What about that Whatsapp privacy policy change?

You may have heard recently that Whatsapp’s privacy policy has changed ‘for the worse’ and that it is now sharing user account information with Facebook. What’s that all about and what should you do about it?

Whatsapp is a mobile phone app that provides messaging services between users of the app. Whatsapp accounts are linked to phone numbers. Facebook is an online social media platform with 1.7 billion monthly users (as of June 2016). Facebook bought Whatsapp for US $19 billion in 2014 and now Whatsapp has over 1 billion users. Prior to its acquisition, Whatsapp charged a fee to its users – a nominal $1. After the acquisition, the fee was eliminated, leaving the company’s business model unclear to users. Whatsapp announced earlier this year that they would introduce tools to let businesses connect to users.

One of the founders of Whatsapp, Jan Koum, was born in Soviet-era Ukraine and the matter of privacy is said to be personal to him. Whatsapp now end-to-end encrypts all messages sent between users who run current versions of the app, meaning that not even the company can read the content of those messages.

Why, then, are we concerned? What Whatsapp does still hold is metadata – data about data. Whatsapp has the contacts on your mobile phone (required to provide its service), the time you last checked the app, whom you messaged, when you messaged them, how many times, and so on. End-to-end encryption protects the content of a message, not the record of who sent it to whom and when. Go back three years and you might recall that this is the kind of data collection by the NSA that caused a huge uproar when Edward Snowden blew the lid on it.

A record of phone calls or messages between you and a specialist doctor may reveal a medical concern of yours. Records of contact between two parties may invite inferences that are simply wrong, or they may give away something about one’s life that one would prefer to keep private. The choice of whether these matters are made known to others belongs to the people whom they concern – not to an internet or communications company, the government or advertising firms. You lose that choice if your Whatsapp account data is transferred to Facebook. Facebook is an advertising company, and the metadata is going to be used to serve you with advertisements from businesses.
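To make the doctor example concrete, here is a small added illustration (my own, not part of the original post) of what a handful of metadata records give away without a single word of content. The subscriber numbers, the timestamps and the directory of listed numbers are all constructed for this example; the rules are deliberately crude.

```python
# Added example (not from the original post): what call and message metadata
# alone can reveal. The numbers, records and directory below are constructed.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records: (caller, callee, ISO timestamp, duration in seconds).
# There is no content here, only who contacted whom, when and for how long.
RECORDS = [
    ("+6591110001", "+6562220001", "2016-09-01T09:02:00", 180),
    ("+6591110001", "+6562220001", "2016-09-08T09:05:00", 240),
    ("+6591110001", "+6562220001", "2016-09-15T09:01:00", 200),
    ("+6591110001", "+6562220002", "2016-09-15T10:30:00", 60),
    ("+6591110001", "+6562220002", "2016-09-22T10:35:00", 45),
    ("+6591110001", "+6591110002", "2016-09-16T23:40:00", 600),
    ("+6591110001", "+6591110002", "2016-09-17T00:15:00", 900),
    ("+6591110001", "+6591110002", "2016-09-18T23:55:00", 700),
    ("+6591110001", "+6591110003", "2016-09-03T14:00:00", 30),
]

# Constructed directory of publicly listed numbers: (organisation, category).
# Any open phone book or business listing serves this purpose in practice.
DIRECTORY = {
    "+6562220001": ("Oncology clinic", "medical"),
    "+6562220002": ("Pharmacy", "medical"),
}


def profile(subscriber, records=RECORDS, directory=DIRECTORY):
    """Summarise a subscriber's contacts from metadata only."""
    calls = Counter()
    seconds = Counter()
    late_night = Counter()
    weekdays = defaultdict(set)
    for src, dst, ts, dur in records:
        if src != subscriber:
            continue
        t = datetime.fromisoformat(ts)
        calls[dst] += 1
        seconds[dst] += dur
        weekdays[dst].add(t.weekday())
        if t.hour >= 22 or t.hour < 5:
            late_night[dst] += 1
    findings = {}
    for dst, n in calls.items():
        name, category = directory.get(dst, ("unlisted", None))
        findings[dst] = {
            "name": name,
            "category": category,
            "calls": n,
            "seconds": seconds[dst],
            # Three or more contacts, always on the same weekday, looks like
            # a standing appointment.
            "recurring": n >= 3 and len(weekdays[dst]) == 1,
            "late_night_ratio": late_night[dst] / n,
        }
    return findings


def infer(subscriber, records=RECORDS, directory=DIRECTORY):
    """Turn the profile into plain-language inferences, sorted for stability."""
    out = []
    for dst, f in profile(subscriber, records, directory).items():
        if f["category"] == "medical":
            detail = f"{f['name']}, {f['calls']} calls"
            if f["recurring"]:
                detail += ", same weekday each time (standing appointment?)"
            out.append(f"medical: {detail}")
        elif f["calls"] >= 3 and f["late_night_ratio"] >= 0.5:
            out.append(f"personal: late-night contact with {dst}, "
                       f"{f['seconds']} seconds in total")
    return sorted(out)


if __name__ == "__main__":
    for line in infer("+6591110001"):
        print(line)
```

Run it and the subscriber’s weekly Thursday-morning calls to a listed oncology clinic, the follow-up pharmacy calls and the long late-night calls to one unlisted number each produce an inference. Nothing in the input is a message body; this is the kind of record a provider keeps regardless of whether content is encrypted.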

What causes more worry is the manner in which this has been implemented. There is an option to opt out of the sharing of account data, but the opt-out is designed to be easy to miss. After accepting the new terms you still have 30 days to go back and update your settings; after that, the choice to opt out is removed entirely.

But does it really matter? Many of us share a lot of information about ourselves publicly on our social media profiles. Even content that is restricted to ‘friends’ can be copied, screenshotted and shared by our contacts. A certain level of sagacity is called for when sharing matters that one may think are not public, and that is up to your own judgement.

Take the following steps now to take control of your Whatsapp account data: https://www.whatsapp.com/faq/general/26000016

Should we ban encryption so that terrorists can’t use it?

Short answer: No. Read on.

A pattern has emerged in the terror attacks of the last few years: an attack happens, then politicians and spy agency chiefs call for increased powers of surveillance without oversight. They rely on (mostly unproven) claims that the attackers used encrypted technology to communicate, preventing the ‘good guys’ from seeing what they were doing. This was certainly the case for the recent Paris attacks, and Trevor Timm has written an excellent piece on the various political agendas that Paris is being used for – and on the incompetence of the spy agencies in failing to prevent the attack.

The SMSes and phone calls used in everyday communication are not end-to-end encrypted: the operator can read them and hand them over. They can be snooped on, and despite that the attackers’ SMS communications were not intercepted and the attacks happened. The simple fact is that there are too many people to monitor to prevent an attack this way. Plenty of people who are known to resent the ‘free world’ will never get around to actually killing in the name of that resentment. How does a spy agency know which communications to watch when there are so many potential threats?

The other, much simpler, reason for not banning encryption is that encryption benefits everyone. It keeps our data safe from criminals. It allows us to log in to Facebook, our email, our dating apps and our bank accounts with some reassurance that people who intend to harm us are not able to do so. Banning encryption removes that protection for all of us, not only for terrorists. To take such a drastic step is to acknowledge that the terrorists have won – that we are so terrorised that we would willingly enable criminals to view our bank accounts and our private lives.

What about the possibility of backdoors (or ‘front doors’) that allow only the government to view encrypted information? To put it simply, this is not possible. A backdoor is a deliberate weakness in the system, and the mechanism cannot tell an authorised requester from anyone else who obtains the same key or the same access: criminals will find it and misuse it, or perhaps hostile governments will. Don’t take my word for it. Take Barack Obama’s.

See my previous post: Did the Paris shooters communicate using Playstation 4?

Secure messaging

We send a great deal of our communication over short text messaging services. Have you ever considered how easy (or difficult) it would be for someone to spy on these messages? What if the messaging service provider itself wanted to spy on you? The Electronic Frontier Foundation (EFF), a non-profit organisation dedicated to “civil liberties in the digital world”, has some answers.

The EFF has checked a number of messaging apps against a set of security criteria, and it continues to update the list as the apps’ owners and developers make changes. Things you might want to watch out for: Skype, Whatsapp, Facebook chat and Snapchat are all built with their customers’ security and privacy as afterthoughts. Even the once-popular Blackberry Messenger is terrible at security.

The page explains each criterion in detail. I shall explain two of them here. “Encrypted so the provider can’t read it”: consider that Google scans your conversations to decide which advertisements to serve you, and that any of these providers could be served with a subpoena requiring a conversation of yours to be handed over. If messages are end-to-end encrypted, the provider holds only ciphertext and cannot produce the content, whatever it is ordered to do. Note that the provider still sees who messaged whom and when; this criterion is about content, not metadata.

“Is the code open to independent audit”: anyone can claim to have built a secure system. That the system is reasonably secure can only be verified if the code is open to inspection by independent parties. Trusting the maker to have done it right is not something we do in the security world.
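To show what the first criterion means in practice, here is an added illustration (my own, not from the EFF scorecard or any of the apps it rates) of a message relay: the same message is sent once with protection only on the wire and once end-to-end encrypted, and we look at what the provider ends up holding, which is what a subpoena would reach. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only to keep the example dependency-free; a real app would use a vetted AEAD from a reviewed library. The key, the sender and recipient names and the message are constructed for the example.

```python
# Added example (not from the EFF scorecard or the original post): what a
# provider holds when messages are protected only in transit versus end to end.
# The cipher below is a dependency-free stand-in for a real AEAD (AES-GCM,
# ChaCha20-Poly1305); do not copy it into production code.
import hashlib
import hmac
import secrets
import time

NONCE_LEN = 12
TAG_LEN = 32


def _subkeys(key):
    # Separate keys for confidentiality and integrity, derived from one secret.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # Counter mode: HMAC(nonce || counter) blocks, truncated to the needed length.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before touching the ciphertext; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Provider:
    """The messaging service. It keeps every record it receives, which is
    exactly the data a subpoena or an advertising team can reach."""

    def __init__(self):
        self.log = []

    def relay(self, sender, recipient, payload):
        self.log.append({"from": sender, "to": recipient,
                         "at": time.time(), "payload": payload})


def send_transport_only(provider, sender, recipient, text):
    # Transport encryption (TLS) terminates at the provider's servers, so the
    # provider stores the plaintext. Simulated here by relaying it directly.
    provider.relay(sender, recipient, text.encode())


def send_end_to_end(provider, sender, recipient, text, shared_key):
    # The sender encrypts with a key the provider never sees, so the provider
    # only ever handles ciphertext, but it still records who, whom and when.
    provider.relay(sender, recipient, encrypt(shared_key, text.encode()))


def demo(text="Results are back, call me tonight."):
    """Send one message both ways; return the two provider records and what
    the recipient recovers from the end-to-end one."""
    provider = Provider()
    # In a real app this key comes from a key exchange between the two clients,
    # never from the provider. Constructed here for the illustration.
    key = secrets.token_bytes(32)
    send_transport_only(provider, "alice", "bob", text)
    send_end_to_end(provider, "alice", "bob", text, key)
    transport_entry, e2e_entry = provider.log
    bob_reads = decrypt(key, e2e_entry["payload"]).decode()
    return transport_entry, e2e_entry, bob_reads


if __name__ == "__main__":
    t, e, bob = demo()
    print("provider holds (transport only):", t)
    print("provider holds (end to end):", e)
    print("recipient reads:", bob)
```

In the first record the provider’s payload is the message itself; in the second it is ciphertext that the provider cannot open, while the recipient, holding the key, reads the original text. Both records carry the sender, recipient and time, which is the metadata point made in the Whatsapp post above.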

Read all about it: EFF’s Secure messaging scorecard
Exciting news: Signal messaging app has now come to Android

Protecting our privacy on social media

You are concerned about how the use of online social media is eroding your privacy. What measures can you take? Here are a few possibilities. You can choose more than one.

  1. Stop using online social media: you will enjoy none of the benefits of social media and suffer none of the drawbacks.
  2. Use social media that is built for privacy. There exists at least one social network (Diaspora – I do not endorse it) that claims to have such aims. I once came across a write-up saying that users of Facebook would be willing to pay a sum to use it rather than have advertisements served to them. The problem is that a subscription automatically limits the number of users of the network. The value of a network (to users and to owners) increases with the number of users, so any entry barrier reduces its value. It works only if you have a close-knit group who want to share things merely among themselves.
  3. Lock down your privacy controls. See these posts on network-specific information on Facebook and LinkedIn.
  4. Avoid putting any information that you do not want your grandmother to read – the golden rule of social media. You do not have control of what your connections do with information that you have uploaded. Even if a post is privacy restricted, your connections are free to quote you or take screenshots of your posts and post them elsewhere. Do not display your date of birth and other private information that may be used as identity verification measures at banks and such.
  5. Separate social media from other browsing. Log in to your social media using one browser and do all other browsing using another. Set the second browser to clear its cookies and cache each time you close it; it is the cookies, more than the cache, that let the network recognise you on other sites. The social network will then know slightly less about what you do and are interested in, and is less likely to serve you advertisements for that vacation to Bali that you are planning in a few weeks. Note that if you click on any links within the social network, it will know.
  6. Reconsider the use of phone apps. Look at all the permissions that the app requests when you install it on your phone and consider whether you can indeed tolerate them. It can be hard to not use some apps as most of our social media usage may be on the phone. At the same time, if we do not use the app on our phones, the network has no access to the information in our phones. I have been most concerned about this when using LinkedIn and have (for now) removed the app. Given how much I use it, removing the Facebook app is unthinkable for me at the moment.
  7. Stop posting new things; just use it for getting information about other people. This would put you in the creepy or inactive person category. Some people may not accept connections from people who have no activity, particularly on Facebook.

Also see my previous post: Why do we have so many privacy concerns regarding the internet?

Why do we have so many privacy concerns regarding the internet?

We are provided with news all the time about how Facebook and Google are using our information and violating our privacy. Why is this a new concern that appears to have arisen only in the last decade?

Consider some traditional services: the purchase of goods at a shop, the transfer of money at a bank, the usage of a television channel. They all involve the customer paying the provider (shop, bank, cable provider) an amount of money for the service or good. There is clarity on who the customer is, i.e. the person who receives the good or the service.

How about someone who uses Gmail? He pays no money to Google for the service. Likewise a user of Facebook. How do these non-traditional service providers make their money? They serve advertisements to the users and get money from the companies that wish to advertise. Users are not the customers of Google and Facebook, advertisers are.

The money tends to come in depending on the number of clicks on the advertisements. Why would a user click on an advertisement? To state the obvious: an advertisement is more likely to be clicked if it is relevant to the user. Here is the interesting question: How do Google and Facebook find out what is relevant to their users? They collect data about their users: their browsing habits, the things that they search for, people who are connected to them and therefore are likely to have similar browsing habits…  This is where the privacy concerns come in. The catchy quote goes thus: “If you are not paying for it, you are the product.”

Apple’s CEO Tim Cook criticised this model of doing business – an easy task, since his company gets its money up-front from the user: “I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” said Cook. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong.”

Take a look at this advertisement by Mozilla.

Imagine someone following you around and noting down everything that you are doing: where you are, how long you remain, what you looked at, what you wore. Some of the technology sites that we are addicted to are the digital equivalents of the creepy guy in the video doing exactly that. In real life we may get a restraining order trying to keep this person away from us. In our online lives, we have invited him into our homes.

More posts on this subject will follow.

My Telco Knows My Ethnicity. Should it?

I received something in the mail in April that caused me some irritation. It was a colourful card wishing me a “joyous new year” – in April. It turns out that various Indian and Indian-derived new years are celebrated in April. Inside, the card contained information about some celebratory programme.

Why would this card irritate me? In just the preceding few months, Christmas, New Year and Chinese New Year had passed without me getting any card. Somehow my telco found out my ethnicity and sent me a card that it figured was tailored to my interests (It wasn’t. I have no idea who those people in the pictures are).

How they figured it out is not a difficult question. Telcos in Singapore (and in many other countries) collect copies of one’s identity card – perhaps mandated by law, and also to identify the customer during later interactions. Singapore’s identity cards (ICs) clearly state the person’s race. My guess is that someone at the telco thought it a good idea to use the ethnicity on the IC for some tailored marketing. It couldn’t hurt, right? After all, it already holds the information. Not so.

Singapore enacted a personal data protection act (PDPA) a few years ago. One key idea of the law is that personally identifiable information (such as the information in one’s IC) should only be collected with consent for a stated purpose (such as identifying a person when he calls up the telco claiming to be a customer). Getting promotional material from the company about non-telephone services was not something that I had signed up for.

I exchanged a few emails with the telco’s data protection office. I was advised thus:

“We are using the individual’s ethnicity/race to ensure that we do not send offers/events that are not relevant or potentially offensive to the customer.”

I found this to be objectionable even on some non-privacy grounds but what I found really problematic was how they ended that email.

“If you could share the reason of why you would not consent to giving this information, it will be helpful for us to see how we can best address your concerns.”

The telco took for granted that I was giving up this information and I would be OK with them using it for the purposes they chose. Without asking me.

In the very last email, the DPO assured me that the telco would not provide my data to third parties for commercial purposes without seeking my explicit permission. I had no such worries. My concern was that they would abuse it internally for commercial purposes without asking my explicit permission, as they already had.

Companies can try to wiggle out of their responsibilities by finding loopholes in the law. My ethnicity is not by itself the personally identifiable information (PII) that is the focus of the PDPA. The problem is that it was collected from the IC, that treasure trove of PII, and we have no visibility into what else the company is doing with our information.

The PDPA was a step in the right direction for Singapore. Many companies have scrambled to follow the letter of the law in terms of visible implementation. They have put up notices on their websites stating whom customers can contact if they wish to enquire about the privacy of their data. They have appointed data protection officers with clear responsibilities. These are mandated by the law, and an auditor can verify them.

What is difficult is to bring about a change in attitude toward customer data as something that belongs to the customer and not to the profit-seeking company. Appearing to obey the law may not be too difficult. Understanding and accepting the intent of the law will take some time and motivation.

This essay was originally posted at my LinkedIn page: https://www.linkedin.com/pulse/my-telco-knows-ethnicity-should-vijay-luiz