WhatsApp, a widely used instant messaging mobile application similar to Research in Motion’s BlackBerry Messenger, violates Canadian privacy laws and potentially puts user information in danger, according to Privacy commissioner Jennifer Stoddart.
A joint statement by commissioner’s office and the Dutch Data protection Authority said that in their coordinated investigations, they found The California-based WhatsApp Inc., contravened Canadian and Dutch privacy laws dealing with protection, retention and disclosure of personal data because WhatsApp forced users to provide access to their address book in order to use the app. The address book of WhatsApp users may contain information of people who do not even use the app.
The company has promised to change its policies, but both Canadian and Dutch authorities are not satisfied.
“Our office is very proud to mark an important world-first along with our Dutch counterparts, especially in the light of today’s increasing online, mobile and borderless world,” said Stoddart. “Our investigation has led to WhatsApp making a commitment to make further changes in order to better protect users’ personal information.”
RELATED CONTENT
WhatsApp and the world of universal messaging clients
Privacy policies need more than words: Cavoukian
“But we are not satisfied,” said Jacob Kohnstamm, chairman of the DDPA. “The investigation revealed that users of WatsApp - apart from iPhone users who have iOS 6 software – do not have a choice to use the app without granting access to their entire address book.”
“This lack of choice contravenes (Dutch and Canadian) privacy law,” said Kohnstamm.
The WatsApp Messenger, is a cross platform messaging service which allows individuals to exchange messages on their mobile phones through the Internet rather than by short message service (SMS). The app can be used on Apple’s iPhone, BlackBerry phones and Android phones. By some estimates, the app is said to transmit more than a billion messages each day worldwide.
From January to November last year, the Office of the Privacy Commissioner of Canada (OPC) investigated WhatsApp on grounds that the office had reasons to believe the California company was collecting, using , disclosing and retaining personal information in a manner contrary to Canada’s Personal Information Protection and Electronics Document Act (PIPEDA).
The violations found by subsequent Canadian and Dutch investigations found that:
- Once users consent to the use their address book, all phone numbers from their mobile device are transmitted to WhatsApp to assist in the identification of the WhatsApp user. Rather than deleting the number s of the non-users, WhatsApp retains them in hash form. Only iOS6 users have the option of manually uploading their contact number
- Messages sent using WhatsApp were unencrypted leaving them prone to eavesdropping or interception. In Sept. 11, WhatsApp responded to this finding by introducing encryption
- WhatsApp was generating passwords for message exchanges using device information that can be easily exposed. There was a risk that a third party may send and receive messages in the name of users without their knowledge. WhatsApp has ssince introduced a more secure randomly generated key
The OPC and DDPA will continue to monitor WhatsApp to determine of breaches of the law continues and will decide after that whether they should take “further enforcement actions.”
Dutch laws allow the DDPA to impose sanctions on violators but the OPC doe no have order making powers.