The TLDR: Over the past week, WhatsApp users were greeted with an ominous message that asked them to accept the company’s updated privacy policy—or lose access to the app after February 8. The language of the updated terms of service was vague and ominous—prompting widespread anxiety and rising download numbers for Signal and Telegram. The company has now ‘clarified’ its new policy, but worries still remain—perhaps because no one trusts any company owned by Mark Zuckerberg.

First, tell me what is still safe

Here’s what’s absolutely safe:

Your messages: which are still protected by end-to-end encryption. No one can read them or listen into your WhatsApp calls. The company does not keep logs of your conversations either. You can also choose to make your messages disappear after a certain period of time (see how to do it here).

Your media: Be it funny viral vids to friends & fam or sexy pics to your bae, WhatsApp stores these temporarily on its servers to make it faster to forward. But these are encrypted and not visible to the company and are deleted very quickly. In the end, that media only exists on your phone and that of the receiver.

Your group chats: are every bit as protected as your one-to-one conversations.

Here’s what is still fuzzy:

Your location: Any location information you share via a message is encrypted, as WhatsApp points out in its clarification:

“When you share your location with someone on WhatsApp, your location is protected by end-to-end encryption, which means no one can see your location except the people you share it with.”

But the updated privacy policy also says this:

“We collect and use precise location information from your device with your permission when you choose to use location-related features, like when you decide to share your location with your contacts or view locations nearby or locations others have shared with you… Even if you do not use our location-related features, we use IP addresses and other information like phone number area codes to estimate your general location (e.g., city and country). We also use your location information for diagnostics and troubleshooting purposes.”

So we’re going to file this one under ‘unclear’.  

Your contacts: The clarification insists:

“We don’t share your contacts with Facebook: When you give us permission, we access only the phone numbers from your address book to make messaging fast and reliable, and we don’t share your contacts lists with the other apps Facebook offers.”

But its privacy policy makes it clear that WhatsApp does have access to your contacts—you’re usually prompted to do this when you start using the app. It’s just not sharing that information with Facebook companies… as yet.

So what is it sharing with Facebook then?

Here’s a short list:

• Phone number and other personal information you provide when you sign up. Example: name.
• Information about your phone, including make, model, and mobile company.
• Your internet protocol (IP) addresses, which indicates your location.
• Any payments and financial transactions made over WhatsApp.

So that’s okay then…

Yes, as long as you stay away from any kind of business communication on WhatsApp. Because then everything you share can be passed along to various third parties, including Facebook. As the clarification makes clear:

“But whether you communicate with a business by phone, email, or WhatsApp, it can see what you’re saying and may use that information for its own marketing purposes, which may include advertising on Facebook.”

The privacy policy makes this crystal clear:

"Businesses you interact with using our Services may provide us with information about their interactions with you… When you message with a business on WhatsApp, keep in mind that the content you share may be visible to several people in that business. In addition, some businesses might be working with third-party service providers (which may include Facebook) to help manage their communications with their customers. For example, a business may give such third-party service provider access to its communications to send, store, read, manage, or otherwise process them for the business.”

The last is key because Facebook is incentivizing businesses by offering them hosting services to manage their WhatsApp communications with their customers.

Point to note: Back in 2016, WhatsApp users had a small window when they could opt out of sharing any information with Facebook. Those who did are still entirely safe—as the rest of us do not have that option any more.

And it will use this information to do what?

To target you with ads on other platforms like Facebook and Instagram. Almost all of Facebook’s $21.5 billion in revenue in the third quarter of 2020 came from ads. Point to note: There is no plan to serve ads directly on WhatsApp as yet. And Facebook can also then share that information with other third parties/businesses.

What’s still unclear: Are businesses that use WhatsApp incentivised or even tacitly forced to share their user data with Facebook?

Point to note: WhatsApp payments are a core component of Reliance’s partnership with Facebook. The big plan is to use WhatsApp to create a retail juggernaut—and Mukesh-bhai has already made clear that he has zero investment in end-to-end encryption or any other kind of customer privacy. (we explained this partnership here)

This sounds like any other Indian company…

True. Privacy laws are shockingly weak in India since we do not have a data protection law in place. It has been languishing in Parliament for the past two years. As one policy expert points out:

"Section 5 of the Personal Data Protection Bill… says that you can only use the information for purposes that are reasonably linked to the purpose for which the information was given. If that section was there, then this (the new update in WhatsApp’s privacy policy) would have been illegal.”

Many standard business practices in India—which includes blithely demanding and then selling your personal information to third parties—would be illegal as well. Meanwhile, a Parliamentary panel headed by Shashi Tharoor plans to summon WhatsApp to explain its new privacy policy.

(FYI: As we state in our welcome email, we absolutely DO NOT sell or give access to our subscribers personal information to any third party. We don’t use it to target you with bs promotions or ads either. We make our money from your subscriptions! So please refer us far and wide lol!)

Point to note: The updated policy does not apply to Europe and the UK because of its strict privacy laws. WhatsApp users in that part of the world have the right to “access, rectify, port, and erase your information, as well as the right to restrict and object to certain processing of your information.”

So should I move to Signal or Telegram?

Well, many people certainly are—or at least downloading one or more of those apps as a backup. Both have seen a huge surge in users over the past week:

“According to data from analytics firm Sensor Tower, Signal was downloaded globally 246,000 times the week before WhatsApp announced the change on 4 January, and 8.8 million times the week after. This included big surges in India, where downloads went from 12,000 to 2.7 million, the UK (from 7,400 to 191,000) and the US (63,000 to 1.1 million).”

Telegram—which is currently No. 2 behind Signal on the App Store—saw more than 25 million users sign up in just the last 72 hours.

CEO exodus: Top execs across the world—including India—are moving themselves and their staff to Signal. And that includes Elon Musk—who tweeted out his preference, giving the Mumbai police a perfect opportunity to showcase their cheeky humour.

The bottomline: is best summed up by The Verge:

“...Facebook must contend with [the fact] that the lack of trust in WhatsApp is directly related to years of bad faith privacy pledges from Facebook and increasingly complex terms of service agreements no regular, non-lawyer user can reasonably comprehend… Now, Facebook and WhatsApp face a long road of transparent communication and trust-building ahead if they want to get those people back.”

Reading List

Bloomberg News and Indian Express offer a quick overview of the new rules. Mashable breaks down the company’s clarification in detail. The Verge lays out why Facebook’s latest controversy is well-deserved. Business Standard has a brief primer on end-to-end encryption. The Hindu has a good op-ed linking the controversy to lack of data protection laws in India. Also read: the privacy policy and clarification.