
Mobile Messaging App "WhatsApp" Findings Released

January 28, 2013
The Office of the Privacy Commissioner of Canada (OPC) today released the findings of its investigation into the personal information practices of WhatsApp Inc., developer of the popular mobile messaging app WhatsApp for various devices, including iOS, Android, Blackberry, and Windows Phone devices. The investigation was initiated by the OPC and conducted in collaboration with the Dutch data protection authority.

The OPC alleged violations of the requirements under the Personal Information Protection and Electronic Documents Act concerning (i) consent, (ii) limiting collection, (iii) use and retention, and (iv) safeguarding related to the following functions in connection with WhatsApp:
  • Enrolment and account registration
  • Integration with a user's address book
  • Automatic sharing of status messages
  • Offline storage of messages
  • Transmission security
  • Data retention and account termination

Of particular note, the OPC was critical of WhatsApp's requirement that users consent to the collection of their entire address book in order to use the app. The OPC noted that at the time the investigation was initiated, there was no ability to add users one-by-one, though this functionality has since been added to the iOS app and is planned for the future on the Android app.

The OPC also found that WhatsApp did not have appropriate safeguards in place to protect communications between users since, at the time the investigation was initiated, messages were sent unencrypted and unique device identifiers were used to auto-generate passwords for message exchanges on behalf of users.

In addition, the OPC held that WhatsApp was retaining personal information for longer than required when contacts were uploaded from a user's address book in order to identify other WhatsApp users.  The mobile numbers of non-users of WhatsApp were not being deleted once it was determined that the mobile number related to a non-user and were instead retained in hashed form.

Both the OPC and the Dutch data protection authority released their own reports of findings and will be pursuing any outstanding matters independently. The Dutch data protection authority has released an unofficial translation of its finding. The OPC's finding follows the OPC's release of mobile application guidelines in October 2012.

A summary of this finding will be posted shortly on our subscription service, the Private Sector Source.  In addition, we will be discussing this development on the next AccessPrivacy Monthly Call on Wednesday, February 20, 2012 at 11:30 a.m. (Eastern Standard Time).


PIPEDA; Social Networking