
What’s Up with WhatsApp: Canadian and Dutch Privacy Regulators Take Aim at Mobile Privacy Issues

June 26, 2013

In an effort to address an increasingly online, mobile, and borderless world, the Office of the Privacy Commissioner of Canada (“OPC”) recently coordinated with the Dutch Data Protection Authority in the first-ever international investigation of privacy complaints.  The Canadian-Dutch collaboration investigated the handling of personal information by WhatsApp Inc., a California-based mobile application developer. WhatsApp cooperated throughout the investigation and took corrective actions in response to the Canadian and Dutch authorities’ findings and recommendations, some of which are outlined below.

A popular instant message app for mobile phones, WhatsApp relies on a user’s address book to populate contacts for a user’s own contact list.  WhatsApp would upload the full address book or contacts list including contacts that are not part of the WhatsApp network, as a condition of service.  The OPC found that this violated the principle that the collection of personal information must be limited to that which is necessary for an identified purpose and the principle that an organization shall not, as a condition of the supply of a service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.

Once a user’s address book had been uploaded, all contact information was retained by WhatsApp, including mobile numbers of non-users (in hash form). Since WhatsApp does not require the mobile numbers of non-users to function, the OPC recommended those numbers be destroyed immediately after their identification and classification as “out-of-network” numbers. Non-user numbers may be collected with a user's consent to identify contacts on the WhatsApp network, but those numbers should not be retained by WhatsApp. This retention violated the principle that personal information should be destroyed, erased, or made anonymous when it is no longer required to fulfill its identified purpose. Although WhatsApp claimed to render out-of-network numbers anonymous, the OPC did not find its process sufficient, as full phone numbers could easily be recovered with a modest amount of computing effort. In response to the OPC’s findings, WhatsApp now gives iPhone users the option to manually add contacts and bypass the address-book-based process. This function will soon be rolled out for other platforms.
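The following sketch is an added illustration, not code from the OPC report or from WhatsApp. It shows why a hash of a phone number is not an anonymous value: the input space is small enough to enumerate. The hash algorithm (SHA-256), the sample number, and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample: a fictional-range number and the part of it a guesser knows.
NUMBER = "+14165550142"
PREFIX, UNKNOWN_DIGITS = "+1416555", 4   # 10**4 = 10,000 candidates to try


def plain_hash(number: str) -> str:
    # Unkeyed digest. SHA-256 is an assumption; the page names no algorithm.
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_hash(number: str, key: bytes) -> str:
    # HMAC with a server-side secret: a pseudonym, not an anonymous value.
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def reidentify(stored: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Retention check: can a stored value be mapped back to a number
    simply by hashing every candidate in the (small) input space?"""
    for n in range(10 ** UNKNOWN_DIGITS):
        candidate = f"{PREFIX}{n:0{UNKNOWN_DIGITS}d}"
        if hmac.compare_digest(hash_fn(candidate), stored):
            return candidate
    return None


def audit() -> dict:
    key = secrets.token_bytes(20)     # 160-bit random secret
    other = secrets.token_bytes(20)   # stands in for a party that lacks the key
    stored_keyed = keyed_hash(NUMBER, key)
    return {
        "plain": reidentify(plain_hash(NUMBER), plain_hash),
        "keyed_without_key": reidentify(stored_keyed, lambda c: keyed_hash(c, other)),
        "keyed_with_key": reidentify(stored_keyed, lambda c: keyed_hash(c, key)),
    }


if __name__ == "__main__":
    for scheme, result in audit().items():
        print(f"{scheme:18} -> {result}")
```

The keyed variant only resists parties who lack the key; whoever holds it can still map every value back, which is why destroying out-of-network numbers after matching, as the OPC recommended, is the stronger control.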

The OPC found that WhatsApp violated the principle that the knowledge and consent of an individual are required for the collection, use, or disclosure of personal information by broadcasting, without users’ consent, the status updates of its users to all members in the WhatsApp network. In response to the OPC’s findings, WhatsApp amended its terms of service to clearly disclose that status updates are visible globally and indicated it has added real-time notification for user status submissions to future releases starting near the end of September 2013.

When the investigation began, WhatsApp messages were unencrypted, leaving them prone to eavesdropping or interception, particularly when sent through unprotected Wi-Fi networks. In response, WhatsApp introduced encryption to its mobile messaging service. Furthermore, the OPC found that generating passwords on behalf of users using device information that could be easily exposed (IMEI numbers and MAC addresses) did not provide adequate security safeguards considering the sensitivity of the personal information being sent and received by WhatsApp.

In response, WhatsApp strengthened its authentication process to use a 160-bit randomly generated key. The OPC found that the security safeguards employed by WhatsApp appeared to be in line with the sensitivity of personal information at issue.

This matter is an interesting example of cross-border collaboration to address privacy concerns arising from mobile apps, and may signal the beginning of a trend in privacy enforcement. 

The complete Report of Findings from the OPC can be found at:

Content shared on Bereskin & Parr’s website is for information purposes only. It should not be taken as legal or professional advice. To obtain such advice, please contact a Bereskin & Parr LLP professional. We will be pleased to help you.