Popular texting service WhatsApp violated foreign privacy laws by requiring users to share their contacts' mobile phone numbers, Dutch and Canadian officials said on Monday.
"Users of WhatsApp -- apart from iPhone users who have iOS 6 software -- do not have a choice to use the app without granting access to their entire address book," Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, said in a report issued on Monday. "The address book contains phone numbers of both users and non-users. This lack of choice contravenes (Dutch and Canadian) privacy law."
The app allows smartphone users to send text messages without incurring SMS fees from their carriers. When mobile users first install WhatsApp, the service asks for permission to upload the phone numbers of their contacts, in order to determine if they also use the app. The company then enables messages between people who have installed WhatsApp, while anonymizing the numbers of the contacts that have not installed the app.
But the Canadian and EU officials say that WhatsApp didn't need users' entire address books to function. Instead, WhatsApp could give users the option to upload contacts individually, the authorities said. (The company now offers that ability to iPhone users running iOS 6 software.) The officials also criticize WhatsApp for anonymizing the numbers of non-users instead of deleting them.
Privacy laws in Canada and the EU are broader than in the U.S. In general, the EU and Canada require companies to follow fair information principles, which provide that businesses can't collect more information than necessary for a service to function.
WhatsApp doesn't appear to violate U.S. laws by asking users for permission to access their address books or by retaining that data for longer than necessary. But the app still might have to cut back on its data collection in order to comply with other countries' laws, says Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum. "The global success of apps means that the standard for many U.S. apps may increasingly be set by international data authorities," he says.
Dutch and Canadian officials, who conducted a joint probe of the app, also criticized WhatsApp for sending unencrypted messages over WiFi and other questionable security practices. After the investigation began, WhatsApp started encrypting messages and beefed up other security features.
Polonetsky says that some of those security issues came to light last year.
Kohnstamm and Jennifer Stoddart, Privacy Commissioner of Canada, said in their report that WhatsApp has only addressed some of their concerns. Dutch officials will decide whether to launch an enforcement action, while Canadian officials intend to continue to monitor WhatsApp. "In most cases, companies are cooperative in meeting their obligations, and WhatsApp has demonstrated a willingness to fully comply with the OPC [Office of the Privacy Commissioner of Canada] recommendations," the report says.
Several years ago, Stoddart criticized Facebook for allowing third-party developers to access information about members and their friends. After that report came out, Facebook introduced new privacy controls.
WhatsApp has not yet responded to requests for comment from Online Media Daily.