Facebook Messenger and WhatsApp: is your data private?
Privacy, data monetization, encryption... here’s what you need to know about those popular apps.
WhatsApp: a delayed update
This gives users more time to understand how their data is being used by tech giants, WhatsApp and Facebook. We humbly attempted to understand this better ourselves and present the results of our readings in this article.
How is user data secured?
Facebook Messenger encrypts messages in the same way as WhatsApp, except that the encryption is not automatically activated. To do so, you must activate the “secret conversation“ mode. Instructions on how to do this can be found here.
WhatsApp uses end-to-end encryption to secure user interactions. In a dedicated FAQ, WhatsApp states, “End-to-end encryption ensures only you and the person you’re communicating with, can read or listen to what is sent, and nobody else in between. Not even WhatsApp.”
This encryption is automatic: no need to activate any settings. Note that the encryption protocol is the Signal protocol (which is open source).
Are communications private?
The same data use policy applies to all Facebook products except WhatsApp, which is not listed.
Facebook states: “We collect the content, communications and other information you provide when you use our Products.”
To the question, does Facebook have access to Messenger user conversations? The answer is yes unless they are encrypted.
Concerning privacy, WhatsApp states: “End-to-end encryption means that your messages are encrypted to protect against us and third parties from reading them.”
WhatsApp also specifies that messages are stored on user devices. Messages are deleted from servers after they are distributed unless they cannot be sent (30 days retention) or when content is considered “popular“ (such as repeatedly shared videos).
Does WhatsApp have access to user conversations? The answer is no (except in the exceptional cases mentioned above).
Is data shared with advertisers?
On its site, Messenger specifies that it does not use “the content of your messages with other people for ad targeting, which means advertisers can’t target you based on what you say in messages.”
However, its Data Policy states: “We use the information we have about you-including information about your interests, actions and connections-to select and personalize ads, offers and other sponsored content that we show you.”
It’s therefore not possible to completely exclude that unencrypted communications may be used for marketing purposes. However, it’s essential to specify that the data that Facebook conveys to advertisers is “anonymized,” as explained quite clearly in the screenshot below:
Data transmission between Facebook and advertisers. Source
The company also specifies that it permits communication between companies and its users, “We will allow you and third parties, like businesses, to communicate with each other using WhatsApp, such as through order, transaction, and appointment information, delivery and shipping notifications, product and service updates, and marketing.”
To summarize, WhatsApp does not display banner ads but allows companies that a user is already in contact with to offer marketing content through the application.
To date, do Facebook and WhatsApp use user data for ad targeting?
This question has raised the most concern among users, and it is also the one we find the most difficult to answer accurately. Here’s what we can tell from reading the content produced by WhatsApp and Facebook.
In a FAQ page dedicated to the exchanges between the two entities, WhatsApp writes that today, Facebook does not use WhatsApp account information “to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook.”
A sentence that does not, however, exclude that advertisements can be proposed outside of the social network. Further, WhatsApp states it is looking for “ways to build a sustainable business,” including “exploring ways for people and businesses to communicate using WhatsApp,”. An exploration that leads the company to “include working with the other Facebook Companies to help people find businesses they’re interested in and communicate with via WhatsApp.
Again, it seems impossible to completely rule out the hypothesis that the two entities exchange data for offering advertising targeting.
Where is user data hosted?
Both Facebook Messenger and WhatsApp explain that user information is “transferred or transmitted to, or stored and processed in, the United States or other countries,“ without mentioning which ones.
Both companies also state that they rely on the adequacy decisions of the European Commission. As it explains on its website: “The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection. The adoption of an adequacy decision involves a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from representatives of EU countries, the adoption of the decision by the European Commission.”
In other words, Facebook declares that it complies with the EU instructions on data transfer and storage.
GDPR compliance: Facebook on thin ice
However, as the French Commission for Information Technology and Civil Liberties states on its website, “the GDPR requires complete and accurate information. Transparency allows the people concerned: to know the reason for various data collections concerning them, to understand the processing that will be done with their data, to ensure control of their data by facilitating the exercise of their rights. For data controllers, it contributes to fair data processing and establishes a relationship based on trust with the data subjects.”
Today, unfortunately, it’s this “relationship based on trust“ that Facebook is struggling to rebuild. The firm has until May 15, 2021, to win back its users’ hearts.