as several noted Indian industrialists pointed out that mandating data-sharing is not the way consent works (or should work). Many also highlighted the need for a Data Protection Policy akin to the EU’s General Data Protection Regulation (GDPR), which strictly forbids data-sharing between the two platforms for customers in the EU. In the EU, the user can choose whether their data can be shared between Facebook and WhatsApp – or not. Amid such growing concerns, WhatsApp was directed by Indian authorities to roll back, or postpone the implementation of the new policy.
What was WhatsApp’s Clarification About?
In the wake of the backlash, WhatsApp released a statement on its site that clarified what the new policy meant. The statement clearly mentions that “the new policy only affects chats with businesses and not personal interactions. Messages are protected by end-to-end encryption, and WhatsApp and Facebook cannot read or listen to them.”
So What Does End-to-End Encryption Mean?
An end-to-end encryption protocol prevents third parties (including Facebook) and WhatsApp itself from having plaintext access to messages or calls. There is no off-switch for this mode of encryption; it happens automatically. WhatsApp messages and voice and video calls between two entities are not stored in any form on Facebook or WhatsApp servers, but only on the two communicating devices. This prevents eavesdropping, or any kind of unauthorised/illegal data-sharing without the user’s consent.
However, the end-to-end encryption in the Facebook ecosystem applies only to plain text messages, and not to metadata. Metadata like the hardware model, operating system information, mobile network, phone number, mobile operator or ISP, language and time zone, IP address, device operations information, and other unique identifiers has always been shared between WhatsApp and Facebook. Even information like battery level, signal strength, and location (should users choose to give location permissions) is shared between the platforms.
Against this background, Signal was touted as the best alternative to WhatsApp, as it encrypts both messages and metadata.
About WhatsApp Business and End-to-End Encryption
As you may know, WhatsApp Business was introduced to help companies connect with customers on a messaging platform that offers a more personalised experience. According to Facebook, over 175 million WhatsApp messages are sent every day to business accounts.
Some functionalities that WhatsApp Business users can access include:
- Setting quick replies for faster communication with clients
- Setting automated greeting and away messages
- Contact list organisation
- In-app payments
- Shipment tracking
WhatsApp Business has undoubtedly helped several companies, both small and large, build a strong customer base for communications, marketing announcements, and more. But how does privacy work with business interactions?
Of course, businesses use WhatsApp data within their organisation to allow employees to directly interact with customers. This would still be considered part of WhatsApp’s end-to-end encrypted messaging system. On the other hand, many large organisations choose to automate WhatsApp replies and may use third-party chatbot software providers to set this up. In this case, the message is not considered end-to-end encrypted by Facebook.
Other instances where businesses may wish to share data with third-party providers include analytics and other marketing purposes. This third party may be Facebook itself, wherein businesses can use the “shared hosting” service to target ads on Facebook to customers and others.
How are Users Made Aware of their Privacy Rights While Interacting with Businesses?
As seen in the image above, users are informed about end-to-end encryption with every interaction. Moreover, you need to obtain permission from the customer to allow the communication channels to open.
It should also be noted that Facebook policy clearly indicates that it is up to the business how it wants to use data. Even the choice to share WhatsApp user data with Facebook for targeted ads from your company relies on the permissions you set (as it always has been).
In short, there has been some miscommunication about how Facebook is collecting data from WhatsApp, especially in regard to personal messaging. On the other hand, Facebook’s statement that the new policy only affects business accounts does little to clarify the general consensus about WhatsApp privacy issues. The fact that Facebook has always been collecting metadata from WhatsApp users, regardless of business interactions, adds more confusion to a less than reputable stance on privacy. In this regard, mandating sharing of information between the two providers only muddies the waters further. Perhaps this wasn’t the brightest marketing move on the part of Facebook. But after much hue and cry, the percentage of users who have stopped using WhatsApp in favour of Signal and other applications is less than significant. This indicates how prevalent and ubiquitous both WhatsApp and Facebook are in India’s business milieu.
If you are an organisation that heavily relies on WhatsApp marketing for communicating with customers effectively, consider sending out a copy of your company policy on privacy and data protection. If you have not integrated any third-party service providers with WhatsApp, including Facebook, clearly state the same and assure your customers that their data rights are well protected. Doing this will ensure that your customers don’t worry about their data or how you will use it.
Ultimately, this will build trust in your brand and help you garner their long-term loyalty.