Georgetown Law
Technology Review

On January 6th, WhatsApp notified users of updates to its terms and conditions which are mandatory “to continue using WhatsApp.” The first change is that WhatsApp will now temporarily store forwarded media on its servers in an encrypted format. Second, WhatsApp will store an undelivered message for only 30 days, then it will be deleted. Third, WhatsApp will share user data, such as transaction data, IP address, registration information, and use frequency with Facebook and its affiliated companies. This last disclosure, which no longer includes language allowing for an opt-out of data sharing, is what prompted many to shift from WhatsApp to Signal.

The backlash over changes to WhatsApp’s privacy policies caused millions of users to flock to Signal, a comparable app endorsed by Elon Musk. While both apps are secure and encrypted, Signal is believed to be less vulnerable for two main reasons. First, Signal frequently updates its features. Second, Signal’s open-source code is routinely audited by independent security experts,  reducing potential for hidden vulnerabilities and exploits. Unlike WhatsApp’s closed-source code, which enabled an Israeli cyber intelligence company to install malicious code on the phones of WhatsApp users, Signal has resolved exploits before they are discovered.

Regardless of the privacy benefits, this transition to Signal may have been misinformed. WhatsApp’s original appeal as a fully encrypted communication app still exists. Although the changes created apprehension among users, WhatsApp’s notification ironically shined a light on WhatsApp’s existing policies, which allowed for sharing of personal account data with Facebook.

WhatsApp’s introduced changes only materially affects WhatsApp business accounts, because the policy intended to link WhatsApp to Facebook ads. For example, WhatsApp was seeking to make texting with your airline easier. While this mass exodus may have been misinformed—in an increasingly data driven society—this was the breaking point for many WhatsApp users. Similarly, WhatsApp’s co-founder, Brian Acton, left the company in 2018 citing concerns that WhatsApp was becoming too integrated with Facebook ads.

Signal was downloaded 7.5 million times following the WhatsApp notification. While the mass exodus from WhatsApp may be misguided, WhatsApp’s increased data sharing and monetization features justify the search for more secure alternatives.  While neither application reads your messages and both utilize end-to-end encryption, WhatsApp can view your metadata whereas Signal cannot. This difference has caused privacy advocates around the world to champion Signal..

The legal issues surrounding WhatsApp and Signal are broad, but almost all revolve around their encryption features. Recently, Parler—the communication medium used in the January 6th Capitol Hill terrorist attack—was essentially deplatformed. Officials at Signal and WhatsApp have been concerned for years about extremist activity on their platforms. These concerns were alleviated when these terrorists moved mostly to Telegram. Like with any privacy focused feature or application, the benefits always outweigh the potential for abuse. This is best exemplified by Apple v. FBI, where Apple refused the FBI’s demands to create backdoor access to the San Berardino terrorist’s iPhone. The FBI eventually contracted an Israeli company to gain access to this phone.

The governments of Italy, India, Turkey, and the United States have all raised individual concerns about the WhatsApp notification and its business practices more broadly. The Italian Data Protection Agency has contacted the European Data Protection Board raising concerns about the lack of clarity over WhatsApp’s notification. Under European Union Law and per the General Data Protection Regulation (GDPR) valid consent requires that users are properly informed of each specific use of their data and given a free choice over whether their data is processed for each purpose. The agency argues that it is impossible for WhatsApp to achieve this threshold given the confusing nature of the notification.

India—WhatsApp’s largest market—filed a lawsuit on the basis that WhatsApp’s changes violate surveillance laws and threatens national security “by sharing, transmitting, and storing user data in another country with the information thus governed by foreign laws.” The filing of the lawsuit was followed with an announcement from WhatsApp that the new update rollout would be pushed back to May 15.

Turkey launched an antitrust investigation into the changes believing they would result in “more data being collected, processed and used by Facebook.” The investigation alleges that WhatsApp is in violation of Article 6 of Turkey’s competition laws that prevent companies from “abusing their dominant positions.” Additionally, the Turkish Defense Ministry has announced it will no longer use WhatsApp to communicate with journalists.

Leaders, technologists, politicians, and activists are all seemingly making the transition from WhatsApp to Signal and other more privacy-focused apps. Signal currently ranks as one of the most secure messaging apps on the market and its recent popularity is well founded. Regardless, WhatsApp’s massive audience makes the recent legal challenges important. How WhatsApp responds to their users’ outcry could be the final push that drives their audience to other platforms.