WhatsApp could face prosecution on poor privacy

Dutch and Canadian privacy commissioners conducted a yearlong investigation into the popular mobile app

A yearlong investigation by government privacy watchdogs in Canada and the Netherlands identified major weaknesses in the way the WhatsApp cellphone messaging application handled the personal information of its users.

Many of the problems have since been fixed, but Dutch authorities have yet to decide whether they will attempt to prosecute WhatsApp under Dutch privacy law, the two organizations said in a joint statement on Monday.

WhatsApp allows users to exchange messages like conventional instant messaging software, but rather than use screen names the system identifies users by their phone number. When a user signs up, they upload their cellphone's address book to WhatsApp to discover who among their existing contacts is available via WhatsApp.

That method was one of the things that originally drew the attention of the Office of the Privacy Commissioner of Canada and The Dutch Data Protection Authority.

Their investigation found that after uploading the address book and using the data to match existing users, the WhatsApp servers failed to delete the phone numbers of non-users as required by Canadian and Dutch law.

The app was also initially found to be sending messages in an unencrypted form, which leaves them vulnerable to eavesdropping and interception, particularly when sent over an unsecure Wi-Fi network. WhatsApp added encryption to messages in September 2012.

Finally, the investigation found the app was generating passwords for message exchanges based on things like the phone's IMEI (international mobile equipment identity) or MAC (media access control) address. Both are relatively easy to discover, opening the possibility that a third party could send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened password generation, but users need to update their software to benefit from the change.

WhatsApp, which is based in Silicon Valley, could not immediately be reached for comment.

News of the investigation comes as the issue of mobile app privacy is increasingly coming into the spotlight.

In December, the State Attorney General of California launched a prosecution of Delta Airlines for failing to comply with California's privacy laws. California's online privacy law requires commercial operators of websites and online services, including apps, which collect personally identifiable information conspicuously to post a privacy policy. The state attorney general has begun looking at apps that either don't include such a policy or don't make it obvious to users.

But even if a privacy policy is put in front of consumers, many often click the "read and understood" button without looking at it, said Pat Walshe, privacy director at the GSM Association, an organization representing network operators. His organization has published guidelines for privacy by design for mobile phone applications.

"We want consumers to have confidence in the industry and that means a commitment to protect consumer privacy. Industry has to fill in the gaps or policy makers will do it, possibly in an overly prescriptive way," said Walshe.

(Jennifer Baker in Brussels contributed to this report.)

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com

Tags: WhatsApp, GSM Association, security, Access control and authentication, legal, mobile security, encryption, mobile, mobile applications, Criminal

Google introduces Chrome 'factory reset' pop-ups to tackle extensions hijacks

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Web Security and Control

Protect your users on the web

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.