WhatsApp privacy, and the pot of gold at the end of the rainbow.

WhatsApp has a new Privacy Policy. I think it’s not very good.

As The Guardian’s article rightly puts it, WhatsApp users are now basically Facebook users, and the past protections of the WhatsApp silo are gone. If you dislike this as much as I do, you’re out of luck. I have not yet accepted the new Privacy Policy (haven’t actually clicked the button), in hope of a miracle: that Facebook, to counter the backlash, walks back on the new policy, or that somehow most of my WhatsApp contacts, including Dutch public education related group chats, suddenly move to Telegram or something similar(ly better). Neither is likely.

The actual change, on the surface, is not that bad: your e2ee is still there, and your private chat is still private… although apparently your private keys being actually private is now gone from the specs, so you kinda-sorta have to go on Facebook’s promise on that one.

(This tweet is about WhatsApp’s security whitepaper by the way.)

But we all trust Facebook, don’t we?

As a private person with nothing to hide (copyright Eric Schmidt), this is still sorta-kinda fine. The problem is with the metadata. Facebook will now be sharing this across its platforms, and you can bet your e2e encrypted buttocks they will use your WhatsApp metadata to refine their behavioral tracking and target ever better ads to “improve your experiences” by sharing “battery level, signal strength, app version, browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).”

Facebook issued a separate FAQ page to address the storm of angry responses (or “thoughtful questions” in Facebookese) to the new privacy policy. It’s a beautiful response, reassuring everyone that you are as private as you can ever be. But the thing with Facebook is, I tend not to trust them: they are very good at communicating half truths — a bit like populist leaders do. “We don’t store X” is, in my book, not the same as “we don’t have access to it for behavioral tracking”. “We don’t see the location you share in your e2ee chat” is true, but also, WhatsApp/Facebook has access to your location at app level if you grant it.

Facebook is also good at creating a labyrinth of a Privacy Policy that eventually allows them to share any information collected, with other Facebook companies. If I:

  1. read this part first,
  2. minding the “may include other information identified in the Privacy Policy section entitled ‘Information We Collect’” statement;
  3. then read the policy again and look for the ‘Information We Collect’ part,

then I don’t see what’s limiting Facebook from actually sharing any data WhatsApp collected with the Mothership.

So yeah Facebook, a FAQ is nice, but you know what’s better if you want to assure people you don’t do what we think you do?

Putting it explicitly in your privacy policy.

Then you are at least liable. That, to me, is easier to trust.

(Not to go deep into politics, but if you want to see how good Facebook is at half truths, you need to go as far as Sheryl Sandberg’s perfectly executed response on 6/Jan Qanon stuff.)

So what to do?

As an ordinary dude, not much I’m afraid.

Leaving WhatsApp, with school comms happening there, is not a realistic option.

In any case, I limited the app as much as iOS allows it:

And containerised the web client (is that even a word) in Firefox:

But of course I’ll eventually accept the new policy, and will sadly feed my Facebook shadow profile. At least my Pi-hole is taking care of filtering out all the ads I’d be targeted with based on the data my WhatsApp shared.

And if you need to tell me something, you can always contact me on Telegram rather than WhatsApp.


Header image, as usual, is mine: a rainbow over the Waterland, near Amsterdam. You know, pot of gold, privacy, rainbow, nudge-nudge.
