Recently we explored the WhatsApp TOS. We were planning to get beyond WhatsApp, but the TOS were long. We’re splitting it up instead. This time we’ll paraphrase the WhatsApp privacy policy. It’s boring. But I’ll bet you’ll be surprised.

First of all, the Privacy Policy for us is different than the Privacy Policy for people who live in the “European Region”, which is basically the European Union plus the United Kingdom. The reason for this, one might speculate, is the General Data Protection Regulation (GDPR) that governs personal data collection and sharing in the region.

WhatsApp is a Facebook company. You knew that right?


What Facebook collects

The first part of a Privacy Policy is the disclosure of data collected. WhatsApp collects your mobile phone number, profile name, all of the phone numbers in your phone address book whether or not they use WhatsApp, and anything else such as profile picture, email address, and etc. that you fill-in on your account.

WhatsApp does not ordinarily keep your messages once they’ve been delivered. Before they’ve been delivered they might reside on WhatsApp servers up to thirty days. End to end encryption of messages is enabled by default so that only you and the recipients can see inside of them.

The people, groups, and lists you join or that others put you in, as well as any names, pictures and descriptions you give to groups are collected by WhatsApp. Your activity using WhatsApp is collected. Not only diagnostic, performance information, logs and what features you are using, but also whom you communicate with, when, how often, and for how long.

If you use WhatsApp payment services, there’s a separate policy for that. When you contact customer support, anything you provide them is collected.

When you install, access, and use WhatsApp, your device information is recorded. This includes the hardware model, operating system, battery level, signal strength, browser information, mobile network, ISP, phone number, language, time zone, device identifiers and Facebook tracking identifiers.

WhatsApp collects your location information when you share your location or use the app to view locations nearby. When using a browser, WhatsApp uses cookies for just about everything you can use cookies for. There’s a whole separate page describing cookie usage. You look at it. It doesn’t say much more.

Other businesses will send WhatsApp data about you that is associated with you through identifiers such as your phone number. Third party service providers and the Facebook companies all share your data with each other. Data that one collects, all have.

One Way

What Facebook does with it

The next part of a Privacy Policy is disclosures about what is done with the data. This includes general things like, “to operate and provide our Services”, “understand how people use our Services”. It may be used to market services of the Facebook companies. Businesses you interact with send messages about transactions you have with them as well as marketting messages. Those businesses also receive marketting analytics that measure in aggregate how people interact and respond to their messages.

You share information from your profile as well as whether you have read messages and when last seen with others who use WhatsApp. Businesses may store this information and further share it.

There’s an FAQ about what data is shared with Facebook. It’s interesting to see that your contacts on WhatsApp are not shared with Facebook companies. Your identity is, for various reasons, including to match accounts. Facebook does not use your WhatsApp activity to influence what you see on Facebook. Oh wait. That was a European Region page.

Elsewhere, outside of GDPR coverage, WhatsApp contacts and activity are used by Facebook to suggest products, friends, connections, and decide which content to show you.

The data collected is used to enforce the TOS and may be shared with law enforcement and for fraud detection and detection of illegal activity.

Your information may be transmitted and stored anywhere in the world.


The Facebook companies

Who are the Facebook companies? Other than the Facebook application that lets you post content and see content that others post, and WhatsApp, there are:

  • Facebook Payments and Payments International Limited.
  • Onavo
  • Facebook Tech (aka Oculus)
  • CrowdTangle

Onavo is a mobile application maker. The only app found to be discussed on the Onavo site is an app called “Onavo Protect”. That is a VPN app, no longer supported, which they ask you to uninstall.

The privacy policy for Onavo indicates that all of your internet activity was shared with Facebook when you used it. It was Facebook’s answer to Google Chrome, or possibly worse.

Occulus is a maker of virtual reality goggles, kind of cool, games, and other applications that work with them.

CrowdTangle is a data analytics company. At the top of the privacy policy they state that the platform “helps publishers and media companies surface stories that matter, measure their social performance and identify influencers on social media platforms.” The company provides their customers access to data from the Facebook app, Instagram, and Reddit. As an example, a product called “Condor” provides access to URL shares in all public and private Facebook account posts, impressions, interactions, views, and searches.

Social network

So what?

WhatsApp provides Facebook with a living map of who has contact with whom, who talks with whom, when, how often, and how long. This is something that phone companies, back in the day when we used wires, were prohibited from sharing with anyone, the exception being a legal warrant. Facebook sells it.

How valuable is it? According to the Facebook 3Q 2020 earnings report, about twenty-one and a half billion over three months. That’s roughly three dollars from every one of the seven, nearly eight billion human beings in existence. Multiplying by four quarters gives twelve dollars a head each year.

How do you suppose your cell phone provider can offer unlimited WhatsApp bandwidth for all of their customers? Who pays for that? WhatsApp does. Why? Because having everyone using WhatsApp is worth loads more than the cost. How much more?

From the same document we see that (only) one in four human beings on earth interacts with Facebook (including through WhatsApp). That means each Facebook or WhatsApp user person on average earns Facebook about forty-eight dollars each year. The document puts their expenses at fifty-five billion, about twenty dollars a head. They’re getting 100% return, two dollars out for every dollar in.

The point?

The point isn’t that Facebook profits from WhatsApp. It’s that the data we give to them using their application is valuable. The company works incessantly to make it more so. As a shareholder, that’s supposed to be a good thing. As a citizen, one wonders.

Your data is valuable because it is used to predict and to influence your behavior, not only that you spend your cash or where you spend it, but also your opinion, what you care about, what you know about, even how you vote.

An October, 2019 article in the New York Times has United States Democratic primary candidates collectively spending thirty-two million dollars with Facebook in 2019.

According to data collected by the Wesleyan Media Project, the major U.S. presidential candidates in the 2020 election spent, combined, about one hundred and ninety million dollars on Facebook.

No turns

Further, and considerably more troubling, is the asymmetry of the information. While you provide all of this data to Facebook, in reality, the privacy policy (or non-privacy policy) doesn’t provide you with any transparency about how your data is used. It discloses things in general terms; but, you can have no information about any specifics whatsoever– how many times, with whom, specifically, when? Who has bought? How has the data been combined with data from other sources? How complete is the picture?

If people could see the complete picture that Facebook compiles, their dossier, and know specifically who has accessed it, I think they would be uncomfortable with what they saw.

See no evil

Facebook cares

If you happen upon the WhatsApp Privacy presentation, they tell you that they keep you private.

That document tells you that you can choose who can see your last seen and status. They mean other users. The privacy policy tells you that Facebook can always see whether you are using the app and your status. They tell you that the content of your messages is invisible to them. The privacy policy tells you that the length, destination, time sent, device from which sent, location from which sent, and other metadata are all shared with Facebook.

It’s important to WhatsApp that you think it is private and secure. Take their word for it. Don’t read the privacy policy.

Photos from Wikimedia commons