January 28, 2013
Canada, Denmark Accuse WhatsApp Of Violating International Privacy Laws
Michael Harper for redOrbit.com — Your Universe Online
Popular mobile messaging app WhatsApp has just been accused of violating some international privacy laws in joint-yet-separate reports from privacy officials from Canada and Denmark. Though both countries have said that the makers of the app cooperated with their investigations, they were still found to take a relaxed approach when it came to the way they handled their privacy laws.
The issue centers around how the app handles its users´ contact information. When the app is installed on Android, Blackberry, iOS, and other devices, it asks users for permission to look through their contacts to match that user with other WhatsApp users they already know. Unless these devices are running iOS 6, these users are sending their entire address books over the air to WhatsApp servers.
The investigation by Canadian and Dutch officials found that WhatsApp keeps all contact information, whether the data is linked to a WhatsApp user account or not. iOS 6 users, by the way, have the ability to manually add contacts or reject the apps request for access to their contact list.
“Our Office is very proud to mark an important world-first along with our Dutch counterparts, especially in light of today´s increasingly online, mobile and borderless world,” said Jennifer Stoddart, Privacy Commissioner of Canada, in a press statement.
“Both users and non-users should have control over their personal data, and users must be able to freely decide what contact details they wish to share with WhatsApp,” said Jacob Kohnstamm, chairman of the Dutch Data Protection Authority.
WhatsApp has reportedly taken the recommendations of these two governments to heart and have made some changes following this investigation. Although some of these issues have been resolved, the Office of the Privacy Commissioner of Canada says there are still some issues which need to be addressed.
For instance, the Canadian officials claim WhatsApp continues to keep the data of non-users, albeit in a hashed format. The investigation also found that messages sent via WhatsApp were sent in an unencrypted format. This means the messages were vulnerable to eavesdropping, particularly if sent via an unsecured Wi-Fi network. The investigation also found that the passwords generated to exchange messages also used information specific to the devices used to exchange said messages. Should these passwords have been leaked, cyber miscreants could have sent and received messages using another user´s name without their knowledge.
In response to these investigations, WhatsApp has begun using encryption to prevent any intercepting or eavesdropping on their platform. According to the Canadian report, WhatsApp has also “strengthened its authentication process in the latest version of its app, using a more secure randomly generated key instead of generating passwords from MAC (Media Access Control) or IMEI (International Mobile Station Equipment Identity) numbers (which uniquely identify each device on a network) to generate passwords for device to application message exchanges.”
The report encourages any user of the app to update to the latest version in order to benefit from these security upgrades.
The Office of the Privacy Commissioner of Canada does not have the authority to make any orders against the company, but has said they´ll be monitoring the app closely in the future. The Dutch Data Protection Agency, on the other hand, is still deciding if they should carry the investigation further and press charges against WhatsApp.