WhatsApp has announced that it will start sharing your phone number with Facebook. The messaging service has updated its privacy policy to indicate the changes as well as other additions to the platform, such as WhatsApp Web, desktop clients, end-to-end encryption, and voice call service.

This is the end of era centralized communication!

WhatsApp is the only messaging app among those with over a billion monthly active users, which hasn’t started actual monetisation ...

WhatsApp detailed plans to sell ads and charge big companies that want to reach their customers through its service, launching its first major revenue streams as growth at Facebook’s main app is starting to decelerate.

WhatsApp also has the glaring vulnerability that Facebook could at any time reset your key to a compromised one without your knowledge, and WhatsApp will resend any hanging messages automatically upon the change, making any undelivered messages available to the one who has the decryption capability associated with that new key. It's possible they've put in a method to do this without notifying the user. Also, this "automatic resend" behavior means that a physical attack can be made simply by switching SIMs on the phone before the message is sent. It requires some careful timing to be a real vulnerability and anyone using a phone to communicate will certainly opt for a more secure platform for critical applications.

After a long dispute over how to produce more revenue with ads and data, the messaging app’s creators are walking away leaving about $1.3 billion on the table.​

Selon Elizabeth Dwoskin, journaliste au Washington Post, Facebook aurait tenté de mettre en place une passerelle visant à exploiter les données personnelles des utilisateurs de WhatsApp, tout en affaiblissant le chiffrement utilisé par la messagerie.

The Bottom Line

WhatsApps adoption of a strong encrypted protocol is a significant improvement in secure messaging, but problems remain. Although the data is well protected on the wire, there is still significant metadata leakage and there are significant privacy issues related to using the app.

Whilst WhatsApp might not provide full content of messages, the kind of metadata it provides is often enough to draw an informative map of a target's life, said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union (ACLU). She noted that WhatsApp already shares contact information with Facebook where users haven't opted out, which they may provide to government. And the WhatsApp privacy policy notes that it does store some location and contacts information where users have opted to provide them.

"The best practise is to purge information," Guliani added. "When it comes to metadata, how often is WhatsApp purging this kind of information?" As a comparison, the Signal messaging app doesn't store any such metadata and therefore doesn't need to purge it. And whilst it openly admits contact numbers are shared with Signal servers, they're garbled by an encryption algorithm into what's known as a "hash" (though former developer Frederic Jacobs told me it's "trivial" to bruteforce those hashes, so if in the unlikely event a fake Signal server is set up to target a user, their contacts could be exposed).

WhatsApp’s recent privacy policy update announced plans to share data with WhatsApp’s parent company Facebook, signalling a concerning shift in WhatsApp’s attitude toward user privacy. In particular, the open-ended, vague language in the updated privacy policy raises questions about exactly what WhatsApp user information is or is not shared with Facebook. WhatsApp has publicly announced plans to share users’ phone numbers and usage data with Facebook for the purpose of serving users more relevant friend recommendations and ads. While existing WhatsApp users are given 30 days to opt out of this change in their Facebook user experience, they cannot opt out of the data sharing itself. This gives Facebook an alarmingly enhanced view of users’ online communications activities, affiliations, and habits.

If you use both WhatsApp and Facebook, this change allows Facebook access to several pieces of your WhatsApp information, including your WhatsApp phone number, contact list, and usage data (e.g. when you last used WhatsApp, what device you used it on, and what OS you ran it on). With confusing wording, the update correctly points out that your phone number and messages will not be shared onto Facebook. This means that your data will not be shared publicly on your Facebook page or anywhere else on Facebook’s platform. Instead, it will be shared with Facebook—that is, Facebook systems and the “Facebook family of companies.” While WhatsApp’s privacy-friendly end-to-end encryption remains, and the company assures users it will not share their data directly with advertisers, this nevertheless presents a clear threat to users’ control of how their WhatsApp data is shared and used.

[...]

Most critically for user privacy, however, sharing this kind of metadata also gives Facebook an enhanced view of users’ online communication activities, affiliations, and habits, and runs the risk of making private WhatsApp contacts into more public Facebook connections. The new privacy policy, for example, permits Facebook to suggest WhatsApp contacts as Facebook friends. Facebook can also use the data to show “more relevant” ads. In an announcement accompanying the privacy policy update, WhatsApp offers the example of “an ad from a company you already work with, rather than one from someone you’ve never heard of”—a frightening prospect considering the data coordination and sharing required for Facebook to know the companies with whom you do business.

Nous sommes tout particulièrement préoccupés par la nouvelle politique de confidentialité de WhatsApp annoncée en août 2016, qui autorise le partage de données avec la société mère Facebook. Ceci accorde à Facebook le droit d'accéder à plusieurs éléments relatifs aux informations des utilisateurs de WhatsApp, y compris les numéros de téléphone sur WhatsApp et l'usage des données.

When Facebook bought the start-up WhatsApp in 2014, Jan Koum, one of WhatsApp’s founders, declared that the deal would not affect the digital privacy of his mobile messaging service’s millions of users.

[...]

WhatsApp said on Thursday that it would start disclosing the phone numbers and analytics data of its users to Facebook. It will be the first time the messaging service has connected users’ accounts to the social network to share data, as Facebook tries to coordinate information across its collection of businesses.

WhatsApp is changing its policy as it begins building a moneymaking business after long placing little emphasis on revenue. The company plans to allow businesses to contact customers directly through its platform. A similar strategy is already being tested on Facebook Messenger, a separate messaging service Facebook owns.

[...]

Among the changes, Facebook will be able to use a person’s phone number to improve other Facebook-operated services, such as making new Facebook friend suggestions, or better-tailored advertising, WhatsApp added. It said the data-sharing would also be used to fight spam text messages across it

The social network announced in August that it would begin sharing data from its 1 billion-plus user base, including phone numbers, from WhatsApp users with Facebook for the purpose of targeted ads. It gave users the option of opting out of the data being used for advertising purposes, but did not allow them to opt out of the data sharing between WhatsApp and Facebook.

The phone number associated with a user’s WhatsApp account will be used on Facebook to show them ads. This will form part of the targeting the company allows for paying advertisers, who can upload contact databases. Those who use Facebook and are in the contact database uploaded by the advertiser will then be shown the targeted ads.

The information will also be used to show how people interact with a specific ad, but Facebook said that it would not tell advertisers who specifically interacted with the ad.