WhatsApp is one of the five most popular apps in the world. Last year it found itself in the firing line of a joint investigation by both the Canadian and Dutch data protection authorities following technology blog reports that its security measures were somewhat lacking. We digest the Dutch authorities' investigation report, published late last month, and tease out the lessons for all app developers.
I've never used WhatsApp. What is it?
In case you've never come across WhatsApp, it is a substitute for SMS / text messaging. In essence it enables free communications between users without incurring the kind of per-message charges that can be racked up under non-inclusive mobile tariffs. A user just has to make sure his/her data plan is sufficient to cover the information being exchanged. Depending on the smartphone used, the app is either free to begin with, after which you have to buy a cheap subscription package, or you pay a small amount for the app itself.
WhatsApp is headquartered in California, where all its servers are based. It is not signed up to the US Safe Harbor self-certification regime, so has not privately undertaken to co-operate with EU authorities on data protection matters, one of the core tenets of the Safe Harbor regime.
WhatsApp's success can only really be summed up in superlatives, of which there are too many to list. Suffice it to say that as of last week, it was the most popular paid app for the iPhone and iPad in Canada, and (according to the Dutch data protection authorities) it is so popular in Holland that last year it entered the Dutch dictionary as a verb - "whatsappen" - to WhatsApp!
So WhatsApp-ened to WhatsApp?
From the Dutch point of view, both quite a lot and not very much at all.
The Dutch data protection authorities have spent the better part of a year investigating WhatsApp and pulled it up in their definitive report for breaching Dutch data protection law in a number of areas. As a result, WhatsApp is also indirectly in breach of the EU Data Protection Directive which underpins all EU Member States' data protection regimes.
The Dutch authorities have so far not taken any substantive action against WhatsApp though. According to their definitive report, WhatsApp have made some noises about addressing the issues raised in future developments, but not given any specific dates. The Dutch authorities seem to tacitly criticise this stance in their definitive report, but have otherwise left matters as they are for the time being.
They have reserved their position though. In the words of their recent press statement, "Following investigation, the Dutch Data Protection Act provides for a second phase in which [they] will examine whether the breaches of law continue and will decide whether it will take further enforcement actions. The Dutch legal framework contains the possibility to enforce the Dutch privacy law by imposing sanctions."
Lessons for all app developers to take away.
Before digesting the lessons, from a UK perspective it is worth remembering that:
- Although Dutch and UK data protection laws have the same origins in the EU's current Data Protection Directive, in practice the way in which that Directive is interpreted and applied in each EU Member State does typically differ.
- The UK regime is generally held up as being more permissive than that of its European neighbours, in particular Germany; the Dutch regime is probably somewhere in the middle.
- As a result, what occurs in one Member State will not necessarily be repeated in another Member State. Nonetheless, we can draw parallels.
There are quite a few lessons in our view, all listed below.
- The scope of "personal data" is very wide, far wider than the US concept of “personally identifiable information” or “PII”. We have previously blogged on this topic, but it is worth keeping in mind. The Dutch authorities have applied long-standing EU guidance to this effect in their investigation. Amongst other things, they have confirmed that the following types of data all constitute personal data: mobile phone numbers, unique customer IDs, unique device IDs, user push IDs, user profile names, user status updates and the contents of user messages.
- In-app authentication has to be genuinely secure. WhatsApp automatically generated usernames and passwords for each user so that their device could be identified and authenticated on WhatsApp's systems. However, WhatsApp used the device's IMEI number or Wi-Fi MAC address to generate those passwords, and both identifiers are relatively easy to obtain, for example through snooping on Wi-Fi networks. As a result, the Dutch authorities felt it was unduly easy for someone to potentially hijack a WhatsApp user account. (One commentator referred to this being "shockingly easy".) There was no means for a user to strengthen a password, or replace it if compromised. WhatsApp therefore fell foul of the EU Data Protection Directive's requirements on security.
- A security fix for some users is not a job well done. During the course of the Dutch authorities' investigation, WhatsApp fixed the password security issue for active users of its app. Active users are forced to keep up to date with new releases, in which the appropriate fixes were introduced. Inactive users are in a state of limbo though. Because they are not using the app, they cannot be forced to update to the latest release, and in the meantime their vulnerability remains. This constitutes an ongoing breach of the EU Data Protection Directive's security requirements in the eyes of the Dutch authorities.
- Data has to be encrypted in flight, period. WhatsApp introduced this in May 2012 in response to the Dutch authorities' findings. It did not exist previously.
- Hashed data has to be properly hashed. If you still hold the key to the hash, or could find it out relatively easily, the underlying data is not effectively anonymised, is still therefore “personal data” and subject to regulation. WhatsApp fell foul of this point in hashing and then permanently storing each user’s contacts, whether or not those contacts were actually in the WhatsApp network.
- App access to user data on a device must only be with consent. WhatsApp accesses a user's full address book to see if their contacts are already using WhatsApp and to enable them to get in touch. User consent is required to do so, and this was not built into the functionality of the app (something that is now partially cured by Apple's new, if somewhat broad-brush, controls in iOS 6). WhatsApp argued consent was implicit from a user downloading the app, but this did not wash with the Dutch authorities for non-users (although it does seem to have done for users themselves).
- The new cookies laws apply to apps! Point 6 above in part comes from the "new cookies laws" which have had so much press attention in recent times. The label "new cookies laws" is actually horribly misleading. The rule has far broader application, and actually requires (in layman's terms) user consent to any computer program (apps included) placing or accessing any information on a user's device. Cookies are just the tip of the iceberg. Helpfully, in the UK the Information Commissioner's Office has not really flagged up the full scope of this regulation in its guidance.
- Beware the use of non-user data. As mentioned above, WhatsApp pulled all phone numbers from each user's contacts into their own servers and hashed them. They then stored them indefinitely for future matching purposes. The catch was that the hashing was ineffective, so in law they were retaining and using the personal data – the phone numbers – of non-users on an ongoing basis. To do so lawfully, WhatsApp had to either obtain the individual's consent, or establish that such use was in accordance with WhatsApp's "legitimate business interests" and didn't unduly prejudice the privacy rights of the individuals concerned (these are both requirements of the first principle of the EU Data Protection Directive). WhatsApp didn't meet either of these criteria. Obviously consent had not been obtained from the non-users. The Dutch authorities also felt that WhatsApp's use was not objectively "legitimate". It would have been ok had WhatsApp restricted themselves to temporarily accessing the numbers to see who in the WhatsApp community was known to a new user (a compare and forget exercise). It would have also been ok if WhatsApp had properly hashed the non-user data so it was truly anonymous. As it was, WhatsApp had gone far further, and were therefore in breach.
- Give people choice over what data you collect. The EU Data Protection Directive has a proportionality element to it; in broad terms you are not allowed to use data which is excessive for the purpose for which it is intended. WhatsApp fell foul of this requirement. The Dutch authorities felt that whilst it was in principle ok for WhatsApp to collect and store details from a new user's contacts about people already using WhatsApp, so that the new user could get in touch, it was not proportionate for WhatsApp to assume the new user automatically wanted to get in touch with all of their contacts using the app. WhatsApp should have given new users the option to upload just some of their contacts initially, and add to them over time.
- Status messages are personal data. We touched upon this point above, but it is worth considering in a bit more depth because status messages have some specific nuances. In WhatsApp a user can tailor his/her status message to whatever they want. This message is then broadcast to all users. On the facts the Dutch authorities felt this was reasonably well understood, not least once WhatsApp changed their terms and conditions to make this point very clear. Since a user had to actively create his/her own message, the authorities also felt a user's consent to WhatsApp broadcasting that message was self-evident. That said, they also felt best practice would be to present a user with a notice on changing his/her status message to highlight the fact that it would be available to all WhatsApp users; the reason being that a user could change his/her status to something sensitive in ignorance (not unlike recent, well-publicised problems with impulse Tweets). The Dutch authorities also seemed to criticise the fact that a user could not restrict such messages to their own contacts rather than all users.
- You can't cling to personal data forever. The EU Data Protection Directive says that personal data can only be retained for as long as is necessary for the purpose for which it was obtained. WhatsApp breached this requirement in a couple of ways. Firstly, there was the ineffectively hashed non-user data which was being kept forever (as mentioned above). Secondly, WhatsApp hung on to inactive user data for 1-2 years (depending on the circumstances) after the user's account expired. They made no attempt to flag this issue to a user. WhatsApp attempted to justify this position on the basis that they needed the data for account continuity in case the user came back, but the Dutch authorities gave this short shrift; in their view WhatsApp could have simply informed inactive users their data would be deleted if their account was not used / renewed, given a period of notice, and after that period, deleted the data (or presumably, properly anonymised it). There was simply no need to store the data for inactive users for the timescales claimed by WhatsApp.
- Being 100% based in the US has not insulated WhatsApp. Interestingly, the Dutch authorities have used the location of a Dutch user's smartphone in the Netherlands to claim jurisdiction. Without delving into the underlying law too much, their logic is based on the fact that mobile apps obviously process users' personal data via the device on which they are installed. To the casual reader, this position arguably stretches the reach of the EU Data Protection Directive to its limits. It certainly means that no app which is globally available for download is likely to escape the EU's jurisdiction. That said, this position is consistent with the interpretation given by the EU's overarching data protection guidance body, the Article 29 Working Party. Whether a court would take the same view remains to be seen. From a practical point of view it will be interesting to see how the Dutch authorities react if WhatsApp don't respond to the issues they have flagged. At present there is no immediate means for the Dutch authorities to enforce any penalty against WhatsApp in the US. That said, WhatsApp have a global brand to protect, so arguably cannot afford to be seen to act with impunity. Furthermore, the more digging the Dutch authorities do, the greater the chance of them sparking US regulator interest, and the US authorities can have real bite.
- Even if you are not based in the EU, you might need an EU representative. It is not widely known, but technically, if your organisation is not based in the EU but processes personal data in such a way that you are caught by the EU Data Protection Directive (as was the case for WhatsApp) you are meant to have appointed a representative in the EU. That representative is then the go-to organisation for the purposes of regulatory enquiries. Needless to say WhatsApp had not complied with this little-known obligation, compounding their breaches.
- Watch your back! Just giving potential cause for investigation can be expensive. WhatsApp have been presented with at least 2 questionnaires by the Dutch and Canadian authorities. These have not been made public but it should be self-evident from the conclusions above that they went into a lot of detail. As such they will have been complex to complete, probably gone through their board and necessitated legal review. WhatsApp now also have a series of additional developments to bring on stream to solve the issues flagged, or potentially face regulatory sanction. All these actions will have not inconsiderable time, effort and cost implications to them. In addition, WhatsApp's brand has arguably been sullied by global press coverage; whether or not this impacts on their extensive global user base remains to be seen.
- This is not a simple or easy regime to navigate! As should be clear from our comments above, data protection compliance requires detailed consideration at each step of the application design process. With the advent of agile development techniques, this can pose quite a challenge. Do you need a privacy expert on board from the outset? Food for thought.
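The hashing points above (that a hash of a phone number is only pseudonymous if the key is held or the input space is small, and that a "compare and forget" match is the proportionate alternative to storing hashed non-user numbers) are easier to see in code. The following is an added illustration written for this article, not WhatsApp's code and not the Dutch authorities' analysis: the number range, the server key and the sample address books are all constructed, and the number range is deliberately tiny so the enumeration finishes instantly. Real phone numbers are a few billion values, which is still a small enough space for the same enumeration to work.

```python
import hashlib
import hmac

# Constructed sample number space: a fixed prefix followed by three digits.
# The point being made is that phone numbers have very little entropy, so
# every candidate can be hashed and compared in a loop.
PREFIX = "+31600000"  # constructed, not a real allocation
CANDIDATES = [f"{PREFIX}{i:03d}" for i in range(1000)]


def plain_hash(number: str) -> str:
    """Unkeyed SHA-256 of a phone number. Deterministic and public, so it is
    a pseudonym, not anonymisation."""
    return hashlib.sha256(number.encode()).hexdigest()


def invert_plain_hash(digest: str, candidates=CANDIDATES):
    """Recover the number behind an unkeyed hash by hashing each candidate.
    Succeeds whenever the true number is in the candidate space, which for
    phone numbers it always is. Stored hashes of this kind therefore remain
    personal data."""
    for number in candidates:
        if plain_hash(number) == digest:
            return number
    return None


def keyed_hash(number: str, key: bytes) -> str:
    """HMAC-SHA256 of a phone number under a server-held key (constructed)."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def invert_keyed_hash(digest: str, key: bytes, candidates=CANDIDATES):
    """Whoever holds the key can re-identify a keyed hash by the same
    enumeration, so keyed hashing does not anonymise data for the key holder.
    Without the key the enumeration fails and returns None."""
    for number in candidates:
        if hmac.compare_digest(keyed_hash(number, key), digest):
            return number
    return None


def process_address_book(user_id: str, uploaded_contacts, registered_numbers):
    """Compare-and-forget matching. Only contacts that are already registered
    users are kept as the uploading user's contact list; numbers belonging to
    non-users are neither stored nor hashed-and-stored, they are simply not
    referenced once this function returns."""
    registered = set(registered_numbers)
    matches = sorted(c for c in uploaded_contacts if c in registered)
    return {"user": user_id, "contacts": matches}


if __name__ == "__main__":
    digest = plain_hash("+31600000042")
    print("unkeyed hash recovered:", invert_plain_hash(digest))
    key = b"constructed-server-key"
    print("keyed hash recovered with key:",
          invert_keyed_hash(keyed_hash("+31600000007", key), key))
    print("keyed hash recovered without key:",
          invert_keyed_hash(keyed_hash("+31600000007", key), b"wrong-key"))
    print(process_address_book(
        "user-1",
        ["+31600000001", "+31600000002", "+31600000999"],  # constructed upload
        ["+31600000002", "+31600000500"],                  # constructed user base
    ))
```

The two inversion functions are the check a practitioner would run before calling a stored hash "anonymous": if the input space can be enumerated and either no key or a key you hold is involved, the data is still personal data and the retention rules in the article apply to it. `process_address_book` is the proportionate shape the Dutch authorities described: match against the user base, keep the matches, and never persist anything about the non-users.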
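The authentication lesson above turns on two properties the Dutch authorities found missing: a device credential must not be derivable from identifiers other people can observe (IMEI, Wi-Fi MAC address), and the user must be able to replace it. The following is an added sketch of a server-side credential store with those properties, written for this article; it is an assumed design, not WhatsApp's code or its fix, and the device names in the usage are constructed.

```python
import hashlib
import hmac
import secrets

# Work factor for the at-rest hash of each credential (assumed value).
PBKDF2_ROUNDS = 100_000


class DeviceCredentialStore:
    """Issues and checks per-device secrets for a messaging service.

    Secrets are generated from the OS random source, so they carry no
    relationship to IMEI, MAC address or any other observable identifier.
    They are stored only as salted PBKDF2 digests and can be rotated, which
    gives the user a way to replace a compromised credential.
    """

    def __init__(self):
        self._records = {}  # device_id -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(salt: bytes, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, device_id: str) -> str:
        """Create a fresh 256-bit random secret for a device. The clear-text
        secret is returned exactly once for the device to keep; the server
        keeps only its salted digest."""
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._records[device_id] = (salt, self._digest(salt, secret))
        return secret

    def verify(self, device_id: str, secret: str) -> bool:
        """Constant-time comparison of the presented secret's digest against
        the stored one. Unknown devices simply fail."""
        record = self._records.get(device_id)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(salt, secret))

    def rotate(self, device_id: str) -> str:
        """Replace an existing credential, for example when the user suspects
        compromise. The previous secret stops verifying immediately."""
        if device_id not in self._records:
            raise KeyError(device_id)
        return self.issue(device_id)

    def stores_cleartext(self, device_id: str, secret: str) -> bool:
        """Check that the clear secret never appears in what is stored."""
        salt, digest = self._records[device_id]
        return secret.encode() in salt + digest


if __name__ == "__main__":
    store = DeviceCredentialStore()
    first = store.issue("device-A")  # constructed device id
    print("verifies:", store.verify("device-A", first))
    replaced = store.rotate("device-A")
    print("old secret after rotation:", store.verify("device-A", first))
    print("new secret after rotation:", store.verify("device-A", replaced))
```

The contrast with the scheme criticised in the article is that nothing an observer can learn about the handset helps them compute the secret, a leaked database yields only salted digests, and `rotate` gives the user the replacement path that was missing.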