The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD), two of the biggest digital privacy organizations in the U.S., filed a complaint with the FTC against WhatsApp’s new policy to share user data with Facebook.
Facebook’s New Privacy Policy
WhatsApp's new privacy policy recognizes that user data is protected by end-to-end encryption by default, but it also said contacts and other information will be shared with Facebook for more effective ad targeting.
If you were careful, you could opt-out of allowing Facebook to use the data for ads, but Facebook would still get it either way. To opt-out, you have to click at the bottom and go to a separate screen, where you can uncheck the box before hitting the “Agree” button.
There’s also another option that allows users to opt-out, but it’s going to be available to users only for the first 30 days. That may not be enough time for everyone to discover that their data is now shared with Facebook by default, as not everyone will get the chance to read the new privacy policy, or even news stories about it.
WhatsApp’s Failed Privacy Promises
Before it was acquired by Facebook, WhatsApp promised its users that it would “never” sell their information.
“So first of all, let’s set the record straight. We have not, we do not and we will not ever sell your personal information to anyone. Period. End of story. Hopefully this clears things up,” said Jan Koum, WhatsApp’s founder in a 2009 blog post.
In 2012, Koul followed with:
“At WhatsApp, our engineers spend all their time fixing bugs, adding new features and ironing out all the little intricacies in our task of bringing rich, affordable, reliable messaging to every phone in the world. That’s our product and that’s our passion. Your data isn’t even in the picture. We are simply not interested in any of it,” said Koum.
When WhatsApp was acquired by Facebook in 2014, Jan Koum said that "nothing" will change for users. The message was reiterated by Facebook’s CEO, Mark Zuckerberg, a few days later:
“We are absolutely not going to change plans around WhatsApp and the way it uses user data. WhatsApp is going to operate completely autonomously,” said Zuckerberg in 2014.
The two may still technically be right if the WhatsApp chat client itself never gets any ads, but Facebook would still get to use the data to make its ads more effective on its other services. However, WhatsApp did mention that “users may receive messages containing marketing information” in its recent privacy policy change announcement.
EPIC And CDD Step In
Some of the users who discovered WhatsApp’s plan were outraged about the new privacy policy. Coming to their aid is EPIC and CDD. The two privacy groups believe the FTC should investigate WhatsApp because of the company’s initial promise not to use the data for marketing purposes. Changing course now would “constitute an unfair and deceptive trade practice,” the groups allege.
Before it allowed the WhatsApp acquisition to complete, FTC also seems to have required Facebook to make any changes to WhatsApp’s data collection policy opt-in rather than opt-out:
“We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers. Further, if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC’s order against Facebook,” said the FTC in 2014.
In other words, WhatsApp can’t first collect everyone’s phone numbers as part of the app’s installation process under the promise that the data will not be shared with anyone else, only to then give that data away, without the users’ explicit permission. As it is right now, not only will all Whatsapp phone numbers (as well as other information) be shared automatically with Facebook, but users have only 30 days to opt out.
In 2011, the FTC settled with Facebook, after the company “deceived consumers by failing to keep privacy promises.” Because of that, the FTC gave itself permission to keep Facebook under constant watch for the next 20 years, in case the social media company decides to do something like that again.
According to EPIC and CDD, Facebook is deceiving consumers once again by taking data it was never supposed to get without explicit opt-in permission. That should prompt the FTC to take action, if it’s consistent with its own past enforcement policies.
