WhatsApp, a widely used instant messaging mobile application similar to Research in Motion’s BlackBerry Messenger, violates Canadian privacy laws and potentially puts user information in danger, according to Privacy Commissioner Jennifer Stoddart.
“Our office is very proud to mark an important world-first along with our Dutch counterparts, especially in the light of today’s increasing online, mobile and borderless world,” said Stoddart. “Our investigation has led to WhatsApp making a commitment to make further changes in order to better protect users’ personal information.”
“But we are not satisfied,” said Jacob Kohnstamm, chairman of the Dutch Data Protection Authority (DDPA). “The investigation revealed that users of WhatsApp – apart from iPhone users who have iOS 6 software – do not have a choice to use the app without granting access to their entire address book.”
“This lack of choice contravenes (Dutch and Canadian) privacy law,” said Kohnstamm.
WhatsApp Messenger is a cross-platform messaging service that allows individuals to exchange messages on their mobile phones through the Internet rather than by short message service (SMS). The app can be used on Apple’s iPhone, BlackBerry phones and Android phones. By some estimates, the app is said to transmit more than a billion messages each day worldwide.
From January to November last year, the Office of the Privacy Commissioner of Canada (OPC) investigated WhatsApp on grounds that the office had reasons to believe the California company was collecting, using, disclosing and retaining personal information in a manner contrary to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
The subsequent Canadian and Dutch investigations found that:
– Once users consent to the use of their address book, all phone numbers from their mobile device are transmitted to WhatsApp to assist in the identification of WhatsApp users. Rather than deleting the numbers of non-users, WhatsApp retains them in hash form. Only iOS 6 users have the option of manually uploading their contact number.
– Messages sent using WhatsApp were unencrypted, leaving them prone to eavesdropping or interception. In Sept. 11, WhatsApp responded to this finding by introducing encryption.
– WhatsApp was generating passwords for message exchanges using device information that can be easily exposed. There was a risk that a third party may send and receive messages in the name of users without their knowledge. WhatsApp has since introduced a more secure randomly generated key.
The OPC and DDPA will continue to monitor WhatsApp to determine whether breaches of the law continue and will decide after that whether they should take “further enforcement actions.”
Dutch laws allow the DDPA to impose sanctions on violators, but the OPC does not have order-making powers.