Don’t tech giants already know everything about me, WHAT’S UP with this new policy? What to do next?

MertCan Boyar
Verilogy — Humanizing Privacy
7 min read · Jan 11, 2021

TL;DR

Key takeaways for the recently updated policy are below. Grab a coffee for a deep-dive analysis as we explore how we arrived at where we are right now.

Policy update in a nutshell: Facebook will now be able to access metadata, like who you’ve been talking to and when, but it can’t access your actual conversations. The data Facebook will have access to are: messaging, calling, status, group name, group picture, group description, payments or business features; profile photo, “about” information; whether you are online, your “last seen”, and when you last updated your “about” information.

A summary chart for choosing alternative solutions: Use Signal.

Privacy Protection Comparison Chart

Detailed Analysis

I think the real issue is that too many of us are just too comfortable with the status quo of our information being collected by tech giants in order to know more about us, predict more about us and even know more about us than ourselves and our families.

That’s why people ignore the small changes that happen inch by inch: we keep telling ourselves that tech giants already have every piece of information about us and that we don't have anything to hide. But the scary thing about this boiling frog syndrome is that an Orwellian dystopia, where privacy is truly dead, is not far away. If people do not raise their voices against these small changes, then companies like Facebook will eventually turn surveillance capitalism into the status quo.

How did we get to this point?

As can be seen in the image below, we scanned WhatsApp's updated privacy policy with the Verilogy Privacy UX Tool, and it contains significant updates.

Verilogy Privacy Hub/Whatsapp

The company is making changes to how it processes your data, how businesses can use Facebook services to store their chats, and how it integrates across products.

Purchasing WhatsApp for $19 billion was a game-changer for Facebook. Shortly after Facebook acquired WhatsApp in 2014, state-of-the-art end-to-end encryption was integrated into the messaging app. It is based on the Signal Protocol, an open-source encryption scheme whose source code has been examined and approved by various security researchers.

The security of WhatsApp was questioned after the WhatsApp vs. NSO case, in which WhatsApp was hacked using an Israeli firm’s spyware that facilitated the transmission of what appeared to be legitimate calls to WhatsApp users. In fact, those calls concealed malicious code that could be injected into the memory of the WhatsApp user’s device, even if the user did not answer the call. The victims of NSO’s attack included attorneys, journalists such as Jamal Khashoggi, human-rights activists, political dissidents, diplomats, and other foreign government officials.

So even with the Signal Protocol in place, Facebook wants to do marketing with the WhatsApp data like it does for all its other users. Since then, WhatsApp has been gradually removing privacy from its product.

In 2016, WhatsApp started to change its data-sharing practices. This update was the first hint that alarmed privacy pros about data sharing between WhatsApp and its parent company Facebook.

This change was reflected in the privacy policy as “improving your Facebook ads and products experiences”, for fraud and spam detection, understanding the unique user count between platforms, and enabling “business-to-consumer” communications.

So really, What’s up with this new policy?

This week, WhatsApp users received a pop-up saying that it is updating its terms and privacy policy.

WhatsApp users have time until February 8 to read and agree to the new terms. Failing to do so would lead to WhatsApp deleting your account. WhatsApp’s UI does not offer clear information about what will change and hides mechanisms for opting out, so let’s dive in to see the bigger picture.

Facebook will now be able to access metadata, like who you’ve been talking to and when, but it can’t access your actual conversations. The data Facebook will have access to are: messaging, calling, status, group name, group picture, group description, payments or business features; profile photo, “about” information; whether you are online, your “last seen”, and when you last updated your “about” information.

WhatsApp goes into detail about how it uses and shares the information gathered from WhatsApp with other Facebook products or third parties. This can include users’ device and connection-related data such as hardware model, operating system information, browser information, IP address, and mobile network information, including phone number and device identifiers.

From now on, WhatsApp may send you marketing material about Facebook companies. They will also use your metadata for content suggestions, recommendations, and advertising. The addition of “Facebook Companies” makes it clear that they want to mine the metadata for advertising purposes.

WhatsApp Business users will have more features that allow more third-party apps to read your communications on their behalf.

Here is a list of all the information WhatsApp collects from its users from now on:

  • Purchase history,
  • Coarse location,
  • Other user content,
  • User ID,
  • Device ID,
  • Product interaction,
  • Advertising data,
  • Contacts,
  • Customer support,
  • Email address,
  • Service-related, diagnostic, and performance information,
  • How you use our services,
  • Contacts,
  • Your services settings,
  • How you interact with others using our services (including when you interact with a business),
  • The time, frequency, and duration of your activities and interactions,
  • Log files,
  • Diagnostic, crash, website, and performance logs,
  • Information about when you registered to use our services,
  • The features you use like our messaging, calling, status,
  • Groups (including group name, group picture, group description),
  • Payments or business features;
  • Profile photo,
  • “About” information;
  • Whether you are online,
  • When you last used our services (your “last seen”),
  • When you last updated your “about” information,
  • Hardware model,
  • Operating system information,
  • Battery level,
  • Signal strength,
  • App version,
  • Browser information,
  • Mobile network,
  • Connection information,
  • Phone number,
  • Mobile operator or ISP,
  • Language and time zone,
  • IP address,
  • Device operations information,
  • Unique identifiers,
  • City and country.

What does this change mean for EU citizens?

There are no changes to WhatsApp’s data-sharing practices in Europe arising from this update.

WhatsApp’s director of policy for EU and EMEA shared some further information after the public outcry:

So what do we do now? Should I delete WhatsApp?

Signal and Telegram seem like the best options to go with. I have actually been using Signal for more than a year now, but 90% of my contact list was not using it, so after this event I hope to see more and more of my friends on it and finally ditch WhatsApp.

Privacy Protection Comparison Chart

Signal

Edward Snowden himself uses it, and that should tell you something about the quality of this app.

The team behind the software is a privacy-centered nonprofit funded by grants and donations. Signal is also open source, so the code is transparent to those who would like to take a closer look.

Closed-source applications such as WhatsApp do not reveal their source code, so there is no way you can know what goes on beneath the surface.

The Signal Protocol is currently used by many applications, such as WhatsApp, Skype, and Facebook Messenger.

Signal is widely regarded as the most secure messenger available, including by the EFF, Edward Snowden, and many others.

“Our analysis shows that the cryptographic core of Signal provides useful security properties. These properties, while complex, are encoded in our security model, and which we prove that Signal satisfies under standard cryptographic assumptions. Practically speaking, they imply secrecy and authentication of the message keys which Signal derives, even under a variety of adversarial compromise scenarios such as forward security (and thus “future secrecy”). If used correctly, Signal could achieve a form of post-compromise security, which has substantial advantages over forward secrecy.”

You can check out the security audit for Signal in more detail from here.

Telegram

Telegram is a cloud-based instant messaging app that was launched back in 2013 by Pavel and Nikolai Durov, two Russian brothers who founded social networking platform VK.

The app features a secret chat option with end-to-end encryption, as well as a regular chat variant that is encrypted in the Telegram Cloud.

Telegram is better from a user experience point of view. But Signal is better in terms of encryption/storage.

The Signal app is more secure than Telegram. Although it has end-to-end encryption just like Telegram, Signal has a feature that lets users set a certain time interval for messages to self-destruct. There’s nothing the recipient can say or do about it. Telegram also offers the same feature; however, some users have claimed that they can still see the messages on their phone’s SD card, which means it’s not fully secure.

Telegram, along with most other messengers, leaks metadata about your messages, even if the message itself is end-to-end encrypted.

So, which one is more secure? Well, there is nothing 100% safe in the digital world…

Quantum computers are already here. So, popular messengers and encryption protocols are no longer really secure :)

To learn more about Verilogy, visit our website here: https://www.verilogy.com
