
By Asheeta Regidi

WhatsApp’s new Privacy Policy came as a sharp contradiction to every promise of privacy and security made by it in the past. The new Policy is now being challenged in the Delhi High Court, possibly the first such case in India. The petition, filed by Karmanya Singh Sareen and Shreya Sethi, questions this contradiction between the previous policy and the new one, and also the manner in which consent is being obtained. So what can the Delhi High Court find wrong with the new Policy?

Procedurally speaking the change is legal

The changes to the policy are procedurally legal. Abroad, the procedure to modify a privacy policy consists of two steps – first, inform the customers that the policy is being changed, and second, obtain their consent to this change. The Indian law on privacy policies, the Information Technology Personal Data Rules, 2011, doesn’t specify a procedure for this, but it is clear that a customer’s specific consent is required for any modification. WhatsApp has followed the two steps, and so, the change to the policy is legal. Issues with the change, however, arise once you dig a little deeper.

False advertisement / misrepresentation claims are possible

The main problem people have is that WhatsApp has gone back on all its promises of privacy and security made in the past. WhatsApp’s blogpost states that the only thing changing is that WhatsApp will now share user phone numbers with Facebook, for the limited purpose of providing targeted ads, and giving better friend suggestions. The other change is that WhatsApp will allow businesses to communicate directly with their customers through WhatsApp.

While the blogpost projects a very narrow usage of user data, the new Privacy Policy takes permission to share every piece of data collected by WhatsApp, with anyone. The data now being collected by WhatsApp is extensive, ranging from your phone number, your contact list, your profile picture, your status messages, your e-mail, location information, your device data, webpages shared using WhatsApp, etc. Previously, all WhatsApp collected was your phone number, your contact list, and your device information.

Considering WhatsApp’s tall claims about its stand on privacy, this is a major change. It is surprising how little is actually revealed in the blogpost meant to inform people of the change. There is a good chance that this contradiction can be taken to be misrepresentation. Legally, a privacy policy is a contract between WhatsApp and its users, and if the Court considers this to be a misrepresentation as to its privacy practices, that will make the contract, i.e., the privacy policy, illegal.

Also, the difference between the blogpost and the actual Policy can be considered to be false advertisement. This was in fact one of the major allegations against the policy of Uber, which advertised itself to be the ‘safest ride’, when in reality it did not take basic measures like conducting driver background checks. In fact, its terms and conditions at the time refused all responsibility for passenger safety. This resulted in a 28 million dollar settlement in California, and forced Uber to adopt more responsibility for the passenger’s safety. WhatsApp’s privacy promises seem to have taken the exact same turn.

Ambiguous terms of the policy question end-to-end encryption

Another issue with the Privacy Policy is the absolute ambiguity in the drafting of the policy. An essential part of a Privacy Policy under the IT Personal Data Rules is that the policy must have clear statements of the companies’ privacy policies. For example, suppose WhatsApp’s new Privacy Policy had said exactly what was written in the blogpost. The blogpost specifies which information can be shared (phone numbers only), and with whom it can be shared (with Facebook only) and for what purpose it can be used (marketing, etc.). This would be a clear statement. None of these promises, or rather limitations, are found in the actual privacy policy. This is in addition to several misleading statements in the policy itself which question WhatsApp’s promise of encryption:

i. One controversial statement in the policy is that: ‘…your WhatsApp messages will not be shared onto Facebook for others to see’. Meaning that while your WhatsApp messages will not be shared ‘onto’ Facebook, the messages can be shared ‘with’ Facebook. The statement goes on to say ‘In fact, Facebook will not use your WhatsApp messages for any purpose other than to assist us in operating and providing our Services …’ Clearly, Facebook can use your WhatsApp messages to assist in operating and providing services.

ii. The policy says it does not retain user messages in the ‘ordinary course’ of providing services. Does this mean that in situations ‘out of the ordinary’, WhatsApp can collect user messages?

iii. The policy also states that popular media files being shared, like videos and pictures, are retained. This implies that the WhatsApp messages being sent are being subjected to some kind of monitoring or filtering, without which such videos or pictures being sent cannot be identified. Does this mean the promise of end-to-end encryption does not, in reality, guarantee user privacy as WhatsApp claims?

The Indian case against WhatsApp’s new policy isn’t the only one. A similar petition has also been filed before the Federal Trade Commission of the US. This petition points out that most users will blindly agree to the privacy policy on the strength of the assertions made by WhatsApp on its blog, and on the belief that WhatsApp is a staunch guardian of their privacy. Hopefully, between this petition and the one now before the Delhi High Court, WhatsApp and Facebook will be forced to adopt a different stance towards their users’ privacy.

The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.