A data protection law would have made WhatsApp privacy update illegal

In November 2014, WhatsApp adopted the Signal protocol for end-to-end encryption after its acquisition by Facebook in February in the same year. Since then, it has grown to be the most popular app for IP messaging and telephony with almost two billion users worldwide, of which 400 million are in India, the largest in any country. WhatsApp’s unique blend of text, audio and voice messaging and calling platform with the end-to-end encryption has allowed the company to maintain its pole position, despite hiccups like the Pegasus malware episode.

It is, therefore, surprising that a platform that has made a virtue out of protecting user privacy is trying to force its updated terms of service (ToS) and privacy policy on users. The policy seeks consent from users to allow the platform to share their data with Facebook and its companies, which means that WhatsApp would share transaction data, mobile device information, IP addresses and other metadata on how users interact with businesses on WhatsApp. Such sharing would be done with the user being notified before the start of a chat if the business uses Facebook to store and analyse data and the user would have the option of blocking the business.

However, even this would defy the principle of purpose limitation that has been the yardstick of addressing privacy concerns at a global level. It is a fact that Facebook does not have a stellar record of data protection of its users, as the Cambridge Analytica data scam during the 2016 US elections and Brexit is proof. In 2018, there were reports of Facebook entering into data-sharing deals with other tech firms like Apple, Amazon and Spotify.

WhatsApp responded to widespread concern by, first, trying to clarify that the update did not change anything as far as the private chats between individuals and groups were concerned and that the data would be shared only for business interactions. It then issued large media ads and finally proposed to defer the implementation by about three months to May 15, 2021. But these steps didn’t stop the exodus of many users to alternate online messaging services like Signal and Telegram.

The Indian government has also sent a strong note, seeking the company’s response to 14 queries related to their practices in India and asking the platform to withdraw those proposed changes. This note has sent a clear message to WhatsApp to not subject Indian users to greater information security risks and vulnerabilities with the consolidation of data from WhatsApp and Facebook. In 2019, during the revelations of the Pegasus hacking the IT minister had taken a similar stand, forcing WhatsApp to commit to a few deliverables. In the most recent note, the government referred to the principle of purpose limitation provisions in the Personal Data Protection Bill (PDPB) that was introduced in Parliament in December 2019 and is currently being discussed by a joint select committee. It will be pertinent to mention that had the bill been passed by now, WhatsApp’s move would have been illegal. Provisions in the bill required that every data intermediary has to take explicit permission from the user whose data would be harvested. Even the method of data classification into sensitive personal data and critical data has been defined and their processing possibilities mentioned in the bill.

Clearly, the government has to make the PDPB into law sooner than later so that such restrictive practices can never be introduced in the first place. After all, WhatsApp did make an exception for its users in the European Union. At the same time, for the Competition Commission of India, this is a classic case of an organisation using its near monopolistic power in the market to push through something that is not in the consumer interest.

The fact remains that tech giants need more legal and regulatory watch, given the digital proliferation in the country. As Digital India expands and brings in more users from the current base of 70 crore, and more take to social media for communications and business, they must be ensured a safer digital space, given that most wouldn’t be aware of the reach of the data being generated. For now, WhatsApp has to roll back the TOS and privacy policy and think of methods to allow opt-in and opt-out choices so that forced consent is never made the order of the day.

This article first appeared in the print edition on January 23, 2021 under the title ‘The Whatsapp Fix’.  The writer is a member of the editorial board of the cyber journal of Chatham House

Source link

About the Author