- Practical difficulties also exist when policies are not available in the local language
- When we consider data collection and use, not all data collection including meta-data is something that we should be worried about
- Informed consent is when users are able to read through the policy and understand what is required within that particular policy or the ToS
Communication today is just a WhatsApp message away. With social media dominating a greater part of our lives, many of us have made it a daily ritual to update our status on Facebook or Twitter, post a story on Instagram and keep up with the trends. WhatsApp and other instant messaging applications too have made life easier; sometimes replacing emails when sharing documents, photos and the like. However, a recent policy update on WhatsApp raised concerns among digital media activists, who claimed that a third-party will now have access to personal communication threads. This also raises a question on whether we are fully aware of our privacy rights when using these applications.
Latest policy update for WhatsApp business accounts
“WhatsApp was designed to be simple, working on a low bandwidth so that it’s reliable and the core of it is privacy,” said Clair Deevy, WhatsApp Director for Public Policy in the Asia Pacific Region at a webinar organised by the Sri Lanka Press Institute. “Therefore it’s secured with end-to-end encryption and therefore WhatsApp and other third parties cannot see your messages and we use the same encryption protocol on Signal.
“However there are three different versions of WhatsApp which people most often get confused with. The WhatsApp consumer app is what most people are familiar with – then there’s a WhatsApp business app which could also be downloaded for free, but has more features such as automatic replies, being able to put business information, location and other information to promote the business. The third app is the WhatsApp Business API used by airlines for example to send boarding pass updates, used for one-time passwords, during COVID we had a number of governments who set up informational apps where people could login and have a chat book function where people could get information. Our research statistics suggest that more people want to message with businesses on WhatsApp and over 175 million people are already messaging with businesses every single day on WhatsApp,” she added.
She said therefore, the App has been made more transparent when you communicate with business and how that business may use your data. “If a business chooses to host their data on Facebook, you will get a notification to say that this business uses Facebook to manage its WhatsApp conversations. When Facebook is acting in this capacity as a cloud or a hosting service, we will have access to messages between the users, but we can only process them on behalf and on the instructions of the business. This is an industry practice when you’re a hosting service. We cannot use these messages automatically to inform ads that the user sees and anyone who gets these notifications.” added Ms. Deevy.
Shedding light on the security aspect, she suggested that all users have a two-step verification. “This allows a second level of security and it’s one of the strongest things you could do by setting up the number to prevent your account being taken over by people or hackers. Secondly, we have added a function that allows you to have more control over who adds you to groups. So there’s an option of whether anyone could add you to a group or as only someone in your contacts who can add you? Reporting tools set us apart from some app predators and this is one of the reasons why we actually collect some of the data that we have. If something happens on WhatsApp against their terms of service if it is sending inappropriate information, scamming or spamming you have the ability to report and block. When you send us a report, about the equivalent of a screenshot, the last few messages you have, it would help us to take action on what has happened to you on WhatsApp. We think that it is important from an integrity point of view to have the ability to do this, to maintain that messages are end-to-end encrypted and this is the best way that we can do that,” she said.
The legal perspective
Sharing her thoughts on the threat to privacy when using instant messaging applications, Ashvini Natesan-Weerabahu, legal consultant, researcher and lecturer in information technology, media and telecommunications law said privacy could be understood as having access to some of our personal data and also meta-data through which it is possible for the entity that is providing us service to perhaps see certain information and at the same time they also can share it with a few other entities. So the questions in relation to privacy in an instant messaging application include what data are being collected, how secure is my communication, to whom and what are the entities to which my data could be shared and what are the purposes for which the data could be used?” explained Natesan-Weerabahu.
She said that informed consent is when users are able to read through the policy and understand what is required within that particular policy or the ToS. “But many of us haven’t read all the policies although we have accepted them. You may say there is a lot of legal jargon involved, but many policies tend to be very simple for us to read. So the real reason of not being able to read is the time. We see many policies on a daily basis, so we may not be reading the entire text. Practical difficulties also exist when policies are not available in the local language. This jeopardizes informed consent.
Watch where your phone came from
In Sri Lanka, mobile phone connectivity exceeds that of the population. “Out of them, 65-70% are smartphones which people have been using with messaging applications such as WhatsApp,” said Indika De Silva, Huawei Technologies Lanka Co-Vice President, Enterprise Business Group. “When buying a device in Sri Lanka there’s a sticker saying TRC approved or TRCSL approved. This means that device is legally imported into the country and the specifications of the country have been met. But your security can be compromised in devices that are smuggled in because you don’t know the standards with which they are being made and what are in those devices. After you take devices you need to ensure that it’s protected with passwords etc. When you download unknown data somebody can break in and get your information. When you download anything there’s a privacy acceptance. Many of us don’t read what they are, but we blindly accept them or click yes. When you do that you’re giving access to things that you shouldn’t be giving. So you expose yourself by yourself without checking all those parameters. We need to decide on what groups we should get in and what groups we shouldn’t. We need to think of the equation of protecting ourselves. From a country point of view a few institutes such as Sri Lanka Cert, TRC, ICTA are in the final stages of drafting the data protection law. With those legislations coming in we will get more stringent laws with our ecosystem,” said Mr. De Silva.