WhatsApp could face prosecution on poor privacy

Dutch and Canadian privacy commissioners conducted a yearlong investigation into the popular mobile app

By , IDG News Service |  Security

A yearlong investigation by government privacy watchdogs in Canada and the Netherlands identified major weaknesses in the way the WhatsApp cellphone messaging application handled the personal information of its users.

Many of the problems have since been fixed, but Dutch authorities have yet to decide whether they will attempt to prosecute WhatsApp under Dutch privacy law, the two organizations said in a joint statement on Monday.

WhatsApp allows users to exchange messages like conventional instant messaging software, but rather than use screen names the system identifies users by their phone number. When a user signs up, they upload their cellphone's address book to WhatsApp to discover who among their existing contacts is available via WhatsApp.

That method was one of the things that originally drew the attention of the Office of the Privacy Commissioner of Canada and The Dutch Data Protection Authority.

Their investigation found that after uploading the address book and using the data to match existing users, the WhatsApp servers failed to delete the phone numbers of non-users as required by Canadian and Dutch law.

The app was also initially found to be sending messages in an unencrypted form, which leaves them vulnerable to eavesdropping and interception, particularly when sent over an unsecure Wi-Fi network. WhatsApp added encryption to messages in September 2012.

Finally, the investigation found the app was generating passwords for message exchanges based on things like the phone's IMEI (international mobile equipment identity) or MAC (media access control) address. Both are relatively easy to discover, opening the possibility that a third party could send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened password generation, but users need to update their software to benefit from the change.

WhatsApp, which is based in Silicon Valley, could not immediately be reached for comment.

News of the investigation comes as the issue of mobile app privacy is increasingly coming into the spotlight.

In December, the State Attorney General of California launched a prosecution of Delta Airlines for failing to comply with California's privacy laws. California's online privacy law requires commercial operators of websites and online services, including apps, which collect personally identifiable information conspicuously to post a privacy policy. The state attorney general has begun looking at apps that either don't include such a policy or don't make it obvious to users.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question