Two international government agencies which investigated a popular smartphone app for violating privacy laws, say the matter is still only partly resolved.
Cross-platform instant messaging application WhatsApp, recently came under fire by the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority.
Both parties formed a collaborative investigation into the handling of personal information by the US company, and found its actions to be in contravention of Canadian and Dutch privacy laws.
Although WhatsApp has taken steps to implement many recommendations to make its product safer from a privacy standpoint, there are still outstanding issues – one in particular relating to the storing of phone numbers.
Once the app users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users.
Non-users’ details stored
However, WhatsApp was found to have retained mobile numbers from people’s address books who were non-users – instead of deleting them.
This practice contravenes Canadian and Dutch privacy law which states that information may only be retained for so long as it is required for the fulfilment of an identified purpose.
Chairman of the Dutch Data Protection Authority, Jacob Kohnstamm, said: “We are not completely satisfied yet. The investigation revealed that users of WhatsApp, apart from iPhone users who have iOS 6 software, do not have a choice to use the app without granting access to their entire address book.
“Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.”
The coordinated investigation was a global first, as the two national data protection authorities worked together to examine the privacy practices of a company with hundreds of millions of customers worldwide.
Unencrypted passwords
At the time the investigation began, messages sent using WhatsApp’s messenger service were unencrypted, leaving them prone to eavesdropping or interception.
However, in partial response to the investigation WhatsApp has introduced encryption to its mobile messaging service.
The investigation also found that WhatsApp was generating passwords for message exchanges using device information that can be ‘relatively easily exposed’.  This created the risk that a third party may send and receive messages in the name of users without their knowledge.
WhatsApp has since strengthened its authentication process in the latest version of its app.
Both investigating authorities will now pursue outstanding matters independently.

[Image via]