Submit Your Work
Internet
Privacy and Surveillance
Thursday, January 28, 2021

WhatsApp's New Privacy Policy: Collecting Metadata and Its Implications

This article is by
Vaishnavi Krishna Mohan
Vaishnavi Krishna Mohan
Global

Share this article
Download as PDF
Cite this Article

Article Contributor(s)

Vaishnavi Krishna Mohan

Article Title

WhatsApp's New Privacy Policy: Collecting Metadata and Its Implications

Publisher

Global Views 360

Publication Date

January 28, 2021

URL

Representative Image WhatsApp

Representative Image WhatsApp | Source: Rachit Tank via Unsplash

According to WhatsApp’s new privacy policy, the app is set to collect “only” user’s Metadata. Metadata can reveal a lot more than merely the app usage of a person. Former NSA General Counsel Stewart Baker stated, “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content.”

This article explores the ways in which WhatsApp is underselling the true estimation of the significance of Metadata.

Facebook owned WhatsApp recently announced the update of its privacy policy terms. 8th of February, 2021 was initially set as the deadline for users to either accept the new privacy policy or delete their account. By this time, most of us have already witnessed or been a part of the backlash that WhatsApp is experiencing. LocalCircles conducted a survey and the results indicated that 15% of India’s users are likely to move away entirely from the app while 36% will drastically reduce the usage and 67% of users are likely to discontinue chats with WhatsApp business accounts.

To reinstall trust in its users, WhatsApp released a clarification stating that the new policy update doesn’t compromise privacy of messages with friends and family. Furthermore, it explains that the update includes changes related to WhatsApp business accounts are optional too.

However, owing to severe backlash, WhatsApp has pushed the deadline to May 15 while they further clarify their policy updates.

It is true that WhatsApp cannot read our messages as it is end-to-end encrypted which implies that only a message’s sender and receiver can read it. The updated privacy policy intends to alert users that some businesses would soon be using Facebook-servers to store messages with their customers. By accepting the new privacy policy, users will be allowing WhatsApp to reserve all rights to collect your data and share it with the expansive Facebook and Instagram networks ‘regardless of whether you have profiles on those apps.’

A person using WhatsApp | Source: Andrés Rodríguez via Pixabay

By using WhatsApp, you may now be sharing your usage data, your phone’s unique identifier, your location when the location service is enabled, among several other types of metadata. A culmination of all your metadata is linked to your identity.

The value of metadata has been underestimated since the term isn’t clearly understood. Metadata is data about our data. For instance, in a cell phone conversation, the conversation itself isn’t metadata but everything except that is metadata. Data regarding who you called, how long you spoke for, where you were when you placed the call, where the other person on the line was and the time you placed the call. Consider a situation when every time you made a call to someone, you had to inform a particular person about who you called, how long you spoke for, when and where and all other details except the content spoken. This applies for every single call and everyone else’s metadata is also being recorded. The person owning the metadata can analyze and tell a lot about your personal life. Who you work with, who you spend time with, who you are close to, where you are at particular times and so on…

Kurt Opsahl, in his post in the Electronic Frontier Foundation, gives an example of how companies and governments collect intimate details about your life with the disguised use of the word called metadata. The following examples are an excerpt of his article:

“They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. They know that you called suicide prevention hotline from the Golden Gate Bridge.

They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour.

They know you called a gynaecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day. But nobody knows what you spoke about.”

Metadata provides more than required context to know some of the most intimate and personal details of your lives.  When this data is correlated with the records of other phone calls, one can easily obtain a lot more data and track our daily routines. This is merely about phone calls. WhatsApp includes a lot more features and will collect metadata of chats, businesses and money transactions.

In WhatsApp’s words:

“We collect service-related, diagnostic, and performance information. This includes information about your activity (such as how you use our Services, how you interact with others using our Services, and the like), log files, and diagnostic, crash, website, and performance logs and reports.”

In addition to this, WhatsApp also collects information about IP address, OS, browser information and phone number.

Stanford’s computer scientists conducted an analysis to understand the extent of intrusion of privacy using metadata. The scientists built an app for smartphones. The app was developed to retrieve metadata of calls and text messages from more than 800 volunteers’ phone logs. The researchers received records of more than 250,000 calls and 1.2 million texts. Their inexpensive analysis revealed personal details of several people like their health records. Researchers were also able to learn that one of their participants owned an AR semi-automatic rifle with only metadata.

Gen. Michael Hayden | Source: Wikimedia

Gen. Michael Hayden, the former head of the National Security Agency once stated that “the U.S. government kill[s] people based on metadata.”

In 2016, Facebook was involved in the infamous data privacy scandal which centered around collection of personal data of over 87 million people by Cambridge Analytica, a political consulting and strategic analyst firm. The organization harvested user data for targeted advertising, particularly political advertising during the 2016 U.S. election. While the central offender was Cambridge Analytica, the apparent indifference for data privacy to Facebook facilitated Cambridge Analytical and several other organizations.

In June 2018, Facebook confirmed that it was sharing data with at least 4 Chinese companies, Huawei, Oppo, Lenovo and TCL. Facebook was under scrutiny from the U.S. intelligence agencies on security issues as they claimed that the data with the Chinese telecommunication companies would provide an opportunity for a foreign espionage.

In September 2019, there were reports that the Indian government contemplated making it mandatory for companies like Google, Facebook, and Amazon, to share the public data of users.

The Ministry of Electronics and IT (MeitY) was planning on issuing new guidelines under the Information Technology Act which according to which tech giants would have been required to share freely available data or the public information that they collate in the course of their operations, including traffic, buying and illness patterns.

Europe is exempted from WhatsApp’s new privacy policy as EU antitrust authorities fined Facebook 110 million euros for misleading the regulators during the takeover of WhatsApp in 2014. EU’s strict privacy laws empowers regulators to fine up to 4% of global annual revenue of the companies that breach the bloc’s rules.

Your Metadata is extremely personal. By giving WhatsApp the authority to access it, you are giving access to several other organizations, businesses and it also makes you more vulnerable to third-party hackers and trackers. WhatsApp has given multiple assurances about its updated privacy policy being noninvasive. However, most of these assurances are cleverly worded and misleading statements. It is important to read through the fine print of the new policy before accepting it.

Support us to bring the world closer

To keep our content accessible we don't charge anything from our readers and rely on donations to continue working. Your support is critical in keeping Global Views 360 independent and helps us to present a well-rounded world view on different international issues for you. Every contribution, however big or small, is valuable for us to keep on delivering in future as well.

Support Us

Share this article

Read More

February 28, 2021 11:13 AM

Internet Shutdowns in India: From Kashmir to Haryana

India has one of the world’s largest internet user base and also has the maximum number of internet shutdowns. In 2018, India recorded 134 shutdowns which is the highest the country has seen yet. The article delineates the implications of Internet shut-down—while looking at specific cases of Kashmir, CAA-NRC, and Farm Bill Protests—and the legal procedures associated with the same.

The internet shutdown imposed in Kashmir on 4th August 2019, when Article 370 of the Constitution was abrogated by the Parliament of India recorded the longest shutdown in India.  In the initial days, landline and mobile services were restricted as well. While the ban on landline and mobiles was lifted soon, 2G services were restored for “verified users” on 25th January 2020. Only whitelisted websites could be accessed and social media remained prohibited. A new order was passed on 4th of March 2020, by the administration of J&K, according to which the whitelist was removed but internet could only be accessed using 2G on verified SIM's. As Kashmir is still languishing without high-speed internet, at least 7 million have been affected due to the shutdown.

Anti CAA-NRC Protests in Lucknow | Source: Youtube

In December, 2019, during the notable protests against the Citizenship Amendment Act, the authorities in the states of Assam, Meghalaya and Tripura severed internet connection as they supposedly cited a threat of violence and false rumors. Parts of West Bengal and Uttar Pradesh were also under a digital lockdown. Internet shutdowns come with a great cost. Every time the central or state government decides to cut the internet, a large number of students, businesses, travelers, online journalists and influencers are affected resulting in a huge monetary loss. According to a report by TopVPN, India has lost nearly $2.7 billion due to all the 83 internet shutdowns in 2020 alone. This loss is greater than the combined loss of the next 10 countries in the list. The report also revealed that India also stayed offline for longer than any other country, at 8,927 hours last year. The largest contributor to this figure is the 213-day shutdown in Kashmir.

The Kashmir Chamber of Commerce reported that the cumulative loss due to the internet shutdown and restriction in the region was $5.3 billion. The authorities say that these shutdowns are simply to stop the spread of dangerous misinformation which they believe moves faster in social media like Facebook and messaging apps like WhatsApp. However, the internet shutdowns are usually enforced after a piece of misinformation has been spread widely. In 2018, 33 of the shutdowns were justified by the government claiming that they wanted to curb dis/misinformation. The problem is that, when you cut people off from being able to access information, the only access they have is to previous misinformation. In fact, cutting off the internet can turn a previously predictable situation into a highly volatile one. A study conducted by Stanford suggested that mass mobilization in India can occur even in the absence of social media and digital platforms. Another report published by Stanford stated, “Rumours and disinformation continue to spread with or without access to digital communication networks, whose primary role is that of accelerators of information diffusion.” In addition to this, the study found that internet shutdowns force protesters to substitute non-violent tactics for violent ones which are less reliant on effective communication and coordination. In April 2019, Sri Lankan government shutdown all social media platforms as a result of the Easter Suicide Bombings. The IFCN (International Fact-Checking Network) reported that fake news was rampant despite the shutdown. IFCN also noticed an increase in false reports on Facebook from that area. However, the above mentioned facts did not have the potential to stop India from once again disregarding the negative implications of Internet shut-down. India continues to be indifferent.

Protesting farmers at Singhu Border | Source: Harvinder Chandigarh via Wikimedia

The ongoing farmers’ protest in India against the three farm bills (now acts) passed in the parliament turned violent on 26th of January. A group of the protesting farmers who were on a tractor rally, deviated from their route and entered the Red Fort. The Union Ministry of Home Affairs temporarily suspended internet in Singhu border, Ghazipur border, Tikri border, Mukarba Chowk and Nangloi for 24 hours. On 29th of January, the State government of Haryana ordered telecom operators to shut down all mobile internet services, all SMS services, and all dongle services in 17 of the 22 districts of the state until 5 pm on January 30, 2020.

The shutdown was based on the grounds of preventing protestors from mobilising through social media and to constrain the plague of disinformation, which was spread due to the tensions at farmer camps between unidentified miscreants, farmers and later the police. But there was a lack of media coverage of the police violence while they highlighted the protestors’ response to it, essentially disseminating biased disinformation which they ‘intended’ to curb with an internet shutdown.

The Indian Telegraph Act, 1885 permits the government to block internet access in case of a public emergency. After 2017, Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules was deployed in cases of internet shutdowns. The Rule 2(1) describes the protocol and powers for the ‘competent authority’ to issue a direction for the suspension of Internet.  The ‘competent authority’ here refers to the Home Secretary of the Union government or the State government. If obtaining prior directions from either of these authorities is not feasible, the order may be issued by an officer, not below the rank of a Joint Secretary to the Government of India. This officer should be duly authorized by the competent authority to issue suspension order and must receive confirmation from the competent authority within 24 hours of issuing such order. In January 2020, the Supreme Court directed that in addition to the Telecom suspension rules, all internet shutdowns must be made public and the orders must be a committee must review all internet shutdown orders once every seven working days to ensure if it is in accordance with the Telecom suspension rules. In November 2020, a new rule was introduced stating that a single order cannot authorize a shutdown for a period exceeding 15 days. Despite several regulations, the Internet Freedom foundation found out that there is low compliance by state governments. Even in 2019, in multiple cities, including the national capital, the suspension orders were issued by the State Police. The New York times reported there were instances where local authorities of India ordered the shutdown with just a few phone calls to the local service providers.

In addition to repression of dissent, telecom shutdowns also have an impact on healthcare services, doctors and ambulances especially in the cases of violence when they certainly have a harder time communicating with people on the ground hence creating a vacuum of information.

Arbitrarily shutting down the internet is a fundamental right violation. The frequencies of internet shutdowns in India are highly alarming. Besides, it is ironic that in 2020, the government announced its plan to bring high-speed fibre-optic based broadband to all Indian villages in the next three years. While it is most certainly beneficial to those living in these villages and to those wanting to spread propaganda, all the effort would be insignificant if the nation continues to shut down the internet at this rate of recurrence.

Read More