Out-Law News

Privacy watchdogs identify problems with WhatsApp's data anonymisation measures


WhatsApp breached Dutch and Canadian privacy laws by collecting contact information about individuals who do not use the communication platform and then failing to delete that information, data protection regulators have said.

The Office of the Privacy Commissioner of Canada (OPCC) and the Dutch Data Protection Authority (CBP) said they had found faults with the way WhatsApp had treated information about “non-users” after the company had been given permission by subscribers to access their entire address books.

WhatsApp uses the information in users' address books to "facilitate contact" between those users and people they know who also use the app. However, the privacy watchdogs found that the app provider failed to delete the information relating to "non-users" and that the data anonymisation techniques it applied instead were not sufficiently effective.

"In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list," the OPCC and CBP said in a joint statement. "Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users." 

"Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically," it said.

WhatsApp did take steps to anonymise non-users' personal data, but the watchdogs said that the measures taken were insufficient. Investigators had used "simple test programs" to convert the hashed numbers back into personal data form.

"We found that WhatsApp's treatment of out-of-network numbers was not an effective form of anonymisation," according to the watchdogs' report. "True anonymity is only achieved where information can never be linked to an individual, either directly or indirectly. In our view, WhatsApp's use of all digits in an out-of-network phone number, coupled with a fixed salt value for the hash function, does not result in a true anonymisation of out-of-network numbers. This is because the number could be recovered, with a modest amount of computing effort, if the out-of-network number database and salt value were breached."
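The weakness the report describes can be measured on constructed data: how many phone numbers remain consistent with one stored hash. This added example is not from the report or from WhatsApp's code; the hash function (SHA-256), the salt, the sample number and the hash rate are assumptions, since the article names none of them, and dropping trailing digits is shown only as the contrast to "all digits".

```python
import hashlib

FIXED_SALT = b"constructed-salt"  # constructed value, identical for every record


def pseudonymise(number, drop_last=0):
    """Hash a phone number with the fixed salt (SHA-256 is an assumption).

    drop_last=0 hashes all digits; drop_last=k discards the last k digits
    first, so 10**k numbers share one stored value.
    """
    kept = number[:len(number) - drop_last]
    return hashlib.sha256(FIXED_SALT + kept.encode()).hexdigest()


def anonymity_set(stored, prefix, width, drop_last=0):
    """Return every number prefix+suffix that is consistent with a stored hash.

    A result of length 1 means the record identifies exactly one number,
    i.e. the hashing step provided no anonymisation within this range.
    """
    numbers = (f"{prefix}{i:0{width}d}" for i in range(10 ** width))
    return [n for n in numbers if pseudonymise(n, drop_last) == stored]


def keyspace_seconds(digits, hashes_per_second):
    """Time to hash every number of the given length at an assumed rate."""
    return 10 ** digits / hashes_per_second


if __name__ == "__main__":
    sample = "+15550104321"          # constructed number
    prefix, width = "+1555010", 4    # constructed 10,000-number block

    full = anonymity_set(pseudonymise(sample), prefix, width)
    print("all digits, fixed salt:", len(full), "candidate(s)")

    coarse = anonymity_set(pseudonymise(sample, 2), prefix, width, drop_last=2)
    print("last 2 digits dropped:", len(coarse), "candidate(s)")

    # The rate is an assumed figure for illustration, not a measurement.
    print("10-digit keyspace at 1e6 hashes/s:",
          keyspace_seconds(10, 1e6), "seconds")
```

Because the salt is the same for every record, the work of hashing the number space is done once and applies to the whole database, which is why the report treats a breach of the database together with the salt as sufficient for recovery.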

WhatsApp has said that it will eventually give users the chance to manually add contacts to their WhatsApp address book to overcome the problem, according to the watchdogs.

The joint investigation also revealed that security measures WhatsApp had put in place to protect the privacy of messages communicated over its network were susceptible to being breached. The watchdogs said that WhatsApp has taken action to address those concerns, although Jacob Kohnstamm, chairman of the CBP, said that the bodies were "not completely satisfied yet" with the company's actions.

The CBP has said it will monitor WhatsApp's efforts to offer greater privacy protections and warned it could impose "sanctions" on the communications provider if it is not satisfied with those efforts. The OPCC does not have order-making powers.
