
With the increase in regulations governing the privacy of personal information, such as GDPR, which came into effect last week, organisations of all types and sizes must now consider how they gather and use customer data. Some organisations are being transparent in this behaviour, instilling a sense of trust in their customers, whilst others are not so clear. As an Enterprise Architect, you must ensure that changes to your organisation are made in accordance with these new rules, but what principles will drive your decisions? Are you respecting the individual, or simply meeting an enforced obligation? The story below is about the actual changes being made by Facebook (seemingly in the face of this new legislation), but it unearths a deeper issue: organisations that use their customers' private data, whether for commercial gain (as in the case of Facebook) or in an honest attempt to improve services, will have to consider whether the customers are actually better off with the exchange. It also shows that not all actions taken in the name of improved privacy (regulation) result in improved privacy in real-world situations.

New Terms of Service

I received communication from WhatsApp. I need to agree with the updated Terms of Service and Privacy Statement. I use WhatsApp to communicate with the colleagues in my department (e.g. we use it in our fire drill to make sure everybody is out of the building). My children use WhatsApp a lot. The school uses it to communicate homework changes, last minute schedule changes, etc. There is a WhatsApp-based neighbourhood ‘keep alert’ group, semi-supported by the authorities. WhatsApp is everywhere. But GDPR, the stricter privacy laws in the European Union, is coming, and that seems to create a change with a worldwide ripple effect.

Everybody is updating their rules because of GDPR and generally, privacy is improved. Most people just click OK, but I tend to read these things (though in this case, I might not have initially, so some things may not be new). And here is what I noticed. First, there is something about Address Books. WhatsApp writes:

Address Book. You provide us, all in accordance with applicable laws, the phone numbers of WhatsApp users and your other contacts in your mobile address book on a regular basis, including for both the users of our Services and your other contacts.

What? I mean: WHAT?!

I have to give all my contacts’ phone numbers to WhatsApp? Even those that are not in my WhatsApp contacts? Is that even legal? After all, I think that according to GDPR you’re only allowed to store data that you need to provide the service. They don’t need everything in my Address Book for that, let alone stuff that has nothing to do with my use of WhatsApp. Is the WhatsApp application going to stop working unless I allow it access to my iPhone’s address book? And is this legal? Maybe that is why the subsentence “all in accordance with applicable laws” comes in. It isn’t there to tell you Facebook will obey the law, it is there to say that you don’t have to provide this if the law doesn’t allow it or gives you freedom. This is like Apple for years charging people in Europe for extra warranty rights under Apple Care that those people already had under the law. They were convicted for this in Italy and had to pay a big fine. Now, everywhere in Europe they add the clause that some of the rights under Apple Care are already yours without you paying for it. I suspect it’s weaselese-legalese. But I digress.

Next: age. WhatsApp writes:

Age. If you live in a country in the European Region, you must be at least 16 years old to use our Services or such greater age required in your country to register for or use our Services. […] In addition to being of the minimum required age to use our Services under applicable law, if you are not old enough to have authority to agree to our Terms in your country, your parent or guardian must agree to our Terms on your behalf.

OK. There goes the entire WhatsApp use for the school of my children, the use of WhatsApp for families. What are they going to do instead? I can guess what Facebook hopes will happen: many will move to Facebook (Messenger). And instead of the end-to-end encrypted WhatsApp messaging, Facebook (WhatsApp’s parent company) is additionally getting access to all the content of the messages. It’s pretty smart to move the under-16s off of WhatsApp to Facebook. They might stay. After all, they have been leaving by the millions. Numbers from the US at least show that the 13-17 year olds have been dropping Facebook. While 71% of them were using Facebook in 2015, only 51% are using it three years later. One could suspect Facebook wants to stop that worrying trend.

This is also telling: Facebook has decided not to implement a way for parents of children over 13 and under 16 to agree to the WhatsApp terms on the children’s behalf. Or: Facebook has decided not to invest in WhatsApp technology on this issue. They have invested in Facebook itself, though:

Under GDPR, people between the ages of 13 and 15 in some EU countries need permission from a parent or guardian to allow some features on Facebook — seeing ads based on data from partners and including religious and political views or “interested in” on your profile. These teens will see a less personalized version of Facebook with restricted sharing and less relevant ads until they get permission from a parent or guardian to use all aspects of Facebook.

The Legal and Privacy Statements make certain that it is clear that WhatsApp is part of the Facebook ecosystem.

We are part of the Facebook Companies. As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the Facebook Companies. We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings.

The last sentence says your WhatsApp information (that is: everything except the content of your messages, such as who your contacts are, when and from where you interact with them, who else is in your address book, etc. etc. etc.) is used to market Services. You might think it is about marketing ‘services’ to you (after all, they constantly talk about Services when they talk about your use of WhatsApp) or even services by companies that advertise on Facebook, but you are not the client here. What Facebook markets is advertising, and it says here that it uses your WhatsApp data (including all that stuff that has nothing to do with WhatsApp, apparently) to improve its advertising offer to companies who can then target you. Oh, and by the way, don’t forget the information on everybody (including the children) that is collected on the web via ‘pixels’ and other types of web beacons.

Anyway, Facebook wants to use the data it gets from WhatsApp users. But that was blocked by the Irish and other European privacy watchdogs apparently, because the statement also says:

  • We do not share data for improving Facebook products on Facebook and providing more relevant Facebook ad experiences.
    • Today, Facebook does not use your WhatsApp account information to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook. This is a result of discussions with the Irish Data Protection Commissioner and other Data Protection Authorities in Europe. We’re always working on new ways to improve how you experience WhatsApp and the other Facebook Company Products you use. Should we choose to share such data with the Facebook Companies for this purpose in the future, we will only do so when we reach an understanding with the Irish Data Protection Commissioner on a future mechanism to enable such use. We’ll keep you updated on new experiences we offer and our information practices.

In other words, Facebook really, really, REALLY wants to use your WhatsApp data to sell ads on Facebook (or even on WhatsApp later) but the privacy watchdogs, especially the Irish one, were able to put a small finger in the dike. The question is for how long, and to what extent internal Facebook algorithms can be trusted. So far, Facebook hasn’t earned my trust, to be honest, for the simple reason that I’m not their customer. I’m their product (actually, I’ve left Facebook personally and will probably end the Mastering ArchiMate Facebook page when I get around to it).

Facebook makes very clear that they will never offer an opt-out:

If you do not want your account information shared with other members of the Facebook Companies for any of the purposes described in our Terms of Service and Privacy Policy, you can choose not to agree to these documents and not to join the WhatsApp service.

Facebook simply says: our business model is selling you, and if you don’t agree, take your personal data elsewhere.

What to think of all of this? Well, it is clear that Facebook really doesn’t like that it can’t get at the content of WhatsApp messages and that it cannot (in Europe at least, they probably have no such problem in the rest of the world) use WhatsApp data in Facebook advertisement-targeting. As the EU protects its citizens against Facebook’s limitless attack on privacy, Facebook reacts with actions that in fact undermine WhatsApp, by excluding (in Europe) all under 16 year olds. They know that drives people to other free services, the most important of which is … Facebook. And it seems clear that they do not want to invest in WhatsApp unless they can start monetising you, the user. Which is logical, of course. Facebook apparently wants either to make serious money on WhatsApp or kill it. And as long as it cannot make money from it, it might be on a road to kill it. And they are under pressure to fix the problem of the 13-17 year olds leaving the platform; Zuckerberg and his people may be hoping that blocking those from WhatsApp might fix the leaking Facebook ship.

In other words, under the guise of conforming to GDPR and under pressure of European Privacy Watchdogs, Facebook is crippling WhatsApp in such a way that the effective end result is going to be that there will overall be less privacy if the youngsters (as Facebook probably hopes) will move to other Facebook services (such as Instagram or Facebook itself) instead. Trying to get to a situation with less privacy by using the guise of complying with regulation intended to improve privacy. One must admire the brazenness of it all.

WhatsApp’s Privacy Policy starts with this statement:

Respect for your privacy is coded into our DNA. Since we started WhatsApp, we’ve aspired to build our Services with a set of strong privacy principles in mind.

Yes, it originally may have been built with that in mind when WhatsApp was not yet part of Facebook. There has been an enormous amount of naiveté by the founders of these beautiful connect-the-world applications. There is no way to make money with WhatsApp. The naive idealists have long since left. The cynics remain. And they manipulate at will.

We need politicians, I’m afraid

I think that we need politicians to solve this fundamental issue, the issue that we the people have become an object more than a subject, and the market itself won’t solve this. Here are a few solutions I can imagine:

  1. One obvious solution is to legally force companies (e.g. through WTC rules) whose business model is based on paying for services by harvesting personal data to offer a paid service that frees users from paying with their privacy. And yes, the nasty thing is that this means rich people will have privacy and poor people will not.
  2. National governments or even bodies like the EU may offer a free or minimal cost service for purposes like WhatsApp, to help their citizens connect without losing their privacy. E.g. for those neighbourhood alert channels, or for students at schools. If we consider services like WhatsApp to be of a fundamental nature for society (like transport of water, electricity), governments may deem it a public service and start providing it.
  3. And slightly off the topic of WhatsApp/Facebook: there should probably be a worldwide ban on technologies such as web beacons where all kinds of data gatherers gather all kinds of data without consent, data that may be weaponised and used against the people who provided it in the first place (the public). The public must be protected.
[Image credit: Photo by Thought Catalog on Unsplash]