The Electronic Privacy Information Center and the Center for Digital Democracy have filed a complaint with the Federal Trade Commission against Facebook’s $16 billion acquisition of WhatsApp based on privacy concerns, according to a document released Thursday. EPIC and CDD’s problems with the acquisition center around the fact that WhatsApp staked its reputation on—that it’s a company keeping a reasonable distance from its customers’ data. Now that it will fall under the aegis of Facebook, its users stand to lose those privacy guarantees, even though WhatsApp told its users nothing would change.
Facebook draws legal complaints for treading outside the bounds of responsible data use on a fairly regular basis. There was Beacon, which posted users’ activity to third party sites without so much as a heads up. There were Sponsored Stories, which placed users’ photos and names alongside ads. There was the sudden unsolicited use of facial recognition. The list goes on with many new and interesting ways Facebook has found to use the information it’s collected, but it’s plain that given an opportunity, Facebook is more likely to ask forgiveness than permission.
Then Facebook bought WhatsApp, the messaging app that, up until now, cared not a whit for information about its users or what they were doing. Despite the fact that the company could be sitting on a staggering database of phone numbers, locations, and names (not to mention troves of conversations, media, and links), WhatsApp has traditionally dismissed all of those opportunities.
In the complaint, EPIC and CDD cite a few communiques from WhatsApp to its users on protecting their privacy. “We have not, we do not, and we will not ever sell your personal information to anyone. Period. End of story,” wrote founder Jan Koum back in 2009. In mid-2012, Koum wrote, “Your data isn’t even in the picture. We are simply not interested in any of it.” The WhatsApp privacy policy, last updated in 2012, reads “We do not use your mobile phone number or other Personally Identifiable Information to send commercial or marketing messages without your consent or except as part of a specific program or feature for which you will have the ability to opt-in or opt-out.”
According to its privacy policy, WhatsApp does not even store phone numbers, instead associating the number “dynamically” on the device, not in WhatsApp’s servers. Likewise, it does not collect names, e-mail addresses, or phone numbers from any device’s contacts, a practice that has become common in many other apps. The app also does not store messages on its servers unless they go undelivered, and even those are deleted after 30 days.
When the acquisition was announced, WhatsApp reassured its current users in a blog post that “nothing” would change. “WhatsApp will remain autonomous and operate independently,” Koum wrote, promising the experience would remain ad-free.
Despite WhatsApp’s reassurances that it doesn’t store or collect its customers’ info, industry experts cited by EPIC and CDD state that many of the app’s users chose the app specifically due to its commitment to privacy. Because of that, it’s an even bigger concern that Facebook will start reaching for that information once the transaction goes through.
The complaint states that the WhatsApp acquisition is, potentially, a violation of Facebook’s commitment to give users “clear and prominent notice” when a privacy policy changes and to get their “express consent.” WhatsApp presents Facebook with a crack at a new data set that it could use to augment its own databases, and no one at either company has yet alerted users to that possibility.
“WhatsApp users could not reasonably have anticipated that by selecting a pro-privacy messaging service, they would subject their data to Facebook’s data collection practices,” says the complaint. The document concludes by asking the FTC to launch an investigation into Facebook’s ability to see and use “WhatsApp’s store of user mobile phone numbers and metadata,” and to halt the acquisition until it’s clearer how the two companies’ relationship will develop.
Facebook getting its hands on WhatsApp data is decidedly a privacy concern, but how immediate that concern is lies in how you interpret Koum’s post-sale blog post. The founder promised that “nothing” will change. In one sense, this means that WhatsApp will continue to keep customer phone numbers, metadata, and their contacts’ information off its servers, and it will continue to not store messages. In this case, Facebook will not actually have access to anything, because there are no logs.
However, Koum seemed mostly focused on the consumer end—how a user experiences the product—as opposed to how WhatsApp does business. Koum assured users that the experience will remain ad-free and operate on nominal fees. He also promised that WhatsApp will not “compromise on the core principles that will always define our company.” He did not specifically mention data collection or transmission.
Today’s complaint asks that the FTC figure out whether the acquisition will be in violation of Section 5 of the FTC Act, which prohibits “deceptive trade practices,” a category that can include companies that don’t follow their published privacy policies. If WhatsApp started collecting and giving data to Facebook without updating its privacy policy, that could certainly qualify as a violation. Since the transaction hasn’t yet been cleared, there is still time. Likewise, promising no changes now doesn’t mean WhatsApp can’t shift its position on customer data to clear itself for handing the information over to Facebook later.
Adapted from arstechnica.com