WhatsApp Found to Violate Privacy Laws
CREDIT: WhatsApp Inc.
The popular smartphone app WhatsApp Messenger improperly accesses users' contact lists, an investigation by the Canadian and Dutch governments has concluded.
Although Mountain View, Calif.-based WhatsApp Inc. made security improvements over the course of the year-long investigation, the app still violates "internationally accepted privacy principles ... in relation to the retention, safeguard and disclosure of personal data."
That's according to the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority, who issued a joint press statement yesterday (Jan. 28).
Most problematically, WhatsApp requires users to provide access to all contacts on a device, whether or not those people use WhatsApp themselves. That data is uploaded to WhatsApp's servers.
"Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form)," the statement explained. "This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfillment of an identified purpose."
The joint statement and individual reports cited other privacy concerns, such as a lack of privacy controls that allow anyone with a user's number to see that user's status updates without the user's knowledge.
WhatsApp has millions of registered users who use the service to send text messages to other mobile users via the Internet instead of over cellular channels. It runs on iOS, Android, Windows Phone, BlackBerry and Symbian.
In August 2012, the company said the service was sending and receiving 10 billion messages per day.
Since the Canadian-Dutch investigation began a year ago, WhatsApp Inc. has added encryption to messages sent between users and switched to a more secure method of generating authentication keys.
The company has said it will create an alert system and streamline its terms of service and policies by the end of September 2013.
The investigation claimed to be the first time two national data protection agencies had worked together to examine a service's impact on their respective populations.
Both Canada and the Netherlands plan to continue to investigate WhatsApp.
An email seeking comment from WhatsApp Inc. was not immediately returned.