WhatsApp, Facebook get a privacy finger wagged at them by FTC

library
crime | hacking | security

As Naked Security has reported, WhatsApp CEO Jan Koum has tried to reassure us all that privacy is hard-wired into the company – “coded into our DNA”, as he publicly stated, and that the instant messaging app was built around “the goal of knowing as little about you as possible.”

Yeah? Well, you better aim to keep it that way post-Facebook acquisition, the US Federal Trade Commission (FTC) warned on Thursday.

The FTC has approved of Facebook’s WhatsApp acquisition in the US, but not without wagging a finger at the two companies over privacy.

From a prenuptial letter sent to the two companies by Jessica Rich, the director of the FTC’s Bureau of Consumer Protection:

WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties — promises that exceed the protections currently promised to Facebook users. We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers.

Rich warned the companies that if, post-acquisition, WhatsApp fails to honor its promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, a previous FTC order against Facebook concerning user privacy.

In February 2014, Facebook made eyeballs pop in the technology world when it announced it would buy WhatsApp for a whopping $16 billion (nearly £10 billion).

The FTC’s already tussled with Facebook over privacy.

But for its part, “hard-wired” privacy in its DNA or not, WhatsApp certainly hasn’t been immune to privacy questions.

The company was investigated and censured in 2013 for a number of privacy violations, following a joint investigation of its practices by Canadian and Dutch regulators.

At any rate, as the FTC’s Rich reminded WhatsApp in her letter, its most recent privacy policy states that:

* WhatsApp does not collect names, emails, addresses or other contact information from its users’ mobile address book or contact lists other than mobile phone numbers

* We do not collect location data

* The contents of messages that have been delivered by the WhatsApp Service are not copied, kept or archived by WhatsApp

* We do not use your mobile phone number or other Personally Identifiable Information to send commercial or marketing messages without your consent

* We do not sell or share your Personally Identifiable Information (such as mobile phone number) with other third-party companies for their commercial or marketing use without your consent.

After the acquisition announcement, WhatsApp wrote:

Here’s what will change for you, our users: nothing … And you can still count on absolutely no ads interrupting your communication.

Facebook CEO Mark Zuckerberg echoes that promise, having said that “We are absolutely not going to change plans around WhatsApp and the way it uses user data”, while a Facebook spokesperson confirmed that the company will uphold WhatsApp’s promises to users.

The FTC is going to make sure things do, in fact, pan out that way.

If Facebook and WhatsApp do decide to change what they collect from WhatsApp users or how that data is used, whether it’s for improving Facebook’s News Feed algorithm or to improve ad targeting on Facebook, for example, they’ll need direct permission from their users, the FTC says.

Rich writes:

If you choose to use data collected by WhatsApp in a manner that is materially inconsistent with the promises WhatsApp made at the time of collection, you must obtain consumers’ affirmative consent before doing so.

Given that restriction, it could be a bit more of a challenge for Facebook to squeeze its new international messaging arm enough to warrant a $16 billion price tag.

What’s more, the FTC is standing up for consumers even more by recommending that they get an opportunity to opt out of data collection changes, or at least that WhatsApp make it clear that they have an opportunity to stop using the WhatsApp service.

Making new data collection policies opt-in would be an even more pro-privacy, pro-consumer stipulation, but we’ll take what we can get.