Skip to main content

What’s up with WhatsApp’s privacy policy?

WhatsApp has been in the news recently after changes to its privacy policy caused a surge of interest in rival messaging app Signal. Initial reports may have worried a lot of folks, leading to inevitable clarifications and corrections. But what, you may ask, actually happened? Is there a problem? Are you at risk? Or should you keep using your apps as you were previously?

Setting the scene

WhatsApp users found themselves facing down an in-app notification this past week, letting them know of upcoming privacy policy changes. The message read:

By tapping Agree, you accept the new terms, which take effect on February 8, 2021. After this date, you'll need to accept the new terms to continue using WhatsApp. You can also visit the Help Center if you would prefer to delete your account.

Generally, I'm somewhat suspicious whenever a trusted app starts popping messages, or anything else I wasn't expecting. After the initial burst of "Is this genuine?", follows the part where I try to dig out the parts that have changed and see how it compares to what went before.

What worked…

Giving users a bit of time to see the upcoming changes, and work out if they want to be part of it, is good and should be encouraged. Often, privacy policy and EULA changes spring from nowhere, giving little to no time at all to digest them. Regardless of how everything else about this notification panned out, WhatsApp should be applauded for giving everyone plenty of forewarning.

…and what didn't

The key focus of concern around the update, was how data would be shared going forward. Aspects which people objected to included some data remaining on a device even after deleting an account, lines about "respecting privacy" being removed from the privacy policy, and things like phone numbers being shared with Facebook.

This would naturally be a cause for concern for some people.

The messaging fixer-upper

This situation wasn't ideal for WhatsApp, who had to clarify the mixed messages spreading online. They stressed that the upcoming update is related to messaging businesses on WhatsApp. Messages are still subject to the same privacy they were previously, and neither WhatsApp nor Facebook can read your messages or hear your calls.

Additionally, more clarifications had to be made that the changes don't apply to EU/EEA/UK regions despite people in those areas being shown the privacy policy popup. This is not ideal and raises questions as to why the notification was sent to everybody if it didn't apply to everybody. All that tends to happen in those situations is people get confused and start to worry. What happens after that, is lots of articles appear explaining what to do if you want to switch to other services.

Writers have described this potential migration away from WhatsApp as "self-inflicted", and that seems to be an accurate summary. Simply by having to explain the differences between forms of messaging, data collection is thrown into sharp relief. That is to say, you may not have known prior to this how much…or little…your favourite apps collect.

But now you do. The data collection genie is out of the bottle, and yet it may not matter too much.

Decisions, decisions

Ultimately, people will use what they feel most comfortable with. This misstep isn't going to kill WhatsApp, and if you still want to use it, don't worry. It won't be going anywhere. As with all things, informed choices are the best choices. We regularly remind people that it's time for a security password spring clean whenever a major breach takes place.

On a similar note, this may be a good time to brush up on all those T&Cs tied to your favourite apps. Dig into what they do, which pieces of data they collect and use. At the absolute minimum, ensure your messages are as secure as can be and that only you and the recipients can read them (look for "end-to-end encryption"). Some people are fine with data collection, for others it's a deal breaker.

Ultimately, the decision is down to you.

The post What's up with WhatsApp's privacy policy? appeared first on Malwarebytes Labs.



from Malwarebytes Labs full article here

Popular posts from this blog

Chaos in a cup: When ransomware creeps into your smart coffee maker

When the fledgling concept of the Internet of Things (IoT) was beginning to excite the world almost a decade ago, perhaps no coffee lover at that time would've imagined including the coffee machine in the roster of internet-connected devices—even in jest. True, the simple, utilitarian coffee machine may not be as popular now as it used to back in the day, but its continued availability within office premises and private home kitchens, plus inherent risks—much like any IoT device—may be in equal footing with your smart speaker , smart doorbell , or smart light bulb . Cybersecurity issues surrounding internet-connected coffee machines are further punctuated by the latest news about how Martin Hron, a reverse engineer from Avast, tinkered his Smarter coffee maker to not only beep and spew out hot water but also deprive you of a nice, morning brew and display a short ransom note. Courtesy of Dan Goodin, Ars Technica Yes, Hron turned his coffee maker into a ransomware mach...
Read more

A week in security (December 10 – 16)

Last week on Labs, we took a look at some new Mac malware , a collection of various scraped data dumps , the protection of power grids , and how bad actors are using SMB vulnerabilities .   Other cybersecurity news Millions affected by Facebook photo API bug: An issue granted third-party apps more access to photos than should normally be granted, including images uploaded but not published. (source: Facebook) Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated may well be a fake , according to US law enforcement. (source: The Register) Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the spectacular device he built. (source: Met Police) Another Google Plus bug: For six days, developer were able to access profile data not made public by the users. (source: Google) Windows 10 data collection: Reddit use...
Read more

Skimmer acts as payment service provider via rogue iframe

Criminals continue to target online stores to steal payment details from unaware customers at a rapid pace. There are many different ways to go about it, from hacking the shopping site itself, to compromising its supply-chain. A number of online merchants externalize the payment process to a payment service provider (PSP) for various reasons, including peace of mind that transactions will be handled securely. Since some stores will not process payments on their own site, one might think that even if they were compromised, attackers wouldn't be able to steal customers' credit card data. But this isn't always true. RiskIQ previously detailed how Magecart's Group 4 was using an overlay technique that would search for the active payment form on the page and replace it with one prepped for skimming. The one we are looking at today adds a bogus iframe that asks unsuspecting customers to enter their credit card information. The irony here is that the s...
Read more