Users vent out displeasure, want government to crack whip
Survey and analysis by Deepak Kumar
There is a thin line that divides respect for privacy and intrusion of privacy. In the age of the digital, this line becomes wavy and fuzzy as well. For big internet companies, the user data that resides behind the line is a gold mine. The more they get of it, the richer they get.
WhatsApp’s privacy-policy change and the aftermath
Users’ retort has indeed been quick, sharp, and massive. They poured out their disapprovals in words as well as in actions. Millions of users posted and tweeted their angst against the move and even signed up on alternative messaging apps such as Signal and Telegram. Tesla Founder Elon Musk’s two-word tweet, “Use Signal,” helped drive a switch from WhatsApp, particularly given his following of 41.5 million on Twitter.
The rush to leave WhatsApp was so high that servers of Signal were not able to take the load of new signups. At one point, Signal sent out a tweet, “Verification codes are currently delayed across several providers because so many new people are trying to join Signal right now…Hang in there.”
On 11 January 2021, Facebook’s shares declined 4.01% on a day when Nasdaq slipped just 1.55%. On 12 January, it further declined 2.24% on a day when Nasdaq rose 0.77%. On 14 January, it happened to be at the lowest in more than six months.
Better World ran a quick user survey, where 37% users said they considered the move a serious breach of their privacy, while 45% said they it was not good but they could live with it. Only around 18% said the change didn’t bother them at all. However, some of these 18% users were already using other messaging apps along with WhatsApp.
What’s the big deal about privacy in the age of social media?
In the age of social media, many of us have become comfortable sharing our thoughts and views on Facebook. In fact, many people don’t mind sharing sensitive personal information such as location and travel plans not just with friends but also with public at large.
However, when it comes to WhatsApp, the behavior often changes. Many of the users’ chats are peer-to-peer in nature and may not be meant for public viewing or consumption. The same would apply to the other activities they perform on WhatsApp, whether today or in future. These would include the financial and transactional activities performed on the WhatsApp platform.
In a digital living environment, if a Facebook wall may be considered comprising areas of the lobby and the living room, WhatsApp will certainly be akin to the bedroom and beyond.
In the wake of the user backlash, WhatsApp had to get into a defensive mode, sending out clarifications and explanations. However, a damage had been done by then. In a first reaction, 17% users responded to the Better World survey said they were quitting/had quit WhatsApp for good, while 45% said they would accept the change but start exploring other or additional options. Interestingly, 12% said they were already using another social messaging app. However, a good 26% said they would accept the changes and keep using WhatsApp as before.
The myth that users are unaware and don’t care for privacy is broken
Often, as an extension to the assumption that transparency is the hallmark of a digital age, it is argued that privacy is hardly a thing that users care about. The user backlash against WhatsApp’s privacy assumptions easily breaks that myth. It also reminds one of the “Free Basics” event a few years ago. Users had then considered it an attempt to compromise ‘net neutrality,’ and Facebook had to roll the offer back.
Notably, while the messages will remains end-to-end encrypted, the new policy means sharing a host of user-related information with Facebook and other third-party platforms. These include information about a user’s location, IP address, mobile operator, timezone, phone number, and receipt of a Facebook or WhatsApp account. Additionally, conversations associated with business accounts will now be shared with Facebook.
The damage-control measures may be too little too late; more is needed
WhatsApp has issued a number of clarifications and explanations pertaining to the change. Those clarifications, however, have been far from satisfactory. Its parent company Facebook says the new policy changes are directed only at Business WhatsApp accounts and not the individual accounts. Also, it says only certain ad-related information will be shared with Facebook and other group companies.
What if third-party service providers don’t follow the “instructions and terms,” as had happened when in 2018 Cambridge Analytica was found to have harvested data of 87 million users from Facebook in 2016 under the guise of a survey app? In September 2018, again, hackers were able to exploit an API vulnerability to gain access to data of around 50 million users. In September 2019, data of 419 million Facebook users, including names and phone numbers, was exposed online, said Techcrunch. Three months later, data of 267 million Facebook users was reported by Comparitech as being in the wild. In March 2020, Comparitech revised the number to 309 million after finding data of another 42 million residing on another server had been compromised as well.
Given Facebook’s not-so-stellar record in protecting user data from being exploited by threat actors, it may be concerning for users to let some of their WhatsApp data be mined by Facebook and other third-party service providers.
“I’m surprised that WhatsApp has done this even though India is their largest market. Effectively this means that WhatsApp, apart from sharing personal data, also discloses your transaction-associated information, which means including your credit card number, your debit card number, and your bank details. At the same time, they will share the IP address of users. It’s a very perilous situation, especially in a country that lacks a strong legal ecosystem around cyber laws and data security. Such policy changes can upsurge the probabilities of misusing users’ data by anti-social elements. I strongly believe that people should count on more secure platforms such as Signal and Telegram for their messaging needs now.”
“People are moving to Signal and Telegram, but they are also coming back to WhatsApp. I’ve been using Signal for some time, along with WhatsApp, and found it is not as mature as WhatsApp is. There are many missing aspects in Signal, like, the personal reply feature. I found even the deletion of chat a cumbersome process in Signal. I understand the privacy concerns, but that’s there across the app ecosystem, and here WhatsApp is at least telling users what it is sharing and what’s not. Most of the users are testing Telegram and Signal while keeping WhatsApp as a primary communication tool. It will be exciting to see if this behaviour fluctuates and WhatsApp could address some of the privacy concerns that users may have”
“While WhatsApp may try to dispel all fears about privacy expounding that its messaging platform is end-to-end encrypted, in reality, Facebook seems to trying to seize a lot of personal data to earn from its advertising business. To avoid such instances and provide users much-needed control over their data, India needs to implement its data protection law just like Europe’s stringent GDPR at the earliest. The world’s largest democracy, with a burgeoning IT sector, cannot risk the privacy of its citizens.”
There is a need for stakeholders to establish certain minimum privacy-policy norms
The right to privacy has been recognized as a fundamental right emerging primarily from Article 21 of the Constitution of India. Article 21 pertains to protection of life and personal liberty, and states, “No person shall be deprived of his life or personal liberty except according to procedure established by law.” In August 2017, Government of India had set up a committee under the chairmanship of retired Justice BN Srikrishna to submit a report on data protection. The committee submitted its report in July 2018.
In its opening note, the report recognized that “the protection of personal data holds the key to empowerment, progress, and innovation.”
The Committee had noted that “any regime that is serious about safeguarding personal data of the individual must aspire to the common public good of both a free and fair digital economy.” “Freedom refers to enhancing the autonomy of the individuals with regard to their personal data in deciding its processing which would lead to an ease of flow of personal data,” it added.
Justice Srikrishna Committee had emphasized that processing (collection, recording, analysis, disclosure, etc.) of personal data should be done only for “clear, specific and lawful” purposes. Also, only that data which is necessary for such processing is to be collected from anyone.
Based on the recommendations of the committee, amounting to a draft Personal Data Protection bill prepared in 2018, a revised Personal Data Protection Bill was approved and placed in December 2019. A joint Parliamentary Committee (JPC) chaired by Meenakashi Lekhi and comprising 20 members from Lok Sabha and 10 members from Rajya Sabha was constituted to submit its report. The JPC had conducted more than 55 sittings in 2020. Oral evidences were heard by the JPC from various state as well as non-state actors including Amazon, Google, Facebook, Jio Platforms, Paytm, and Twitter, among others. The final report of the JPC is awaited.
Despite the fact that right to privacy has been recognized as a fundamental constitutional right, experts have been of the opinion that a law on data protection should be dynamic and not statutory in nature. This is more so because as digital economy becomes more and more prevalent and mainstream, data itself becomes dynamic in nature.
Coming to data protection, it is important to first distinguish between stationary data and moving data. While it can be reasonably guaranteed to foolproof privacy and security of stationary data, it can get very hard to ensure privacy of moving data.
The velocity of a moving data can be lightning fast in today’s digital environments. So once a private data gets into a public domain, even the slightest lapse or gap at the end of a data custodian could be disastrous. The hacks and misuses listed out earlier in this report are a testimony to this assertion.
The choice of alternative reinforces that privacy is the key concern
Signal, which is considered to be the most privacy-oriented messaging app (see Table), was the first choice of those users who said they will look for WhatsApp alternatives. In this case, respondents had the option of selecting one or more apps, including WhatsApp. Telegram, which is considered second-most privacy-friendly app, had the second highest user preference.
While 34% of the users voted for Telegram as a WhatsApp alternative (and in some cases, as a replacement), a good 24% voted for Signal also. A fair percentage of respondents (15%) said they were sticking with WhatsApp even though they were using or considering to use apps other than WhatsApp as well.
The immediate user response, as evidenced from the survey, has been quite aggressive. While 18% of respondents said they had already quit WhatsApp as the only app, another 25% said they planned to do so within a week’s time and yet another 29% said they planned to quit in a month’s time. However, 28% said they had no plans to quit WhatsApp.
|Subscribers (Global)||2 billion||400 million||20 million|
|Video and voice call||Yes||Yes||Yes|
|End-to-end encryption||Personal messages and calls are end-to-end encrypted.||Only for secret chat||All features are end-to-end encrypted|
|Type of software||Closed-source privacy||Open-source privacy||Open-source privacy|
|Information collection||Users location, IP address, mobile operator, timezone, phone number, and details of a Facebook or WhatsApp account.||Device data, IP addresses for moderation, phone number and the User ID||Only phone number for registration|
|Group chats||Up to 256 members||Up to 200,000 members||1,000 members|
|File sharing capability||Videos with 16MB limit in size and regular files up to 100MB||2 GB||100 MB|
|Folder management||Chats can be stored through email||Chats can be moved in to folders||No such feature exists with Signal|
|Disappearing messages feature||Enables self-destruction of a message after 7 days||Enabled through self-destruct timer||Enable self-destruction after 5 seconds to 7 days once a user read the message|
|Data backup||Yes, online and offline backup on google drive||Yes, on Telegrams cloud||No, stored on its own cloud platform|
|Group chat security||E2E||No||E2E|
The key reason for such reconsiderations would be the huge user base that WhatsApp currently enjoys. While WhatsApp had a colossal global base of 2 billion subscribers, Telegram has a much smaller base of 400 million and Signal has a miniscule base of 20 million by comparison. Even if a few million WhatsApp users move to other platforms, it will not be fruitful if a significant percentage of their contacts also move to those very platforms. If that doesn’t happen, users could feel compelled to come back to WhatsApp for their daily messaging needs.
Notably, when considering alternative apps, 26% said they were sticking with WhatsApp. Further, when asked to provide a timeline for quitting, 28% said they had no plans to quit. It is quite possible that when it comes to actually quitting the platform, a much higher number of users will reconsider.
A consolidated view of respondents’ profiles
About the Analyst and the Survey Methodology
Deepak is an ICT industry analyst with more than 25 years of experience in researching and analyzing multiple domains. His focus areas are strategic business and marketing advisory, sales enablement, and public speaking. He has published reports, whitepapers, case studies, and blogs in areas of cloud, mobility, social media, and analytics.
He is Founder and Chief Research Officer at BM Nxt and Better World. He has earlier worked with IDC, Reuters, Voice&Data, and Dataquest in leadership roles spanning research, advisory, and editorial functions.
About the report
I take this opportunity to sincerely thank all the survey respondents for taking time out and providing their inputs, without which this report would not have been completed in a timely manner.