On the 25th of August you announced that you would share people’s phone numbers with your parent company, Facebook. However, much remained unclear about the privacy implications of your new policy. Since contacting your firm directly does not result in any meaningful response, I decided to write you this open letter hoping you could clarify the following issues:
- What gets shared with Facebook about the phone numbers of non-users like me?
- Will you share other data from users’ address books too (name, physical address, comments, etc.)?
- How much are you really committed to user privacy if you require uploading address books, didn’t enable SSL until 2012 and end-to-end encryption until 2016?
- Will you share with Facebook the phone numbers of users who stopped using your service before the new policy became active?
- How long do you keep that data after people terminate the use of your service?
Data of non-users
My main concern is that none of these new terms specify what you’re going to do with the phone numbers (and possibly other data in address books that you acquired) of non-users. Are you going to share those with Facebook too? Am I correct in assuming that Facebook will use this data to build profiles of non-Facebook and/or non-WhatsApp users? What’s the legal basis for this new policy of yours?
After an investigation by the Canadian and Dutch data protection commissioners you agreed to store the data of non-users separately, although they were not allowed to verify this. In what way do you use this information for your company’s goals?
You made a statement that “you want to know as little as possible about our users”, which sounds contrary to the way you seem to work. You require users to upload their whole address book, and have no data retention policy according to your own terms. If you really wanted to collect as little as possible, why don’t you select only necessary data from the address book concerning existing users and discard the rest? Why is it necessary to store data indefinitely?
It worries me that you didn’t offer end-to-end encryption until after many competitors did. You didn’t even offer an SSL connection to users in the first two years of your service. If privacy is a main concern of yours, why don’t you implement data protection measures more proactively?
Data of regular users
I was tempted to start using your service when you offered end-to-end encryption because many of my relatives are using it already. Unfortunately, it turned out to be too good to be true when, only 4 months later, you announced the sharing deal with Facebook. From my perspective this looks like a trade-off deal with Facebook. You get the end-to-end encryption, Facebook gets access to your phone number database.
What would happen to the data of users who decide to remove the app or delete their account after you published these changes? Your help pages suggest that their data will be deleted from your servers; however, your privacy statement says something entirely different.
I am looking forward to hearing from you soon.