The Boiling Frogs of Data Privacy and Digital Risk – was the fuss about WhatsApp justified?

  • Home
  • /
  • Blog
  • /
  • The Boiling Frogs of Data Privacy and Digital Risk – was the fuss about WhatsApp justified?
  • Home
  • /
  • Blog
  • /
  • The Boiling Frogs of Data Privacy and Digital Risk – was the fuss about WhatsApp justified?
February 26, 2021

Data Privacy - C2 Cyber Ltd

So apparently it’s not true – according to modern biologists a frog placed in a pan of water being heated will actually climb out when it gets too hot; but the recent changing of WhatsApp’s privacy policy does beg the question of whether or not we are being slowly heated up to a place where our data privacy is truly threatened. And the millions” of users that left WhatsApp for rival encrypted messaging brands suggests that the sentiment out there is “yes” 

Add to that the sheer impact of some of the biggest collectors of personal data in the world sharing it with each other and it is tempting to think that nothing is safe anymore. We decided to take a look and try to reach a balanced view. 

What really happened with WhatsApp? 

Many users were spooked by the requirement to accept WhatsApp’s new privacy policy (which is still a requirement if you want to use the app after May)

  • The new privacy policy seemed to mandate sharing of sensitive profile information with WhatsApp’s parent company, Facebook, and other companies in the Facebook group 
  • That isn’t true — the update actually has nothing to do with consumer chats or profile data, and instead the change is designed to outline how businesses who use WhatsApp for customer service may store logs of its chats on Facebook servers. 
  • According to WhatsApp’s policies, neither Facebook nor WhatsApp read users’ message logs or listen to their calls, and WhatsApp doesn’t store user location data or share contact information with Facebook. (It’s also worth noting that data sharing with Facebook is extremely limited for European users due to stronger user privacy protections with GDPR.) 
  • The policy also says that end-to-end encryption is used throughout a message’s lifecycle, including if it is stored for any length of time on WhatsApp’s servers. 

Was the fuss over WhatsApp justified from a Data Privacy perspective? 

Ironically, it is highly likely that the data sharing WhatsApp users are so worried about has already been happening for a while for the vast majority of users of the service. WhatsApp allowed users to opt out of data sharing with Facebook briefly in 2016, two years after Facebook purchased the platform. 

Subsequently, new customers and anyone who didn’t manually opt out of data sharing have had some personal information, principally their phone number and profile name, shared with the larger social network for ad targeting and other purposes.  

If you look at the privacy labels for WhatsApp on the App Store, labels Apple only last month began forcing developers to disclose, you’ll see scores of information that is marked as “data linked to you,” although only a unique device ID and app usage data is listed as used for “developer’s advertising and marketing.” 

So although little has changed with the new privacy policy, it has perhaps served to emphasise that we are already being exploited and that trajectory would only seem to be going up. 

Signs of overheating? 

From CCyber’s perspective, it is fair to say that the frog is already well cooked. It remains remarkably difficult to be absolutely sure what data is being collected, retained and who it is being shared with by large companies and their associated groups. The Facebook group of companies is just one example. But it is a good illustration 

Facebook has acquired 78 companies over the past 15 years. Merely the 27 purchases for which costs have been disclosed were valued to be worth more than $23 billion. (If you want to see the full story of Facebook’s acquisitions, there is a really good link here). Although there are some exotic purchases involving VR headsets and drone manufacturers, the majority of the estate relies on and thrives because of the aggregation or provision of customer data for focussed advertising purposes. The kind of return on investment that creates such a large financial value makes it irresistible to not share data and that pressure will always exist. Therein lies the threat to data privacy. 

Such a conglomeration of sensitive data in one place also makes social media companies an irresistible target for hackers and bad actors. That defines the digital risk. 

It would not be so bad if there had not been such a clear run of serious data breaches or examples of a lack of care with personal data among the large players in the industry (Google and Microsoft included). The Facebook example in April 202where 267 million sets of personal customer records were sold on the dark web including email addresses, names, Facebook IDs, dates of birth and phone numbers is a case in point. 

So, can we trust them? 

Ultimately, we all need to take a view on what data we share on cloud-based applications in general and messaging apps in particularespecially if we are using them for business purposes. And it is fair to say that we can trust WhatsApp as much now as we could before its new privacy policy, but that may be a low bar against which to judge it. GDPR is a good start, but as long as the fines levied for data breaches are less than the value to be gained from sharing information between companies then they are going to look at it on a risk and reward basis. 

__CONFIG_group_edit__{}__CONFIG_group_edit__
__CONFIG_local_colors__{"colors":{"8b2fd":"Snuff","edb1a":"White Lilac","83d40":"Ship Cove","20090":"Scampi","4f35b":"Rose White","b98f0":"Turquoise","772bd":"Turquoise"},"gradients":{}}__CONFIG_local_colors__