hidden

By Asheeta Regidi

WhatsApp, in the ongoing case against its new privacy policy before the Delhi High Court, has said that it doesn’t have any access to user data because of end-to-end encryption. It also said that only the user’s name, contact number and contact lists would be shared with Facebook. A reading of WhatsApp’s new Privacy Policy, however, presents a very different scenario. Whatsapp can collect a range of information including profile pictures, location data, and possibly user messages as well.

The Delhi High Court has asked WhatsApp to file a short affidavit before 20 September explaining the factual position.

WhatsApp can share any information with anyone

WhatsApp in its arguments before the Delhi High Court states that it only collects user names, contact numbers and contact lists. This limited amount of information will be shared only with Facebook. The sharing will be only for limited purposes, such as targeted advertising. These restrictions, however, are only mentioned in its blogpost talking of the new Privacy Policy. The actual Privacy Policy does not contain any of them.

As explained in an earlier article, WhatsApp has taken permission from users to collect a very wide range of data. This ranges from user phone numbers, contact lists, profile pictures, status messages, emails, location information, device data, webpages shared using Whatsapp, etc. This means that while WhatsApp claims that it collects user names and contact numbers, it is taking permission from users to collect a lot more data. Moreover, any of this information can be shared with not just Facebook, but also any of its affiliated companies and third party providers. In effect, while WhatsApp claims to be sharing very little information only with Facebook, it is taking permission to share any information with anyone.

Facebook can use your WhatsApp Messages

Some very ambiguously drafted terms in the Privacy Policy indicate that even end-to-end encryption may not be implemented as completely as WhatsApp claims it is. A part of the policy meant to reassure users of Facebook’s use of the information shared with it, unfortunately has the opposite effect:

For example, the policy states that ‘…your WhatsApp messages will not be shared onto Facebook for others to see’, indicating that messages can still be shared ‘with’ Facebook, only it won’t be shared publicly ‘on’ Facebook. The statement goes on to say ‘In fact, Facebook will not use your WhatsApp messages for any purpose other than to assist us in operating and providing our Services …’ Clearly, Facebook can use your WhatsApp messages to assist in operating and providing services.

Other faults can be found, such as the claim that WhatsApp does not ‘retain user messages in the ‘ordinary course’ of providing services’, which means that under special circumstances, user messages can be retained. Yet another statement says that WhatsApp retains popular media files being shared repeatedly, like videos and pictures. If WhatsApp can identify and retain such files, this obviously indicates that at some level, WhatsApp is aware of the actual content being shared by its users while messaging.

Ambiguity in a Privacy Policy is illegal

A part of the problem could simply be that WhatsApp’s new Privacy Policy is too ambiguously drafted. The problem with this is that while WhatsApp may not intend to violate user privacy, there is so much scope of misinterpretation that it can easily do so if it changes its mind. It is for this reason that companies have privacy policies, which spell out their intentions. India’s laws on privacy policies are contained in the Information Technology Personal Data Rules, 2011. Under these rules, it is absolutely essential that a privacy policy contain clear and unambiguous statements of the company’s stance towards privacy. As a result, Whatsapp’s new privacy policy can be considered to be illegal.

WhatsApp needs to clear its stance on privacy

There is a huge contradiction in what WhatsApp is publicly promising its users, and what it is actually doing. The public statements made play a huge role in influencing user opinion on a company’s stance on privacy. Most users will not read the actual terms of the Privacy Policy, and will be misled by the public statements made by WhatsApp. Such claims can therefore easily be construed as false advertisement or misrepresentation.

To avoid this, WhatsApp needs to clear its stance on privacy. Perhaps in reality, WhatsApp is not collecting any more information than it claims to be in its arguments before the Delhi High Court. In that case, Whatsapp needs to redraft its Privacy Policy, and specify that only usernames, contact numbers and contact lists will be collected, and that this information will not be shared with anyone other than Facebook. Alternatively, if Whatsapp intends to collect and share the entire range of information, then it needs to change its public statements and reassurances.

Hopefully, the Delhi High Court will also find these ambiguities and contradictions in the new Privacy Policy, and direct WhatsApp to adopt better privacy practices.

The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.