WhatsApp caused a user stampede to rival encrypted messaging appSignal by sending users new terms and conditions.- Users were panicked by the notification WhatsApp sent out, thinking it meant the app would share more data with
Facebook , its parent company. - In fact, WhatsApp was already sharing their data with Facebook — all the notification did was draw attention to it.
On January 6, WhatsApp caused a user stampede.
The app sent users a notification asking them to sign off on updated terms and conditions, which stipulated it could share reams of metadata - including their phone numbers, locations, and contacts - with its parent company Facebook. If users did not consent, the notification said, they would lose access to WhatsApp.
The notification shocked users, at least some of whom use WhatsApp because the encrypted messaging app touts itself as privacy-focused. High-profile figures including Tesla's CEO Elon Musk, the world's richest man, recommended users switch to Signal, a much smaller rival encrypted messaging app.
People flocked to Signal in their droves. Signal amassed 7.5 million downloads in the week following WhatsApp's notification - up 4,200% from the previous week.
WhatsApp soon went into damage-control mode, putting up a new FAQ about the policy change and delaying the deadline for users to agree to the new terms and conditions from February 8 until May 15.
As it happens, it doesn't look like anything has really changed about how WhatsApp shares data with Facebook.
The updates to T&Cs were solely to facilitate business accounts on WhatsApp to link up with Facebook's back-end analytics infrastructure, WhatsApp said. They do not change anything about the way an average user's data gets passed back to Facebook, it said.
WhatsApp gave users 30 days to opt out of sharing some data with Facebook back in 2016 - Wired reported that this opt-out would still be honored, and WhatsApp confirmed the report to Insider.
What WhatsApp accidentally did with its notification was to highlight to users exactly how much of their data it was already sending back to the Facebook mothership.
"I suspect people were alarmed by being reacquainted with what WhatsApp already share"
Alan Woodward, a cybersecurity expert at the University of Surrey, said WhatsApp made new T&Cs look a lot more scary to users by telling them they'd lose access if they didn't consent.
"WhatsApp presented this as an ultimatum to users, which never goes down well: accept these new terms or stop using the service. They could perhaps have been a lot clearer up front about what the changes were, in which case many would have simply said okay," Woodward said.
"I suspect people were alarmed by being reacquainted with what WhatsApp already share," he said.
Professor Eerke Boiten of De Montfort University agreed that WhatsApp's method of sending a notification with what appeared to be an ultimatum was a misstep.
"The main thing they got wrong was putting it into the users' faces. They've alerted users to something that didn't get massively worse [...] in any significant sense, but was a looming problem all along," Boiten told Insider.
WhatsApp's shifting attitude to privacy has been a cause for concern among tech industry insiders and privacy advocates for a long time. The decision to increasingly link WhatsApp up with Facebook's ad business is what drove its cofounder Brian Acton to leave the company - the same is reportedly true for cofounder Jan Koum.
Acton subsequently helped found the non-profit Signal Foundation, which backs Signal.
"The move from WhatsApp to Signal is maybe not justified by the immediate incidence, but in broader terms it's a good thing," Boiten added.
You can see the difference between how much data WhatsApp collects compared to Signal using the Apple App Store's new privacy information feature. While WhatsApp cannot read the contents of messages because they are encrypted, it is able to hoover up metadata - i.e., data about an account and its messaging. That includes information like your phone number, as well as who you're messaging and when.
"Metadata is almost as telling as the contents [of a message]," Boiten said. It's hard to get a clear read on exactly what metadata WhatsApp is sending back to Facebook, Boiten said, as its privacy policy is written with lots of broad language, specifically by promising not to share "account information" but not specifying whether that includes metadata.
Woodward also pointed to WhatsApp's collection of metadata. "The perverse thing is that WhatsApp encryption is based upon the same as used by Signal, but whilst [WhatsApp] keep the content if your messages confidential they do harvest some metadata, and knowing who talked to whom, when and for how can be valuable data in targeting advertising by identifying affinity group," he said.
Signal's focus on privacy does come with a tradeoff: If you make it impossible to gather things like metadata tracking down illegal activity on a messaging app becomes difficult. Signal employees are reportedly worried the company's explosive growth could mean it attracts extremists, the Verge reported.
Their worries are not without precedent. Far-right users moved to rival encrypted messaging app Telegram after social media app Parler - which is famous for its popularity amongst far-right commentators and had a growth explosion following the US Capitol riots - was booted off its Amazon web servers.
But CEO Moxie Marlinspike thinks the benefits of a truly private messenger outweigh the potential abuses.
"I want us as an organization to be really careful about doing things that make Signal less effective for those sort of bad actors if it would also make Signal less effective for the types of actors that we want to support and encourage [...] Because I think that the latter have an outsized risk profile. There's an asymmetry there, where it could end up affecting them more dramatically," Marlinspike told the Verge.
While the new WhatsApp notification appears to be a PR blunder, Woodward doesn't think WhatsApp is in deep trouble long-term.
"WhatsApp still has a critical mass of users and many are quite relaxed about the unwritten social contract that says you can use our service for free in return for us using your data to make a profit," he said.