WhatsApp’s New Privacy Policy: What it is and what it isn’t!
A viral piece of “news” was circulated widely in January, 2021 about WhatsApp’s new privacy policy, prompting questions about the App’s security. Some critics claim that WhatsApp now plans to share user data and private conversations with its parent company, Facebook. Others claimed that WhatsApp removed the app’s critical end-to- end encryption feature from conversations between two people or in a group. Our TibCERT team delved deeper and have concluded that these claims misrepresent WhatsApp’s policy change.
First and foremost, TibCERT recommends using Signal for truly secure communication as it not only provides end-to-end encryption but is open-source, which means that all of Signal’s code is made public, allowing us to verify how Signal is built. At the same time, Signal doesn’t store any personal data apart from your phone number, and it is “built to protect” based on the Privacy by Design Principle. Many WhatsApps users have transitioned to communication apps like Signal, Telegram, and others. But, we know there are also many reasons people continue to use WhatsApp for ease of communicating with family and friends. And, if you’re using WhatsApp instead of Wechat for communication (in countries where WhatsApp is accessible) then half the battle is already won!
When it comes to secure communication, WhatsApp is an important step in the right direction. This is why we’re explaining what you really need to know about WhatsApp’s changes. Also, at the end of the post, we highlight important steps that can make your WhatsApp account even more secure – don’t forget to check these out!
So, what are the real changes you should know about to WhatsApp’s privacy policy?
Initially, starting as of Feb 8, 2021, and currently as of May 15, 2021, WhatsApp users will have to agree to a new set of terms and conditions about how their personal information is shared with Facebook. Users must accept the new terms otherwise they will no longer be able to use WhatsApp. Since the move triggered an outcry from users, WhatsApp clarified some rumours about its privacy policy in its FAQ section. The company clarified that there have been no changes to the end-to-end encryption feature, meaning not even WhatsApp can access your personal messages, let alone Facebook. Below is a screenshot of WhatsApp’s clarification regarding its encryption feature.
WhatsApp also tweeted a clarification regarding the rumours about it removing its end-to-end encryption feature. A screenshot of the official WhatsApp tweet is shown below.
Regarding the claim that this new policy allows WhatsApp to share its user data with Facebook, this is partly true. However, it is only true if you are using a WhatsApp business account. In the latest WhatsApp Privacy Policy, under “Key Updates,” it is mentioned that there are “New ways to use WhatsApp,” which include business services now offered by WhatsApp. These services include order processing, transaction, and appointment information, delivery and shipping notifications, product and service updates, and marketing. Under “The choices you have,” it is mentioned that an existing user can choose not to have their WhatsApp account information shared with Facebook. The screen shot of the statement is mentioned below.
Furthermore, it is relevant to note that in 2016, WhatsApp did exactly what people are claiming it is doing now – share your WhatsApp account details with Facebook. As noted by Wired.com: when WhatsApp launched a major update to its privacy policy in August 2016, it started sharing user information and metadata with Facebook. A screenshot of the 2016 major privacy policy update is mentioned below.
In a nutshell, the only thing that really has changed in the new WhatsApp privacy policy is that, only when you use business, products, and advertising services by WhatsApp, it shares your WhatsApp account information with Facebook. The screenshot below shows how a WhatsApp business account can use Facebook to manage its conversations.
In conclusion: It’s encouraging to see the notifications pop up on my phone letting me know that many of my contacts have started using Signal. However, the reality is that many of us are still using WhatsApp and will probably continue to use WhatsApp. On top of end-to-end encryption (which is default in the app), there are few additional steps that one can take to enhance security on WhatsApp.
Step 1: Enable 2-step verification. This will make sure that even if someone gets access to your phone number, they are not able to register a fake WhatsApp account using your phone number.
Step 2: Privacy Setting. You can make sure that only contacts can see “Last Seen”, “Profile Photo”, “Live Location” and to enable “Screen Lock” too.
Step 3: Turn off Chat Backup: You can turn off the setting that backs up your Chats (on Icloud on an iphone or Google Drive on an Android) because backing up chats removes end-to-end encryption when it is stored externally.
Step 4: Secure your photos: Change your settings so that your photos are not saved to your phone’s photo gallery/Camera Roll and other apps are unable to access it . This will ensure media files such as photo or video are also end-to-end encrypted.