WhatsApp, Pakistan’s most widely used instant messaging application, has stirred controversy since announcing a change in its Privacy Policy for users, which will roll out in February 2021.
Acquired by Facebook in 2014, WhatsApp has always advertised itself as a safe, secure, and private messaging application. The new terms and conditions, however, allow Facebook to use users’ data from WhatsApp for, and on, all platforms belonging to the company.
The policy states: “WhatsApp must receive or collect some information in order to operate, offer, improve, understand, individualise, support and market our services. This happens, for example, when you install and use our services or access them.” This policy would not be rolled out for EU countries, as the EU has strong data protection laws, particularly the General Data Protection Regulation (EU).
In a clarification issued on January 12, WhatsApp stated that its “privacy policy update does not affect the privacy of your messages with friends or family.”
Commenting on the issue, Federal Minister for Science and Technology (MoST) Fawad Chaudhry, on January 10, said that the MoST is considering “introducing a strong data protection law to protect citizens’ privacy.” The minister elaborated that such a law would allow for wider consultation with the government “instead of a unilateral approach such [as these] policy changes.”
Explaining the details of the new policy, director of research and policy for the Digital Rights Foundation (DRF), Shmyla Khan told The Correspondent: “Given that there is no data protection law in Pakistan, unlike European countries where the General Data Protection Regulation (GDPR) prevails, Pakistani users have to accept the terms and conditions of the privacy policy laid out by WhatsApp and do not have the option of opting out.”
“The lack of options means that users are faced with a choice: either accept the privacy policy, or stop using WhatsApp,” she added. “The privacy policy entails that the metadata of users—including your phone number, IP address, your contacts, status, groups (including group name, group picture, group description), payments or business features, profile photo, your ‘about’ information, and your ‘last seen’—will be shared with third party websites such as Facebook. Contents of messages and calls, however, will remain encrypted and cannot be accessed by any third-party.”
When asked about how the new policy is any different from the privacy policy of widely used apps like Instagram or Facebook, Shmyla Khan pointed out the different user expectations from WhatsApp.
“WhatsApp’s conversations are still end-to-end encrypted, so it does offer more privacy protection than other, more public platforms,” Ms Khan opined. “However there is a higher expectation of privacy on WhatsApp than any other Facebook-owned platform, especially since it is touted as secure and private. There is more to be concerned about in terms of data sharing.”
When asked if users should shift to other platforms for greater privacy, she said: “Open source platforms such as Signal are always preferable as there is more transparency and you can know exactly how your data will be shared.
“However, it is important for people, as users of technology, to do their research with due diligence when it comes to switching apps. Currently, the public discourse has shifted to Signal and Telegram. However, this shift of platforms will allow for other contenders to enter the market. Therefore, it is important to always practise caution,” Shmyla Khan added.
The Facebook factor
Hija Kamran, projects manager at Media Matters for Democracy (MMfD), shared similar concerns with The Correspondent.
“The new update is worrisome in context of Facebook’s acquisition of WhatsApp in 2014. WhatsApp’s then-CEO clearly said that they’re not going to compromise on values that were based on privacy,” Ms Kamran said. “From then till now, there have been very drastic changes in the privacy policies. You can see how FB has gotten considerable control over people’s privacy on WhatsApp.”
“WhatsApp has so far been end-to-end encrypted, but at the end of the day it is owned by Facebook, which does not have a good track record of upholding people’s privacy. To begin with, WhatsApp was never fully trustworthy because of its affiliation with Facebook,” she added.
She pointed out incidents in the past where Facebook utilised users’ data without consent, for instance during the 2016 US elections to influence the democratic process. She also commented on Facebook’s complicity in inciting on-ground violence in places like India, Sri Lanka, and Myanmar through its lack of privacy controls and insufficient data moderation.
When asked about the collection of anonymous data from WhatsApp, Ms Kamran pointed out that the problem lies in the consolidation of anonymous data with identifiable data.
“Facebook has a lot of other information on its users, and over 2 billion Facebook users are WhatsApp users as well,” she pointed out. “A lot of people are using them simultaneously, so when you connect the information the two are collecting, you can consolidate a well-made profile of who that data belongs to.” This indentification places users’ security at risk.
“The issue is that even if no one uses this data to directly attack me in any way, the data can be be sold to other parties without my consent, and I would not know how this information will be being used,” she elaborated.
What should the public do?
Echoing Shmyla Khan’s opinion, Hija Kamran believes that users should stop using WhatsApp and consider safer alternatives.
“We are constantly, actively trying that people move away from WhatsApp and onto more privacy-respecting alternatives,” she said. She proposed shifting to Signal, as compared to Telegram, citing its history of reliably protecting users’ data.
She also emphasised on generating user awareness on privacy concerns, and advocating for laws that prioritise the protection of citizens’ personal data.
“It is also important to demand and advocate for data protection and privacy laws,” Ms Kamran said. “We do have a Data Protection Bill in the works. But the problem with these bills and legislations is that they are drafted keeping only one thing in mind—that the government can control people’s data, and not how people’s data should be protected.”
“The need is for Pakistanis to get involved in conversations around these legislations, along with changing their own behaviours, such as by switching platforms and also encouraging other people to do so,” she remarked.
Admitting that privacy concerns are not generally respected in Pakistan, Hija Kamran stressed that only actively engaging with such conversations can bring about positive change.
“Ask questions, follow the people who answer them, and hold corporations accountable whenever they infringe upon people’s rights.”
Balach Khan contributed to this story.
