WhatsApp’s new privacy policy makes it less private

An illustration of WhatsApp after its new privacy policies are implemented.

Facebook, the owner of WhatsApp, has forced an ultimatum upon WhatsApp’s users: share future transactional data and metadata from the end-to-end encrypted messenger with Facebook, or lose access to your WhatsApp account. 

Users are being informed of this new requirement via an in-app notification. If they do not accept the sweeping changes to WhatsApp’s terms of service and privacy policy by May 15 (originally Feb. 8), they will be locked out of their WhatsApp account.

It is important to note that this does not change the amount of data WhatsApp currently collects, but opens the door for more data collection in the future. For anyone who opted out of letting Facebook use their WhatsApp info for commercial purposes in 2016, WhatsApp says it will still honor that choice. 

In a victory for the EU’s privacy legislation, Facebook is also not able to use WhatsApp users’ data for ads if they live in Europe (and the post-Brexit UK), although these users will need to accept new terms.

Opening up WhatsApp to collect transactional data continues its slide from a relatively private messaging service to just another part of Facebook’s panopticon, something critics have been anticipating ever since Facebook purchased the company in 2014. This change means that all of WhatsApp’s over two billion users will have to give their personal data to the same company notorious for its disregard for privacy. Facebook enabled the Cambridge Analytica scandal, conducted mass psychological experiments without consent, and created today’s toxic information environment by targeting users with sensational ads and posts on the basis of their personal beliefs.

Many early users joined WhatsApp because of its commitment to privacy. But now WhatsApp is an important cautionary tale of how ruthless companies can be when trying to get their hands on user data.

WhatsApp privacy — then and now

WhatsApp was originally conceived in 2009 as a messenger that would have no ads, no games, and no gimmicks. In 2014, when Facebook first took a stake in WhatsApp, one of its founders addressed its users’ privacy concerns in a blog post saying, “Respect for your privacy is coded into our DNA, and we built WhatsApp around the goal of knowing as little about you as possible.” 

In 2016, it was one of the first messaging services to introduce end-to-end encryption to all its messages using the open source Signal Protocol shortly after Facebook completed its purchase. At the time, it was probably the largest proliferation of end-to-end encrypted messages in history. 

Unfortunately, Facebook considers privacy an impediment to its business model of collecting and monetizing its users’ personal data. Since 2016, WhatsApp has collected the following data and adds it to your Facebook profile:

  • Your WhatsApp phone number
  • Your profile name
  • Your profile picture 
  • Your status message 
  • A timestamp from when you were last online
  • Diagnostic data collected from app logs

According to WhatsApp’s global privacy policy, it is part of Facebook’s “family of companies.” As such, Facebook may use the information it takes from WhatsApp to help it operate (presumably operation includes generating revenue by using the personal data for targeted ads) and market its services, including other Facebook products. 

However, the same section in the privacy policy that covers the European Economic Area adds the following line: “Any information WhatsApp shares on this basis cannot be used for the Facebook Companies’ own purposes.” How Facebook will handle WhatsApp’s data from Europe is still murky, so much so that the Italian data protection agency warned the social network that it must clarify its privacy policy for the EEA.

Besides WhatsApp, the best-known Facebook brands are Facebook, Messenger, Instagram, Oculus, Portal-branded devices, Facebook Shops, Spark AR Studio, and the Audience Network, which is an off-Facebook in-app advertising network for mobile apps. Considering that all of these services collect their own types of data, the fact they can all be combined gives Facebook the ability to compile a massive dossier of personal data on each of its users. 

The crucial part of this pop-up is the second point, which explains how Facebook is trying to find ways to monetize WhatsApp with WhatsApp Business. In the future, WhatsApp all allow businesses to contact and communicate with WhatsApp users via the app. Businesses can also choose to be hosted on Facebook, which means the communications between you and that business could be stored and managed by Facebook, giving it the ability to access and share those conversations within the company. This new data will be added to the dossier Facebook has on you, allowing it to more finely target you with ads, but also increasing the amount of data authorities can collect with a data request.

Why privacy must be at the heart of services you use

In short, while Facebook is not interfering with WhatsApp’s end-to-end encryption, it is attempting to collect and monetize as much of its users’ data as it can. End-to-end encryption is a powerful tool, but it is not sufficient to keep all your personal data secure, especially if an organization’s revenue relies on the collection of personal data. As the current WhatsApp example shows, if a company relies on the collection of its users’ data to sell ads, it will do anything to collect and monetize more personal information.

It appears users are fed up with Facebook’s constant attempts to grab more of their data. Shortly after these in-app notifications began popping up for users, subscriptions to more private messaging services, such as Signal and Telegram, have skyrocketed.

People have also turned to ProtonMail to keep their data safe. The number of people opening a ProtonMail account has tripled in recent weeks.

People are choosing ProtonMail because we do more than just use end-to-end encryption and zero-access encryption to protect your messages. We also bolster this protection by minimizing the amount of data we collect for an account and using a business model that respects your right to privacy. (See our privacy policy.) We are also based in Switzerland, where metadata is subject to stringent privacy protections. Unlike Facebook, we do not sell the minimal personal information we have to advertisers or share it with anyone else. 

Instead, ProtonMail is supported by users that sign up for paid plans, which offer additional storage and features and priority customer support. These paid plans make up the entirety of our revenue (aside from what we sell in the ProtonShop). Users sign up for ProtonMail to keep their personal data secure, which means we have every incentive to protect their privacy. Our subscription business model ensures that our interests and our users’ interests are aligned. 

True online privacy means creating an internet that serves people, not companies. To achieve this, you need more than just strong technical solutions. You also need to have the right to privacy enshrined in law and business models that put their users’ rights first. We believe our business model is helping us change the internet for the better, and we thank all our users who have subscribed to a paid plan.

Frequently asked questions about WhatsApp`s privacy policy

What if I don’t agree to this change in WhatsApp’s privacy policy?

Unfortunately, if you don’t want WhatsApp to collect your future transactional data, there is not a lot you can do if you still want to use WhatsApp. Facebook has delayed kicking users off the platform until May 15. You’ll be able to use WhatsApp until then without making any changes. However, if you still have not accepted these changes by that date, Facebook will lock you out of your account until you do.

If I accept this new privacy policy, will Facebook be able to read my messages?

No. This new privacy policy will allow Facebook to access transactional data  However, the end-to-end encryption used to protect your messages is, for now, not being touched. The messages between you and your contacts will remain inaccessible to everyone else.

Messages you send to businesses that use WhatsApp business or are otherwise hosted by Facebook may be subject to different privacy standards.

How can I protect my privacy on WhatsApp?

There is no way to avoid WhatsApp’s new privacy policy while still using the app, and Facebook offers its users few privacy controls. Depending on your threat model, you may decide that WhatsApp is still private enough for you.

However, if you find WhatsApp’s new collection and sharing of personal data excessive, you will need to switch to a new messenger service.

Updated on Jan. 18, 2021, after Facebook issued clarifications regarding WhatsApp’s new privacy policy.

Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.

About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Comments are closed.

12 comments on “WhatsApp’s new privacy policy makes it less private

  • “However, the end-to-end encryption used to protect your messages is, for now, not being touched. The messages between you and your contacts will remain inaccessible to everyone else.”

    Granted… in theory. Whatsapp uses the encryption protocol designed by Signal, so it should work the same. However, since Whatsapp is not open source, I have long-standing doubts on the way that protocol is implemented. What guarantees Facebook from adding itself secretly into every conversation ?

    As very rightly said, “if a company relies on the collection of its users’ data to sell ads, it will do anything to collect and monetize more personal information.” Therefore I would assume that they keep any discussion hidden from third-parties and privy to the users in a discussion – in addition to themselves. Of course I have no proof of this, but neither do I have proof of the contrary !

    Signal, on the other hand, is open source and audited, and therefore users have the guarantee that a discussion will remain truly private – only the sender and the receiver(s) visible in the discussion will be able to read the messages and content.

    Anyone care to contradict or back up these assumptions ?

  • Thank you for you impressive update about privacy linked to Whatsapp and Facebook.
    Should a user who has only Whatsapp and no Facebook profile worry after 8 February (now 15th of May)?

  • I have a question related to how protonmail stores emails.
    does proton encrypts email content along with meta-data or it only encrypts email content.

  • In the light of the furore created by the WhatsApp changes (I’m a Signal user, and there were issues with the service for a few days as, I’m presuming, they had scaling issues)… I found myself wishing that Proton had a chat client that was somewhat integrated with ProtonMail (that could do nifty things similar to how with Outlook emails you can reply using TeamChats).

  • Hi guys, thanks for the input. Any chance Proton releases a messe going app at some point? Absolutely in love with you services.

  • ProtonMail-

    Thanks for this!

    Many have forgotten that Facebook also participated in the NSA’s Prism program.

    Your data is available to the U.S. government at any time. The U.S. has audited and prosecuted groups for political reasons. Even if a court were to somehow decline a U.S. request for your data, the FBI has over 1,000 instances of just looking at your data anyway (according to FISA court documents).

    And Facebook willingly participated in Prism in the first place. Then Facebook falsely tried to hide their participation by saying, “Facebook has never heard of the Prism program”. As if hearing the name, alone, was the relevant feature.

  • What happens when big money comes knocking? What happens when Amazon or any other big tech refused to allow like they are doing in the US with some voices…de-platforming etc. And yes, I might very well not be using the right words but I think that those companies could keep you off the internet???

  • I love Proton Mail. My Emails are not important, for the most part, but they are only meant for me and my recipients. I appreciate that Proton Mail exists to make my little world private. We are in strange times and we must be on guard.

    Like the song says ….

  • I recently lost my seventh Twitter account in two years. I only joined to spread the true word of God not the apostate dispensation hireling taught in churches today. I quit Facebook years ago. I’m grown I don’t need a mommy telling me what I can or can’t say. We are living in treacherous times being suppressed by a criminal government. I pray that people wake up because America as we know it is over. We are the generation with the most to loose and we are bending over and taking everything these criminals running the world give. So sad to see nearly all Americans have become order following cowards.

  • Your article states subscriptions to more private messaging services, such as Signal and Telegram, have skyrocketed.

    Signal I agree 100% with — it’s the most secure app out there, end-to-end encrypted and knowing much less about the user than any other app.

    Telegram, however, is NOT end-to-end encrypted (except for the “secret chats” feature, which only works as live chat and makes it impossible to look back at a later conversation as it’s deleted right after) and it’s therefore possible for hackers to gain access to unencrypted messages or law enforcement to force Telegram to turn them over. WhatsApp at least end-to-end encrypts all messages by default. Calling Telegram “more private” is HIGHLY misleading.