Daily Mirror - Print Edition

Compromising on the equation of protection: Can instant messaging apps put your privacy at stake?

05 Mar 2021 - {{hitsCtrl.values.hits}}      

 

 

  • Practical difficulties also exist when policies are not available in the local language
  • But even though we have consented to agree to ToS we don’t know what’s within those ToS or the privacy policy
  • When we consider data collection and use, not all data collection including meta-data is something that we should be worried about
  • Informed consent is when users are able to read through the policy and understand what is required within that particular policy or the ToS

 

 

Communication today is just a WhatsApp message away. With social media dominating a greater part of our lives, many of us have made it a daily ritual to update our status on Facebook or Twitter, post a story on Instagram and keep up with the trends. WhatsApp and other instant messaging applications too have made life easier; sometimes replacing emails when sharing documents, photos and the like. However, a recent policy update on WhatsApp raised concerns among digital media activists, who claimed that a third-party will now have access to personal communication threads. This also raises a question on whether we are fully aware of our privacy rights when using these applications. 

 

 

Latest policy update for WhatsApp business accounts 

“WhatsApp was designed to be simple, working on a low bandwidth so that it’s reliable and the core of it is privacy,” said Clair Deevy, WhatsApp Director for Public Policy in the Asia Pacific Region at a webinar organised by the Sri Lanka Press Institute. “Therefore it’s secured with end-to-end encryption and therefore WhatsApp and other third parties cannot see your messages and we use the same encryption protocol on Signal.

“However there are three different versions of WhatsApp which people most often get confused with. The WhatsApp consumer app is what most people are familiar with – then there’s a WhatsApp business app which could also be downloaded for free, but has more features such as automatic replies, being able to put business information, location and other information to promote the business. The third app is the WhatsApp Business API used by airlines for example to send boarding pass updates, used for one-time passwords, during COVID we had a number of governments who set up informational apps where people could login and have a chat book function where people could get information. Our research statistics suggest that more people want to message with businesses on WhatsApp and over 175 million people are already messaging with businesses every single day on WhatsApp,” she added.

“Since more companies want to use our API we thought it was important for us to update our privacy policy to be clear to people when they are communicating with a business versus when they are communicating with friends or family. This update is related to the optional business features on WhatsApp and it provides you with further transparency. We are trying to give our users a choice so that they receive a notification when they are messaging with a business and they can make a choice whether they want to interact with that business. This is the first update we have had worldwide since 2016 and it doesn’t expand data sharing abilities with Facebook from the 2016 update we did,” Ms. Deevy said, further explaining the update. 

She said therefore, the App has been made more transparent when you communicate with business and how that business may use your data. “If a business chooses to host their data on Facebook, you will get a notification to say that this business uses Facebook to manage its WhatsApp conversations. When Facebook is acting in this capacity as a cloud or a hosting service, we will have access to messages between the users, but we can only process them on behalf and on the instructions of the business. This is an industry practice when you’re a hosting service. We cannot use these messages automatically to inform ads that the user sees and anyone who gets these notifications.” added Ms. Deevy. 

Shedding light on the security aspect, she suggested that all users have a two-step verification. “This allows a second level of security and it’s one of the strongest things you could do by setting up the number to prevent your account being taken over by people or hackers. Secondly, we have added a function that allows you to have more control over who adds you to groups. So there’s an option of whether anyone could add you to a group or as only someone in your contacts who can add you? Reporting tools set us apart from some app predators and this is one of the reasons why we actually collect some of the data that we have. If something happens on WhatsApp against their terms of service if it is sending inappropriate information, scamming or spamming you have the ability to report and block. When you send us a report, about the equivalent of a screenshot, the last few messages you have, it would help us to take action on what has happened to you on WhatsApp. We think that it is important from an integrity point of view to have the ability to do this, to maintain that messages are end-to-end encrypted and this is the best way that we can do that,” she said. 

 

 

The legal perspective 

Sharing her thoughts on the threat to privacy when using instant messaging applications, Ashvini Natesan-Weerabahu, legal consultant, researcher and lecturer in information technology, media and telecommunications law said privacy could be understood as having access to some of our personal data and also meta-data through which it is possible for the entity that is providing us service to perhaps see certain information and at the same time they also can share it with a few other entities. So the questions in relation to privacy in an instant messaging application include what data are being collected, how secure is my communication, to whom and what are the entities to which my data could be shared and what are the purposes for which the data could be used?” explained Natesan-Weerabahu. 

“The answers to these are found in your privacy policy which should be read with the Terms of Service (ToS) that is in the messaging app itself. But even though we are consented to agree to ToS we don’t know what’s within those ToS or the privacy policy. This is why we are also worried about how exactly our data is being used. When we consider data collection and use, not all data collection including meta-data is something that we should be worried about. The question of data collection and use depends on your expectations on the use of the app. Having said that I also think it’s important to mention that although privacy and security are not the same, they’re closely linked to each other. Using an app that has privacy linked into it along with security is very important and is something that we shouldn’t lose focus on. For me the most important concern when it comes to privacy policy is whether the consent that we have given to use the app is informed or not.” said Natesan-Weerabahu. 

She said that informed consent is when users are able to read through the policy and understand what is required within that particular policy or the ToS. “But many of us haven’t read all the policies although we have accepted them. You may say there is a lot of legal jargon involved, but many policies tend to be very simple for us to read. So the real reason of not being able to read is the time. We see many policies on a daily basis, so we may not be reading the entire text. Practical difficulties also exist when policies are not available in the local language. This jeopardizes informed consent. 

“However, if you file a case saying that you’re worried about your privacy because the use of a particular app or because of a particular privacy policy, the law will provide protection. But unfortunately Sri Lanka does not have a constitutional right to privacy, but we do have Article 14 A of the Constitution which is the right to access information under which there is a valid restriction to refuse information if it violates privacy. But there are also some limited sectoral protections that can be afforded through the Computer Crimes Act and certain other legislations of such nature for unauthorised disclosure of information. But the most important and key legislation is the forthcoming Personal Data Protection legislation which is yet to be placed before the Parliament. Apart from that there’s a Common Law – but in Sri Lanka the Common Law is the Roman Dutch Law and from this Law we can take refuge under the fact that certain protection can be afforded through the delict of actio inuriarum which states that divulging personal information could be considered an affront to dignity. After all your decision to use a particular messaging platform should entirely depend on data that’s being collected and shared while taking security, privacy and other concerns into consideration.” said Natesan-Weerabahu. 

 

 

Watch where your phone came from  

In Sri Lanka, mobile phone connectivity exceeds that of the population. “Out of them, 65-70% are smartphones which people have been using with messaging applications such as WhatsApp,” said Indika De Silva, Huawei Technologies Lanka Co-Vice President, Enterprise Business Group. “When buying a device in Sri Lanka there’s a sticker saying TRC approved or TRCSL approved. This means that device is legally imported into the country and the specifications of the country have been met. But your security can be compromised in devices that are smuggled in because you don’t know the standards with which they are being made and what are in those devices. After you take devices you need to ensure that it’s protected with passwords etc. When you download unknown data somebody can break in and get your information. When you download anything there’s a privacy acceptance. Many of us don’t read what they are, but we blindly accept them or click yes. When you do that you’re giving access to things that you shouldn’t be giving. So you expose yourself by yourself without checking all those parameters. We need to decide on what groups we should get in and what groups we shouldn’t. We need to think of the equation of protecting ourselves. From a country point of view a few institutes such as Sri Lanka Cert, TRC, ICTA are in the final stages of drafting the data protection law. With those legislations coming in we will get more stringent laws with our ecosystem,” said Mr. De Silva.