Canadian Privacy Commissioner Report Says WhatsApp Violated Privacy Laws

The Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority this morning released the results of their collaborative investigation into the popular third-party messaging app WhatsApp.

“Our Office is very proud to mark an important world-first along with our Dutch counterparts, especially in light of today’s increasingly online, mobile and borderless world,” said Jennifer Stoddart, Privacy Commissioner of Canada. “Our investigation has led to WhatsApp making and committing to make further changes in order to better protect users’ personal information.”

One major issue concerned the privacy implications of requiring users to share contact list data in order to use the app. Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, says “both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.” The lack of an opt-in choice for sharing address book contacts contravenes Dutch and Canadian privacy laws.

In the Office of the Privacy Commissioner of Canada's report, titled Report of Findings: Investigation into the personal information handling practices of WhatsApp Inc., the following section describes where WhatsApp is accused of violating Canadian privacy laws:

8. Based on a technical review of the application, our Office initiated a complaint in respect of WhatsApp’s service registration process to investigate whether that process allowed for unauthorized access to a user’s account, contrary to Principle 4.7 of Schedule 1 of the Act. More specifically, this Office investigated whether a user’s WhatsApp account could be used prior to the completion of the user authentication process, thereby allowing a third party to create and control accounts associated with phone numbers which they did not own.

When the investigation into WhatsApp started, the app's messages were sent unencrypted and were prone to sniffing over unprotected Wi-Fi networks. Partly in response to the query, WhatsApp introduced encryption in late August of 2012.

The investigation also found that WhatsApp “was generating passwords for message exchanges using device information that can be relatively easily exposed,” which increased the risk of third parties being able to compromise users and send messages using their identity. WhatsApp has since improved its authentication process by using stronger, randomly generated passwords.

WhatsApp remains one of the most popular cross-platform messaging networks; it recently announced a record 18 billion messages sent on New Year’s Eve.

We’ve reached out to WhatsApp for comment regarding this investigation and will update this story when we hear back from them.