Unclarity in WhatsApp’s new Terms

On 7th January 2021, WhatsApp Messenger asked me to agree to send data to Facebook. I did not.

(WhatsApp had previously asked for agreement in 2016, but at that time there had been an option for existing users to opt out. No such opt-out was available with the 2021 change.)

Although it is disputed that Cambridge Analytica really did swing two major elections in the Anglo-American world by clever use of Facebook data in 2016, it’s nevertheless clear that Facebook may be *dangerously competent* at mining personal data. In fact I would sooner agree to having my data looked after by an oppressive regime than by Facebook, because Facebook’s data analysis skills seem stronger than those of major governments.

What I’m trying to avoid with WhatsApp is quite simple:

I do not want my account to be a “signal” in the profile analysis of my contacts.

For example:

European confusion

Various media reports said WhatsApp data will not be shared with Facebook for users within the EEA (strangely including Britain even after “Brexit” although I’m not sure for how long that would last), but I’d prefer to get my information by reading *the agreement itself* rather than possibly-mistaken reports about it.

One piece of questionable web design was the way the European and non-European agreements were headed. The European version started out with the sentence “If you don’t live in the European Region, WhatsApp LLC provides WhatsApp to you under this Terms of Service and Privacy Policy” whereas the *non*-European version said “If you live in the European Region, WhatsApp Ireland Limited provides the Services to you under this Terms of Service and Privacy Policy.” Each of these statements linked to the *other* version of the policy, but the use of the term “this” could easily be read as “this one on this page,” causing confusion about which one *is* the European version. Clearer headings could have prevented this, but perhaps clarity is regarded as a less-important skill by some legal departments.

The European version (the one that had eea in the URL) linked to a Privacy Policy that included these words:

WhatsApp shares information globally, both internally within the Facebook Companies, and externally with our partners and with those you communicate around the world in accordance with this Privacy Policy and our Terms.

which has a PP-attachment ambiguity: does the “in accordance with” part apply *only* to the “externally” part, or does it apply to the whole sentence? If it applies to the whole sentence, then they should have added an extra comma before the “in” to make this clear—as it stands, it’s *possible* to read it as saying the policy restricts only “external” sharing and does not restrict “internal” sharing within the Facebook Companies, which makes this a rather important comma to leave out.

The (European) Privacy Policy did link to a FAQ page that said “WhatsApp does not share your contacts with Facebook” (changed to “WhatsApp does not share your contacts with Meta” in November due to the company name change), but that page was removed in January 2023, and before that I didn’t think it was assurance enough because:

1. this statement is not on the policy page *itself*, but on an *auxiliary* page—it’s not clear that linking to it from the policy makes it *part* of the policy, and if it’s not part of the policy then they could change it at any time without needing any further agreement from you (compare for example YouTube’s 2020 change that said they’ll start advertising on your videos even if you’ve opted out—they *said* this would take the form of links in an already-cluttered sidebar, but that detail was not *part* of the policy, and within months I had to delete my educational videos because pressing Play gave full-screen noisy advertising for products I do not endorse);

2. there may be a difference between sharing “your contacts” and sharing *data derived from* your contacts (for example, Facebook could decide to query WhatsApp about how many contacts you have that fit within a supplied cohort, which would still derive advertising signals from them without counting as “sharing” the contacts themselves);

3. another FAQ entry says:

Today, Facebook does not use your WhatsApp account information to improve your Facebook product experiences or provide you more relevant Facebook ad[vertisement] experiences on Facebook. We’re always working on new ways to improve how you experience WhatsApp and the other Facebook Company Products you use. We’ll keep you updated on new experiences we offer and our data practices.

which seems to say they *will* derive advertising signals from your WhatsApp data, they just haven’t figured out how to do it *yet*,

4. and elsewhere it says “Should we choose to share such data with the Facebook Companies for this purpose in the future, we will only do so when we reach an understanding with the Irish Data Protection Commission on a future mechanism to enable such use” and I’m not entirely sure the Commission can be counted on not to declare post-Brexit Britain to be out of their remit, effectively giving Facebook the go-ahead without any further consultation from us.

Advertising on WhatsApp itself

The (EEA version of the) Privacy Policy said:

“We still do not allow third-party banner ad[vertisement]s on our Services. We have no intention to introduce them, but if we ever do, we will update this Privacy Policy”

The problem with this is the word banner—it doesn’t say there won’t be any *advertising*; it says only that there won’t be any “banner” advertising. Banner advertising is not the *only* kind of advertising! Including the word “banner” here gives superficial reassurance while still leaving open the way to third-party advertising in *any format that’s not a banner*.

And would *that* advertising be allowed to use Contacts data as a signal? Consider:

1. The policy includes “providing marketing communications to you” under “Legitimate Interests” of data use, and says “We use information described in the “Information You Provide,” “Automatically Collected Information,” and “Third-Party Information” sections of this Privacy Policy for this purpose”

2. and the full range of Facebook algorithms should be available for this, as the wording:

“When we receive services from the Facebook Companies, the information we share with them is used on WhatsApp’s behalf and in accordance with our instructions. Any information WhatsApp shares on this basis cannot be used for the Facebook Companies’ own purposes.”

still allows WhatsApp to say “hey Facebook, here’s some personal data, don’t *you* keep it, but suggest an advertisement for this person and we’ll deliver it from WhatsApp.”

I don’t want to agree to a policy that might allow sociograms to be used as advertising signals, and I’m not convinced this one is watertight enough.

Closing WhatsApp

As I had no reply from the dedicated enquiries address posted with the EU Privacy Policy, and the revised 15th May deadline drew near without any indication that they were going to fix the wording, I gave notice to all active WhatsApp groups I was in, mostly saying:

Sorry leaving this WhatsApp group Friday when my account closes. I asked them about loopholes in new agreement that I think lets them mix our contacts’ advert feeds (can’t OK that with students on my phone), I suggested words to fix it, but no reply & no change, so I leave at their extended deadline to accept.
I’m still on phone & text, + happy to re-join group if we move it to Telegram or Signal, can help set up if needed. (Telegram has 500 million users & I’ve had no trouble with it for 6 years, works better than WhatsApp. Not telling anyone what to do, just reporting my personal experience.)

In most cases I was able to use WhatsApp’s “Export Chat” function to send things I needed to keep to K9 Mail and email them to myself. It was also sometimes possible to send these to Telegram (although Telegram makes it possible for all parties to delete history, so it might not be suitable for keeping agreements etc).

I then closed the account under Settings before deleting the app.

I found closing the WhatsApp account resulted in groups being informed you’d “left” but did not inform anyone sending you a message that you wouldn’t receive it—any messages sent just sat as “unread” indefinitely (with no ‘last seen’ time on the contact). It may therefore be advisable to broadcast individual messages explaining that you’re leaving.

But isn’t WhatsApp end-to-end encrypted?

End-to-end encryption of *messages* does not stop companies from analysing your *contacts*. Any messaging system must necessarily get data about your contacts (or at the very least the people you communicate with), so it’s a question of picking one that’s less likely to do something *else* with that data.

Incidentally, although the actual contents of messages are not my main concern here, I should still point out that WhatsApp’s “end-to-end encryption” means little unless I can verify the client’s source code. Skype had end-to-end encryption too, but that didn’t stop them from adding ‘spyware’ *in the client* in at least one country’s version—end-to-end encryption doesn’t stop a proprietary client from sending *a separate copy* of messages to a third party. Closed-source proprietary software is never something I can fully trust: if I haven’t seen the source code myself (or don’t know a reliable person who has) then I can’t vouch for it. I therefore do not consider WhatsApp communication to be any more “secret” than that of systems *not* featuring end-to-end encryption. If you want secrecy then use a messaging client whose source code you can verify.

Are we “wrong” to think it’s unclear?

WhatsApp never replied to *me* but on 11th May a German official was widely quoted as saying “even after close analysis, it is not clear what consequences approval has for users” and disallowing it in Germany, to which WhatsApp reportedly said “the Hamburg DPA’s claims are wrong” so they “will not impact the continued roll-out of the update” and the wording of the new agreement was not changed.

Personally I can see why the Hamburg DPA said “it is not clear” after its “close analysis”, since that is what I also felt after my own analysis. If the statement that “it is not clear” is included in what WhatsApp calls “the Hamburg DPA’s claims” when it says “the Hamburg DPA’s claims are wrong”, then presumably WhatsApp think they can show the agreement is clear enough—and I’d very much like to read their argument if it can be made available, but meanwhile I’m not in the habit of agreeing to things I feel are unclear just because of some company’s unsubstantiated implication that there exists somewhere an argument that shows I’m “wrong” to feel it’s unclear. Show me the *actual argument* and I’ll consider it—but it must be based on the actual agreement, not any *other* statements by the company (there’s an “entire agreement” clause in there to make nothing *else* binding), and if it tries to tell me that the legal meaning of words is different from what I think then I’d appreciate being able to check this from publicly-available legal references.

2024 update

In 2024, WhatsApp linked UK users to a new “UK” version of their Privacy Policy which includes the following sentence in a discussion of uploading contacts:

We require each of these users to have lawful rights to collect, use, and share your information before providing any information to us.

This casts doubt on the legality of anyone in the UK using WhatsApp if that person happens to work or volunteer for any organisation or charity (including local community groups) to which the Data Protection Act 2018 applies (the UK’s implementation of the European GDPR, which was not cancelled at Brexit). It would be necessary either to obtain permission from all of their contacts to share such information, or else to try to use WhatsApp without allowing it to read contacts at all, which I’m told makes WhatsApp quite unusable, as the designers were not motivated to separate the local contact management code from the upload system.

The 2024 UK privacy policy also has a section “How We Work With Other Meta Companies” which includes the sentence:

When Meta Companies act as our service providers, we require them to use your information on our behalf in accordance with our instructions and terms.

which sounds nice but it doesn’t actually say *what* those “instructions and terms” are, and in particular it doesn’t say “in accordance with this Privacy Policy” so they still have quite a large loophole here.

Limiting WhatsApp’s access to contacts

Using technical means to limit WhatsApp’s access to your phone contacts before accepting the agreement does not completely solve the problem: you’d still be giving Facebook/Meta permission to make inferences about any contact information they *do* get—such as the subset of people with whom you do communicate on WhatsApp—even if they’re unable to use the rest of your contact list. And being unable to access your other contacts is *not* a given: the agreement didn’t say Facebook won’t ever try to find a way *around* whatever technical measures you put in, plus accidents happen and once you’ve agreed you’ve agreed.

If you determine this is an acceptable risk (I cannot advise on this), the technical options I’m aware of are:

1. Run a second device just for WhatsApp. You shouldn’t need a second number if you can connect the second device only over WiFi and manually confirm SMS codes sent to your primary device—this might be suitable if all your WhatsApp messages are low priority and it doesn’t matter if they’re not sent to your main phone in real time. It does require you to *have* a second device.

2. Deny the WhatsApp app permission to read any phone contacts. This will result in WhatsApp always showing numbers instead of names (it does not support its own contact management independently of the phone’s) which might be inconvenient. Moreover, at least some versions of WhatsApp will *repeatedly* ask for contacts-reading permission, and it takes only one accidental tap to give it—so I cannot recommend working like this if you don’t want to risk *accidentally* giving permissions to WhatsApp.

3. Use a custom dialler app like F-Droid’s OpenContacts, which maintains its own list of contacts instead of using the phone’s database. Any contact added into the custom dialler app should be hidden from all other apps, including WhatsApp but also including Signal etc—this method does not leave you the option of hiding contacts *only* from WhatsApp while allowing apps like Signal to see them. Moreover, it’s not impossible that a bug might be introduced in the custom dialler that causes your contacts, call logs or messages to be divulged to the wider system: this setup might be more precarious than it looks.

4. Set up a “work” profile with cross-profile contacts search disabled, and install WhatsApp on that so it will have access only to “work” contacts. This is an option only if your device is not already enrolled in any organisation’s work profile; you’ll need an app like Test DPC (on Android Enterprise) to set it up, and you’d better be careful when setting both Policy permissions and also Play Store contacts backup/restore options in the profile. Any input methods you require may need to be reinstalled in the “work” profile.

5. Run a highly-customised AOSP fork: this will require a *lot* of work, probably including some fairly low-level coding.

Again, I am unable to endorse any of the above workarounds, because *agreeing* with a competent resourceful company that has a questionable track record, to something with which you don’t really agree, and then relying on technical measures to stop it from happening, when you don’t have access to their app’s source code, is fundamentally risky. I list them here for reference only and disclaimers apply.
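For option 2 above, where the risk is an accidental tap re-granting permission, a periodic check that the permission really has stayed revoked is useful. This is an example added here, not code from the original post: it reads the output of Android’s `dumpsys package` (over adb, or from saved text) and reports the contacts-related runtime permissions. The package name `com.whatsapp`, the `granted=true`/`granted=false` line format and the sample dump are assumptions constructed for the example.

```shell
# Report whether a package still holds contacts-related permissions.
# Example added for illustration; package name and dump format are assumptions.
PKG="${PKG:-com.whatsapp}"

# Constructed sample of the "runtime permissions:" part of a dumpsys dump.
SAMPLE_DUMP='  runtime permissions:
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
      android.permission.WRITE_CONTACTS: granted=false, flags=[ USER_SET ]
      android.permission.GET_ACCOUNTS: granted=true, flags=[ USER_SET ]'

# grant_state DUMP_TEXT PERMISSION -> prints "granted", "revoked" or "absent"
grant_state() {
  line=$(printf '%s\n' "$1" | grep "^[[:space:]]*$2: granted=" | head -n 1 || true)
  case "$line" in
    "") echo absent ;;
    *granted=true*) echo granted ;;
    *) echo revoked ;;
  esac
}

# contacts_report DUMP_TEXT -> one "PERMISSION state" line per permission.
# Returns 1 if any contacts-related permission is granted, else 0, so the
# function can drive a cron job or a shell alert.
contacts_report() {
  rc=0
  for p in android.permission.READ_CONTACTS android.permission.WRITE_CONTACTS \
           android.permission.GET_ACCOUNTS; do
    s=$(grant_state "$1" "$p")
    echo "$p $s"
    if [ "$s" = granted ]; then rc=1; fi
  done
  return $rc
}

# With --adb, pull the live dump from a connected device; otherwise demo
# on the constructed sample (which has GET_ACCOUNTS granted, so exits 1).
if [ "${1:-}" = "--adb" ]; then
  dump=$(adb shell dumpsys package "$PKG")
else
  dump="$SAMPLE_DUMP"
fi
contacts_report "$dump" || echo "WARNING: $PKG can still reach contacts data"
```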

Legal

All material © Silas S. Brown unless otherwise stated. Android is a trademark of Google LLC. Facebook is a trademark of Facebook, Inc. Google is a trademark of Google LLC. Skype is a trademark of Microsoft in the US (but not in Europe because it was too similar to Sky). Telegram is a trademark of Telegram Messenger LLP. WhatsApp is a trademark of WhatsApp Inc., registered in the U.S. and other countries. Wi-Fi is a trademark of the Wi-Fi Alliance. YouTube is a trademark of Google Inc. Any other trademarks I mentioned without realising are trademarks of their respective holders.