Privacy Groups Say Facebook Must Make WhatsApp Data Sharing Opt-In, Ask FTC To Intervene

The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD), two of the biggest digital privacy organizations in the U.S., filed a complaint with the FTC against WhatsApp’s new policy to share user data with Facebook.

Facebook’s New Privacy Policy

WhatsApp's new privacy policy recognizes that user data is protected by end-to-end encryption by default, but it also said contacts and other information will be shared with Facebook for more effective ad targeting.

If you were careful, you could opt-out of allowing Facebook to use the data for ads, but Facebook would still get it either way. To opt-out, you have to click at the bottom and go to a separate screen, where you can uncheck the box before hitting the “Agree” button.

There’s also another option that allows users to opt-out, but it’s going to be available to users only for the first 30 days. That may not be enough time for everyone to discover that their data is now shared with Facebook by default, as not everyone will get the chance to read the new privacy policy, or even news stories about it.

WhatsApp’s Failed Privacy Promises

Before it was acquired by Facebook, WhatsApp promised its users that it would “never” sell their information.

“So first of all, let’s set the record straight. We have not, we do not and we will not ever sell your personal information to anyone. Period. End of story. Hopefully this clears things up,” said Jan Koum, WhatsApp’s founder in a 2009 blog post.

In 2012, Koul followed with:

“At WhatsApp, our engineers spend all their time fixing bugs, adding new features and ironing out all the little intricacies in our task of bringing rich, affordable, reliable messaging to every phone in the world. That’s our product and that’s our passion. Your data isn’t even in the picture. We are simply not interested in any of it,” said Koum.

When WhatsApp was acquired by Facebook in 2014, Jan Koum said that "nothing" will change for users. The message was reiterated by Facebook’s CEO, Mark Zuckerberg, a few days later:

“We are absolutely not going to change plans around WhatsApp and the way it uses user data. WhatsApp is going to operate completely autonomously,” said Zuckerberg in 2014.

The two may still technically be right if the WhatsApp chat client itself never gets any ads, but Facebook would still get to use the data to make its ads more effective on its other services. However, WhatsApp did mention that “users may receive messages containing marketing information” in its recent privacy policy change announcement.

EPIC And CDD Step In

Some of the users who discovered WhatsApp’s plan were outraged about the new privacy policy. Coming to their aid is EPIC and CDD. The two privacy groups believe the FTC should investigate WhatsApp because of the company’s initial promise not to use the data for marketing purposes. Changing course now would “constitute an unfair and deceptive trade practice,” the groups allege.

Before it allowed the WhatsApp acquisition to complete, FTC also seems to have required Facebook to make any changes to WhatsApp’s data collection policy opt-in rather than opt-out:

“We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers. Further, if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC’s order against Facebook,” said the FTC in 2014.

In other words, WhatsApp can’t first collect everyone’s phone numbers as part of the app’s installation process under the promise that the data will not be shared with anyone else, only to then give that data away, without the users’ explicit permission. As it is right now, not only will all Whatsapp phone numbers (as well as other information) be shared automatically with Facebook, but users have only 30 days to opt out.

In 2011, the FTC settled with Facebook, after the company “deceived consumers by failing to keep privacy promises.” Because of that, the FTC gave itself permission to keep Facebook under constant watch for the next 20 years, in case the social media company decides to do something like that again.

According to EPIC and CDD, Facebook is deceiving consumers once again by taking data it was never supposed to get without explicit opt-in permission. That should prompt the FTC to take action, if it’s consistent with its own past enforcement policies.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jaber2
    I turned mine off
  • mavikt
    Go FTC!
  • thundervore
    I turned mine off and never provided facebook with my phone number because that's how people find you.

    People fail to realize that when facebook shows you the "people you may know" suggestions what its doing is looking at your contacts and phone number, then it check it against the database to see who provided facebook with that number and then suggest them to you.

    Ive met females at bars that gave me fake names but real numbers only to see facebook later suggested that I know this person and wouldn't you know it, their whole profile is public, where they work, where they hang out, etc. Even random hookups with women only to see Facebook suggest them as a friend to me 24 hours later and I find out that they are married or have a family.

    The best one was where I was with a female and facebook suggested the friend connection, I look at the profile and I see pictures of her that look like sex ad pictures you would see for camgirl ads. I did a image search on one of the pictures and it took me right to backpage where she was selling herself. I confronted her and she flips it around on me and calls me a stalker and a creep......thanks Facebook :)

    This is the same way your employer or manager can find you too, all they need I your phone number in their contacts and as long as you provide facebook with your number your namager can easily find your profile and see what you do in your spare time or anything you may say or do to become a risky employee.
  • velocityg4
    These rulings would be more effective if all the high level executives could go to jail for this sort of stuff. Say one day for every privacy failure. Which would come out to the rest of their lives considering all the users.
  • 3ogdy
    18521828 said:
    These rulings would be more effective if all the high level executives could go to jail for this sort of stuff. Say one day for every privacy failure. Which would come out to the rest of their lives considering all the users.

    Hanged in front of the people they betrayed. Beat to death the same way some muslims do to what they consider "unfaithful" women. These people screw our right to privacy and they may as well face serious charges and have their right to life in freedom questioned. Period.
  • thundervore
    18521828 said:
    These rulings would be more effective if all the high level executives could go to jail for this sort of stuff. Say one day for every privacy failure. Which would come out to the rest of their lives considering all the users.

    They should but they can keep throwing money their legal issue and make it go away.