
Facebook Messenger and WhatsApp: is your data private?

Privacy, data monetization, encryption... here’s what you need to know about those popular apps.

WhatsApp: a delayed update

On January 15, 2021, nearly ten days after the announcement of WhatsApp’s updated terms of use caused an outcry on social networks around the world, WhatsApp posted on its blog: “We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8.”

A new date has been set for updating the terms of use: May 15, 2021.  

This gives users more time to understand how their data is being used by the tech giants WhatsApp and Facebook. We humbly attempted to understand this better ourselves and present the results of our readings in this article.

How is user data secured?

Facebook Messenger 

Facebook Messenger encrypts messages in the same way as WhatsApp, except that the encryption is not activated automatically. To turn it on, you must activate the “secret conversation” mode. Instructions on how to do this can be found here.

WhatsApp 

WhatsApp uses end-to-end encryption to secure user interactions. In a dedicated FAQ, WhatsApp states, “End-to-end encryption ensures only you and the person you’re communicating with, can read or listen to what is sent, and nobody else in between. Not even WhatsApp.”  

This encryption is automatic: no need to activate any settings. Note that the encryption protocol is the Signal protocol (which is open source).  

Are communications private?

Facebook Messenger 

The same data use policy applies to all Facebook products except WhatsApp, which is not listed.  

Facebook states: “We collect the content, communications and other information you provide when you use our Products.” 

Does Facebook have access to Messenger user conversations? The answer is yes, unless they are encrypted.

WhatsApp 

In Europe, WhatsApp’s Privacy Policy is effective as of April 24, 2018.  

Concerning privacy, WhatsApp states: “End-to-end encryption means that your messages are encrypted to protect against us and third parties from reading them.”

WhatsApp also specifies that messages are stored on user devices. Messages are deleted from servers after they are distributed unless they cannot be sent (30 days retention) or when content is considered “popular” (such as repeatedly shared videos).

Does WhatsApp have access to user conversations? The answer is no (except in the exceptional cases mentioned above). 

Is data shared with advertisers? 

Facebook Messenger 

On its site, Messenger specifies that it does not use “the content of your messages with other people for ad targeting, which means advertisers can’t target you based on what you say in messages.”

However, its Data Policy states: “We use the information we have about you - including information about your interests, actions and connections - to select and personalize ads, offers and other sponsored content that we show you.”

It’s therefore not possible to completely rule out that unencrypted communications may be used for marketing purposes. However, it’s essential to specify that the data that Facebook conveys to advertisers is “anonymized,” as explained quite clearly in the screenshot below:

Data transmission between Facebook and advertisers. Source 

WhatsApp 

As part of its Privacy Policy (April 24, 2018), WhatsApp states that it does not allow banner ads from independent third parties on WhatsApp.  

The company also specifies that it permits communication between companies and its users: “We will allow you and third parties, like businesses, to communicate with each other using WhatsApp, such as through order, transaction, and appointment information, delivery and shipping notifications, product and service updates, and marketing.”

To summarize, WhatsApp does not display banner ads but allows companies that a user is already in contact with to offer marketing content through the application.  

To date, do Facebook and WhatsApp use user data for ad targeting? 

This question has raised the most concern among users, and it is also the one we find the most difficult to answer accurately. Here’s what we can tell from reading the content produced by WhatsApp and Facebook. 

In a FAQ page dedicated to the exchanges between the two entities, WhatsApp writes that today, Facebook does not use WhatsApp account information “to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook.”  

This sentence does not, however, exclude that advertisements can be proposed outside of the social network. Further, WhatsApp states it is looking for “ways to build a sustainable business,” including “exploring ways for people and businesses to communicate using WhatsApp.” This exploration leads the company to “include working with the other Facebook Companies to help people find businesses they’re interested in and communicate with via WhatsApp.”

Again, it seems impossible to completely rule out the hypothesis that the two entities exchange data for ad targeting purposes.

Where is user data hosted? 

Both Facebook Messenger and WhatsApp explain that user information is “transferred or transmitted to, or stored and processed in, the United States or other countries,” without mentioning which ones.

Both companies also state that they rely on the adequacy decisions of the European Commission. As the European Commission explains on its website: “The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection. The adoption of an adequacy decision involves a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from representatives of EU countries, the adoption of the decision by the European Commission.”

In other words, Facebook declares that it complies with the EU instructions on data transfer and storage.  

GDPR compliance: Facebook on thin ice 

While it is not our role to judge how Facebook and WhatsApp process user data, we would like to emphasize that understanding the Terms of Use and the various privacy policies remains a complicated process. The use of abstract vocabulary makes the exercise particularly difficult.  

However, as the French Commission for Information Technology and Civil Liberties states on its website, “the GDPR requires complete and accurate information. Transparency allows the people concerned: to know the reason for various data collections concerning them, to understand the processing that will be done with their data, to ensure control of their data by facilitating the exercise of their rights. For data controllers, it contributes to fair data processing and establishes a relationship based on trust with the data subjects.”  

Today, unfortunately, it’s this “relationship based on trust” that Facebook is struggling to rebuild. The firm has until May 15, 2021, to win back its users’ hearts.
