Whatsapp - sensibly private; but tainted by Facebook

series: Privacy & Apps
Whatsapp holds up a reputation of being simple and sensible; the presence of Facebook makes it hard to swallo

tags: Android; apps; facebook; privacy; Privacy Guard; Whatsapp;

Update: clarification regarding Wi-Fi and IMEI related permissions

As part of the Privacy Guard series, I look at the functionality of various mobile apps with respect to the data they use. One of the apps I use most frequently (and I suspect a large population does too) is the Whatsapp Messenger.

The premise of the app is simple: the app is registered against your phone number, so you can find all your contacts on Whatsapp without adding their usernames and such. While this makes things much easier for the end-user, it also exposes your entire contact list to a company that provides you 'free' services - a misnomer used to collect and commercialise your data. In the case of Whatsapp, the company used to be independent, and over time managed to amass a large following owing to the simple model of usage and the cheap cost of free for the first few years.

Technologically, Whatsapp has always been a strong and stable platform. Recently, they implemented Open Whisper Systems' Signal protocol, which enables end-to-end encryption on all chats. This allows secure messaging between contacts, and gives a degree of credibility to the claim that no one can read the messages while they are in transit. So Facebook does not have any access to the contents of messages.

But, and here is an important part - Facebook can and does access the metadata of these messages. This is information that is monetised in the larger social graph that is used to target ads. Metadata is information such as who you talk to, how often, at what time, how long the chats go on, what your location is, and everything else except the actual contents of the message itself. As an indication of how powerful metadata can be, consider that much of wiretapping and surveillance depends on access to such metadata. Data that can provide such powerful analytics and inferences in the hands of a vested commercial entity is certainly a cause of concern on ethical and moral grounds. And this is only the metadata in Whatsapp, whereas much of the actual information is hidden inside the Facebook social graph.
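To make the point about metadata concrete, here is an added example (not part of the original post): a Python script that takes message records holding only sender, recipient and timestamp, and derives who a user talks to, how often, at what hours and for how long. The names, the records and the 30-minute session gap are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (sender, recipient, ISO timestamp). No message bodies,
# which is what a service can still observe under end-to-end encryption.
RECORDS = [
    ("alice", "bob", "2017-03-06T08:01:00"),
    ("bob", "alice", "2017-03-06T08:03:00"),
    ("alice", "bob", "2017-03-06T08:10:00"),
    ("alice", "clinic", "2017-03-07T09:30:00"),
    ("clinic", "alice", "2017-03-07T09:32:00"),
    ("alice", "dave", "2017-03-07T23:40:00"),
    ("dave", "alice", "2017-03-07T23:55:00"),
    ("alice", "dave", "2017-03-08T00:20:00"),
    ("dave", "alice", "2017-03-08T23:50:00"),
    ("alice", "bob", "2017-03-09T08:02:00"),
]

SESSION_GAP = timedelta(minutes=30)  # assumption: longer silence starts a new chat


def profile(records, user):
    """Summarise who `user` talks to, how often, when, and for how long."""
    times = defaultdict(list)
    for sender, recipient, ts in records:
        if user in (sender, recipient):
            peer = recipient if sender == user else sender
            times[peer].append(datetime.fromisoformat(ts))
    report = {}
    for peer, stamps in times.items():
        stamps.sort()
        sessions = [[stamps[0], stamps[0]]]
        for t in stamps[1:]:
            if t - sessions[-1][1] <= SESSION_GAP:
                sessions[-1][1] = t      # same conversation continues
            else:
                sessions.append([t, t])  # silence exceeded the gap
        report[peer] = {
            "messages": len(stamps),
            "sessions": len(sessions),
            "longest_minutes": max(
                int((end - start).total_seconds() // 60) for start, end in sessions),
            "late_night": sum(1 for t in stamps if t.hour >= 23 or t.hour < 5),
        }
    return report


if __name__ == "__main__":
    for peer, stats in sorted(profile(RECORDS, "alice").items()):
        print(peer, stats)
```

Even on ten records the output separates a weekday-morning contact, a one-off exchange with a clinic, and a contact reached only late at night, without a single message being read.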

In terms of using data in a smartphone, the Whatsapp application itself is well behaved. It clearly signals when it needs information, and specifies for what purposes. The permissions as requested by the app on Android are quite numerous. Below I list all of them along with information about when they are requested, their possible justifications, and what happens when that piece of data is denied to the app.

Device & app history - retrieve running apps

Identity

Contacts

Location

SMS

Phone

Photos/Media/Files

Camera

Microphone

Wi-Fi connection information

Other

These permissions make no sense and are outright denied

Overall, Whatsapp is a good application. It does not appear to 'leak' any data, and the use of the Signal Protocol ensures that messages are not read by anyone in between. That said, it is still owned by Facebook, which has been known to be quite greedy and morally questionable in many cases. There have been several news reports where Facebook was asked to stop collecting data from Whatsapp users, particularly in the EU. However, Facebook is still looking actively into monetising this platform (it paid billions for it, after all). I'd be wary of using Whatsapp simply to avoid the tentacles of Mark Zuckerberg & Co.