WhatsApp terms and privacy policy changes

WhatsApp has updated its terms and privacy policy, and effective February 8th, you’ll need to agree to let WhatsApp share information about you with Facebook, or discontinue use of the app.

XDA Developers explains it well:

The new terms and privacy policy update builds upon a similar change WhatsApp announced in July last year. However, in the previous update, WhatsApp gave users the option to “not have your WhatsApp account information shared with Facebook.” With the latest update, WhatsApp has done away with this option, and users will have to accept the new terms and privacy policy if they want to continue using the instant messenger. If you agree to the changes, here’s all the information WhatsApp will share with other Facebook companies:

“The information we share with the other Facebook Companies includes your account registration information (such as your phone number), transaction data, service-related information, information on how you interact with others (including businesses) when using our Services, mobile device information, your IP address, and may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent.”

I have been using WhatsApp to keep in touch with family, and it has been useful. But with these changes, it has reached the point where WhatsApp and I will part ways. I will not agree to the new terms, and I will delete my account before February 8th. I’m now evaluating alternatives for me and my family.

Your mileage may vary, of course.

3 Likes

I’m kinda surprised you don’t use Signal.

My immediate family uses Kakaotalk. I’m not crazy about it, but it’s ok. Other than getting periodic customer messages in Korean, and having absolutely no customer support.

1 Like

I use Signal, the question is whether my family (and thence, extended family) does or not. :slight_smile:

Good recommendation, we’ve already used Kakaotalk, and 1.1 or so of us read/write/speak Korean.

1 Like

Our family has tried Signal and had lots of problems draining batteries. All my international partners use WhatsApp so this presents a challenge. Darn darn darn!

1 Like

Pete,
I think i accepted the terms w/o reading them, is it possible to UN-accept the terms that you know of?
Rob.

I wouldn’t think so, but it’s sort of moot anyway. The new terms don’t take effect until Feb. 8th, so you don’t have to worry until then; and to use the app after Feb. 8th, you will have to have accepted the terms.

So, just delete your account from inside the app before Feb. 8th, and you’re good.

Crossposting from a private list:

  1. A, B, C and others with international correspondents – dumb question, but can they start using Signal? I know most would not or could not, but maybe at least a few to start moving the needle? (I know the feeling – D is still in contact, solely through WhatsApp, with some of the successful asylum seekers she helped a few years ago, and they won’t be able to move out of WhatsApp because of their families back home. Still to see about them and D.)

  2. I’m a bit of an odd duck with Facebook. I use it, but sparingly; never from a mobile app where it would have too much access to information, but rather only from a desktop browser in incognito mode.

If you use Facebook in a regular (non-incognito window), or especially if you have Facebook or Instagram apps on your phone, I don’t think using WhatsApp is going to expose you to much more, and probably you should just continue using WhatsApp.

  1. I realized something in thinking through why I shy away from Facebook’s embrace. I think a lot of people think “MY privacy – I don’t want them to steal MY stuff.” Whenever I think about my life and its footprint on the world, I start globally, before thinking of MYself. So, I’m down on Facebook almost entirely because of what they do to all their subscribers, not because I don’t trust them with my individual data.

It’s the same thing we do with all of our decisions – do I buy this, where do I buy it, do I use this energy, do I discard this thing instead of finding a new home/use for it. The privacy question for me isn’t so much “how does this impinge on my life,” but rather “how does this impinge on other people in the world, on non-human intelligences, on the biosphere?” Social privacy affects all of us more than it affects you as an individual.

(With an obvious caveat; if you truly have a secret you need to convey, the individual privacy between you and your recipients is obviously of paramount concern.)

  1. Along with Facebook, Amazon-Google-Microsoft-Apple also have astonishing amounts of purview into our personal and private lives. I’m not ghosting the others; why am I (more or less) ghosting Facebook?

This is, certainly, a personal answer for each of us. In my case, the others (except Microsoft, I just don’t really use them) provide me with I’m-living-in-the-future technology and affordances, in return for invading my privacy. I could be more principled and avoid them too, but I’m very much less bothered by the Faustian bargain.

Facebook, to my eye, exists almost entirely to be A) addictive, and B) to get bigger. That’s the entirety of their offer of value to me. It is an offer I can refuse. And on the flip side, the cost to society is huge; their stewardship of the addiction cycles and social lives of billions is reckless and uncaring, dividing and conquering entire societies, for again, their goal of being A) addictive, and B) getting bigger.

  1. E asked about content (esp. photos of kids) in WhatsApp. I’m not an expert on WhatsApp or its future (at this point, it has become dead to me), but I think content in WhatsApp will generally continue to be safe and private (with some caveats). I think it makes a lot of sense not to post kids’ photos on Facebook; it’s just too easy for them to escape into the wild through some permissions mis-affordance. For years, though, I think, WhatsApp content will continue to be private between your conversation endpoints (and of course, WhatsApp, and probably Facebook, servers and admins). (The caveat is that I would not be surprised if Facebook has internal research and archiving it does with photos and other content; you’d have to sort of assume that someday WhatsApp content could get sucked into that. It might not happen; but OTOH, it might.)

  2. Yay, you’ve made it to the part where I actually talk about alternatives! :slight_smile:

It turns out the answer is complicated by context dependence. I.e., there is no one “best” answer, because everybody has different needs and requirements.

But still, a walk through a few alternatives:

6A. Continue using WhatsApp. As noted in #2, if you’re all in on Facebook, your incremental use of WhatsApp matters little.

6B. If I had to use WhatsApp because I had correspondents who would not or could not switch, and I wanted to stick to my guns about Facebook, the alternative I would consider is to have an alternate phone and phone number that I only used with WhatsApp. For convenience (lol, this whole answer is inconvenience), I would leave that phone at home, and use WhatsApp web on my desktop, and probably my main phone. Again, YMMV; this is an odd duck solution.

6C. Signal is the best, security/privacy-wise. (But again, you may not need security/privacy for ordinary day-to-day messaging.) Caveat, until they have a way to sign up without a phone number (they say it’s coming), you’re still trusting them with a personal identifier. Consider using it for now with your phone number, and then burning all that history by creating a new account and connecting to everyone again when they support non-phone number signup.

6D. Consider looking at https://www.securemessagingapps.com/ – but only if you promise :slight_smile: to read and understand the context of the list at https://www.securemessagingapps.com/about/.

The secure app that I still use occasionally which is not in that list is Keybase. It is, however, on my “keep on watchlist for changes in their status and think about that every time I use it” because of their purchase by Zoom.

6E. On OGM Forum, Bill Seitz mentioned that he uses KakaoTalk; this would be an interesting choice for me and my family because we’ve already used it (F is tied into the Korean language and some culture, and we’ve used it in that context). This is obviously a big, corporate company, but at least to me, they are much less scorched-earth than Facebook, so I include it as an example of where I personally could imagine using them for ordinary day-to-day conversation, even though they’re primarily not about security. In internal family conversation, it was noted that we don’t know where their servers for US users is, and it would be a little weird to route all our chatter through servers in South Korea. We’ll probably go with Signal instead of KakaoTalk, for at least that reason (and more, but it helps simplify to have a single, clear disqualifier).

6F. Oddball suggestion that even I did not consider (well, for more than a second): set up your own Mattermost server, sort of like the Collective Sense Commons Mattermost, but private. It’s very similar to Slack, works well, reasonably easy to set up, and private if you control the server. On the flip side, it would require all your correspondents to use Mattermost; there’s no network effect for them to take advantage of. You might as well set up a private IRC or something, lol.

1 Like

An additional, more detailed reply about Signal:

Signal is the best choice for most complete, long-term privacy. (I will observe that complete, long-term privacy is probably not the most important thing for most people choosing a messaging app.)

A big caveat is that they require a phone number to start. They say (and I more or less believe) they don’t do anything nefarious with it, but it is a glaring hole in their privacy promise. They say it is a legacy feature, and they will fix it. (And if you need privacy badly enough, having to contrive an extra phone number to use to register is not the worst problem in messaging apps.)

One list of a few decent alternatives, and more non-alternatives, is here: https://www.securemessagingapps.com/, and you must also read and understand the context of that list at https://www.securemessagingapps.com/about/. I think it’s a decent list, and I recommend it, but have not evaluated it deeply enough to give it 100% endorsement. (Neither do I have any particular negative endorsement, except that it doesn’t list Keybase, but the maintainer gets a pass from me on that one; Keybase is a joke now to some security folks, after the Zoom acquisition, even though I think it still has value.)

That site has a fairly long list of the criteria you might use to judge your preferences between any “secure” chat apps, although I don’t think your ToS criterion is one of them. (For practical reasons, ToS are nice to have, but also of course, not absolute guarantees.)

Signal’s ToS are here:

For sensitive security matters, I place my faith more in technical measures and public oversight (i.e., source code review) than in legal ones. I have not reviewed Signal’s source code https://github.com/signalapp personally, but for my purposes, knowing that they publish source code and that presumably others have looked through it a bit is good enough.

Signal is free to use in a way similar to the ways Archive.org or Wikipedia are free to use: generous and public-minded founders; grants; and donations.

You can see on Signal’s home page that they purport to be endorsed by Edward Snowden, Laura Poitras, and Bruce Schneier. (And Jack Dorsey, which in this context I’ll evaluate as neither a positive nor negative endorsement, YMMV.)

The start of more context can be found here:

Disclaimer: I am not a lawyer. This is not legal nor professionally-supported IT security advice.

Pete thank for sharing information, difficult situation.

I wonder if the people that downplay Facebook privacy invasion know exactly how much they are being tracked by FB and Google. For anyone reading here, the first step is shore up your browser security and tracker blocking. Currently i use Microsoft Edge (the new version based on Chrome) and Safari if a site breaks. On both, i have installed privacy tools:

uBlock
Privacy Badger
DuckDickGo Privacy tools

Use DuckDuckGo for search.

I went to CNN.com and there were 24 trackers (which i block) as an example…

2 Likes

and telegram doesn’t make the cut it seems?
i’ve seen critiques of their safety, and also loads of popularity among some circles and cultures. i’m a habitual telegrammer…

Everybody has their own criteria, so if it makes your cut, it makes your cut. :slight_smile:

From the information I’ve seen, Telegram has less privacy, and more troublesome issues, than Signal. Which may or may not matter for any particular situation.

Telegram is on the https://www.securemessagingapps.com/ list, so you can see how the maintainer scores it according to their criteria.

1 Like

¡¡ gracias pedro !!

1 Like

from mila on the email list

No. This is denial and whitewashing. Don’t you remember that they assured, ASSURED their users on acquisition that WhatsApp won’t share customers/user’s data with Facebook? And before that, didn’t (at least some people) explicitly pay/join WhatsApp for the purpose of not having their data/contacts known/correlated by Facebook? Don’t care, not my problem, pretty dumb to entrust any of these companies with anything.

1 Like

agree, < sigh …

---------- Forwarded message ---------
From: Peter Kaminski
Date: Mon, Jan 11, 2021 at 5:03 PM
Subject: Re: [OGM] WhatsApp terms and privacy policy changes

Thanks for sharing, Mila!

This came out on a UK newspaper yesterday:
https://www.independent.co.uk/life-style/gadgets-and-tech/whatsapp-new-privacy-terms-facebook-rules-explained-b1784469.html?am

The article does a good job with two pieces of information, and a terrible job with the third.

  1. Message content has been, and will continue to be, encrypted.

  2. If you live in the “European Region”, [1] you have a different set of terms. [2]

  3. The article says, “The really significant recent update is that WhatsApp has added new features to allow people to communicate with businesses – and those businesses could be hosted by Facebook.”

I would judge this to be dangerously uniformed and irresponsible reporting. The new terms do discuss this communication with businesses, but that’s not the really significant part of the update.

The significant concern with Facebook and WhatsApp has always been what Facebook does with the metadata around conversations. Who your contacts are, which of them you chat with and when (down to the millisecond), what everybody’s IP address is, where your phone says you’re located (down to which store, and potentially which aisle), etc., etc.

The article misses that most significant point.

(I could also quibble about Facebook/WhatsApp’s obfuscatory description of its privacy practices and what they really do, but that would be asking a leopard to deny its spots.)

It turns out that WhatsApp has been sharing that sort of information with Facebook for a couple of years now, anyway, unless you were lucky enough to opt out during the first part of the acquisition.

Separately, Facebook has been working on encryption for its own Messenger service. Messenger content wasn’t originally encrypted, and Facebook could scan the content itself. When encrypted messaging became popular, it was embarrassing that Messenger’s messaging was not, and they decided to start encrypting it.

The watershed moment, for me, is that Facebook has decided it’s time to close the WhatsApp opt-out loophole, which means to me that they have improved their metadata analysis for Messenger, and want to consolidate more metadata into their galaxy of surveillance, and have chosen to do that at the expense of user agency over privacy (for those lucky enough to have retained it thus far).

This might – and conversely, probably should not – be a watershed moment for many other people.

As I said in a previous message, if you’re a regular Facebook user, you should probably just continue using WhatsApp; the new terms don’t change your relationship with Facebook much.

But, on the other hand, perhaps it’s a good time to learn more about Facebook and metadata?

Some more background articles I think are good:

“WhatsApp Has Shared Your Data With Facebook for Years, Actually” (Wired, 2021-01-08)

“WhatsApp Users Suddenly Get This Surprise New Boost From Facebook” (Forbes, 2020-05-23)

“Forget About Backdoors, This Is The Data WhatsApp Actually Hands To Cops” (Forbes, 2017-01-22)

[1] Andorra, Austria, Azores, Belgium, Bulgaria, Canary Islands, Channel Islands, Croatia, Czech Republic, Denmark, Estonia, Finland, France, French Guiana, Germany, Greece, Guadeloupe, Hungary, Iceland, Ireland, Isle of Man, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Madeira, Malta, Martinique, Mayotte, Monaco, Netherlands, Norway, Poland, Portugal, Republic of Cyprus, Réunion, Romania, San Marino, Saint-Martin, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, United Kingdom sovereign bases in Cyprus (Akrotiri and Dhekelia), and Vatican City. See https://faq.whatsapp.com/general/security-and-privacy/who-is-providing-your-whatsapp-services

[2] https://www.whatsapp.com/legal/updates/terms-of-service-eea

(crossposted from the mailing list)

Peter, how do you feel about KakaoTalk compared to those three? [Threema, Wire, Signal]

My feeling is that KakaoTalk has better mascots:

https://store.kakaofriends.com/en/info/charInfo#/en

As an aside, I may or may not possess a family selfie of us, posing with big smiles, in front of an 8-foot Ryan the lion figure at the Kakao Friends store in Seoul https://goo.gl/maps/aoRwC5ZEsz8X756h9. We won’t talk about the Kakao Friends pop-up merch shop at the Jeju airport. I miss traveling. ::sigh::

I think we’re going with Signal over KakaoTalk, mostly because I’m a geek, and my daughter’s fiancé works in cybersecurity (and from there, so do many of his friends), so within the family, we have the social momentum to go with Signal.

But seriously, for our family comms – cute animal videos, recipes, dinner plans, and flora/fauna of the Tecolote Canyon Natural Park?

KakaoTalk would be at least as good as the others, and probably better, because it’s friendly (like better mascots! lol), easy to use, and has good adoption (if you’re connected to South Korea in some way).

Remember, my reason for shying away from Facebook/Whatsapp is that they mindlessly, carelessly, dangerously warp the societal fabric of billions of people and I do not want to participate to the extent I can.

KakaoTalk cannot, because it doesn’t have the global reach to do it, so (selfishly, perhaps, as a US resident; they’re ubiquitous in South Korea) I think they’re in the middle of the good/bad bell curve of all the other 100 or 1,000 or 10,000 consumer brands I interact with every day to get through life in the modern world.

As Bruce Schneier and Randall Munroe say, when you’re evaluating security, pick your threat model first:

https://www.schneier.com/academic/archives/1999/12/attack_trees.html


For secure comms, I use Signal or Keybase or other more arcane things. YMMV.

Pete

1 Like

“when you choose an app you are actually choosing between: american, russian or chinese intel

and whichever you choose a small israeli consultancy can also crack it haha”

(aaron perlmutter, @ thread https://www.facebook.com/100009762915954/posts/1382353138766770/?extid=0&d=n )

1 Like