When WhatsApp announced support for end-to-end encryption earlier this year, many of its more than 1 billion active users, including vulnerable human rights defenders and activists, became convinced that the messaging service offers more privacy than the competition.
However, recent updates to its terms of service, the first since Facebook acquired WhatsApp two years ago, undermine user privacy, in part because WhatsApp now shares message metadata indicating with whom, when, how, and sometimes where you are corresponding.
Sharing metadata doesn’t directly expose message contents, but as former U.S. Department of State employee Stephen Kim discovered when he was caught speaking with reporter James Rosen, it can be used to secure criminal convictions. The metadata trail proving that Kim spoke with Rosen before Rosen published a story on North Korea was enough to convince Kim to plead guilty to violating the Espionage Act in 2015.
As former National Security Agency General Counsel Stu Baker stated last year, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
While WhatsApp metadata hasn’t yet played a role in a high-profile prosecution in the United States or elsewhere, Kim’s case demonstrates its power to do so. Here’s what people who rely on WhatsApp to keep their private communications private should understand about its new terms of service.
What hasn’t changed
WhatsApp still uses end-to-end encryption, meaning that the contents of your messages are encrypted from the time they are sent to the time the recipient opens them.
But encryption can’t mask metadata because the metadata is “critical” to verifying the authenticity of the transmitted data, says Harlo Holmes, director of newsroom digital security at digital-media rights group Freedom of the Press Foundation. And like phone call records collected by the NSA, message metadata can reveal a lot, including a clear picture of your social network, especially if you use WhatsApp groups.
Analysis of messages from only a few people could enable someone to graph an entire network of friends, colleagues, or activists.
If “one person’s phone number is already under targeted surveillance,” says Nathan Freitas, founder of the Guardian Project, an initiative to develop a secure smartphone and apps, “the simple act of being included in a group chat with them adds you to that [surveillance] list.”
What WhatsApp changed
And although WhatsApp’s terms of service don’t indicate which types of data it shares with law enforcement agencies, as Facebook’s do, it’s now “a fair assumption that they’ll comply with legal processes in any country,” says Nate Cardozo, an attorney with digital-rights group Electronic Frontier Foundation, who notes that “until recently, WhatsApp did not comply with non-U.S. process.”
Driving this assumption: WhatsApp now prohibits its use in countries that have banned it. And its potential ban is hardly hypothetical. In India, people have recently floated a petition to ban WhatsApp and a draft policy on encryption that would make its 256-bit encryption illegal. And in Brazil, police recently threw a Facebook executive in jail over WhatsApp’s encryption.
WhatsApp and Facebook did not respond to requests for comment.
Finally, users in the United States or Canada must now settle legal disputes with WhatsApp through “binding arbitration”—a negotiation conducted by a third party chosen by WhatsApp. The only way to effectively sue the company is to first opt out of this term with a signed letter, sent through the postal service to WhatsApp’s Menlo Park office within 30 days of accepting the new terms.
What privacy-oriented users can do now
- Say no to information sharing
Existing WhatsApp users must agree to the new terms by September 25. When you scroll through the terms, you can uncheck the box that says “share my information with Facebook.” Doing this won’t isolate your information from WhatsApp’s parent and sister companies, but it will ensure that WhatsApp won’t share it for the purpose of improving your Facebook ads and products experiences.
If you’ve already accepted the new terms of service, you can still stop contributing your data to Facebook. Go to “Settings,” “Account,” then “Share my account info,” and uncheck the box.
- Isolate WhatsApp from Facebook
If you really want to keep WhatsApp and Facebook separate, don’t use the same phone numbers for the services. You can either use a different number for Facebook and WhatsApp, or simply not provide Facebook with a phone number.
To further isolate WhatsApp and Facebook, use Facebook through a mobile browser rather than its app.
- Use common sense
Weigh your own security and privacy needs. And regardless of how you use WhatsApp, keep in mind that it’s part of the Facebook family now, which isn’t always a happy family.