Canadian and Dutch data privacy guardians release findings from
investigation of popular mobile app
OTTAWA and THE HAGUE, Netherlands, Jan. 28, 2013 /CNW/ - The Office of
the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection
Authority (College bescherming persoonsgegevens, (CBP)) today released their findings from a collaborative investigation
into the handling of personal information by WhatsApp Inc., a
California-based mobile app developer.
The coordinated investigation is a global first, as two national data
protection authorities conducted their work together to examine the
privacy practices of a company with hundreds of millions of customers
worldwide. This marks a milestone in global privacy protection.
"Our Office is very proud to mark an important world-first along with
our Dutch counterparts, especially in light of today's increasingly
online, mobile and borderless world," said Jennifer Stoddart, Privacy
Commissioner of Canada. "Our investigation has led to WhatsApp making
and committing to make further changes in order to better protect
users' personal information."
Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, adds:
"But we are not completely satisfied yet. The investigation revealed
that users of WhatsApp - apart from iPhone users who have iOS 6
software - do not have a choice to use the app without granting access
to their entire address book. The address book contains phone numbers
of both users and non-users. This lack of choice contravenes (Dutch and
Canadian) privacy law. Both users and non-users should have control
over their personal data and users must be able to freely decide what
contact details they wish to share with WhatsApp."
Key findings and outcomes
The investigation focused on WhatsApp's popular mobile messaging
platform, which allows users to send and receive instant messages over
the Internet across various mobile platforms. While WhatsApp was found
to be in contravention of Canadian and Dutch privacy laws, the
organization has taken steps to implement many recommendations to make
its product safer from a privacy standpoint. At this time however,
outstanding issues remain to be fully addressed.
The investigation revealed that WhatsApp was violating certain
internationally accepted privacy principles, mainly in relation to the
retention, safeguard, and disclosure of personal data. For example:
In order to facilitate contact between application users, WhatsApp
relies on a user's address book to populate subscribers' WhatsApp
contacts list. Once users consent to the use of their address book, all
phone numbers from the mobile device are transmitted to WhatsApp to
assist in the identification of other WhatsApp users. Rather than
deleting the mobile numbers of non-users, WhatsApp retains those
numbers (in a hash form). This practice contravenes Canadian and Dutch
privacy law which holds that information may only be retained for so
long as it is required for the fulfilment of an identified purpose.
Only iPhone users running iOS6 on their devices have the option of
adding contacts manually rather than uploading the mobile address
numbers of their address books to company servers automatically.
At the time the investigation began, messages sent using WhatsApp's
messenger service were unencrypted, leaving them prone to eavesdropping
or interception, especially when sent through unprotected Wi-Fi
networks. In September 2012, in partial response to our investigation,
WhatsApp introduced encryption to its mobile messaging service.
Over the course of the investigation, it was found that WhatsApp was
generating passwords for message exchanges using device information
that can be relatively easily exposed. This created the risk that a
third party may send and receive messages in the name of users without
their knowledge. WhatsApp has since strengthened its authentication
process in the latest version of its app, using a more secure randomly
generated key instead of generating passwords from MAC (Media Acess
Control) or IMEI (International Mobile Station Equipment Identity)
numbers (which uniquely identify each device on a network) to generate
passwords for device to application message exchanges. Anyone who has
downloaded WhatsApp, whether they are active users or not, should
update to the latest version to benefit from this security upgrade.
The OPC and CBP have worked closely together, but have issued separate
reports, respecting each country's data protection law (Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the Dutch Data Protection Act (Wet bescherming persoonsgegevens (Wbp)). Following the issuance of their respective reports of findings, the
OPC and CBP will pursue outstanding matters independently.
Following investigation, the Dutch Data Protection Act provides for a
second phase in which the CBP will examine whether the breaches of law
continue and will decide whether it will take further enforcement
actions. The Dutch legal framework contains the possibility to enforce
the Dutch privacy law by imposing sanctions.
Under Canada's PIPEDA, the OPC will monitor the company's progress in
meeting commitments made in the course of investigation. In most cases,
companies are cooperative in meeting their obligations, and WhatsApp
has demonstrated a willingness to fully comply with the OPC's
recommendations. Unlike the CBP, the OPC does not have order making
SOURCE: Office of the Privacy Commissioner of Canada
For further information:
For full reports of findings, please consult the Dutch and Canadian reports, which can be found online at www.priv.gc.ca and www.dutchdpa.nl.
Office of the Privacy Commissioner of Canada
Lysette Rutgers and Merel Eilander
Dutch Data Protection Authority
(031) (70) - 888 8555
(031) (6) 23381892 or (031) (6) 1161982
firstname.lastname@example.org or email@example.com