WhatsApp with that Privacy Policy, Facebook?
A deeper look at WhatApp’s privacy policy and what happened
Hi All,
I hope you all are doing well and welcome (if you aren’t new then again) to Dozen Worthy Reads. A newsletter where I talk about the most interesting things about tech that I read the past couple of weeks or write about tech happenings. You can sign up here or just read on …
A couple of weeks ago WhatsApp revealed a new piracy policy that informed users to either accept the policy or they will not be able to continue using the product. Users being users, completely flabbergasted created memes such as the below -- probably spreading disinformation about WhatsApp on uhh well WhatApp, Facebook, and Insta. How ironic is that (Author note : I got this as a forward on WhatsApp and sent it to a few close friends). I am a misinformation spreader, stop me!
Thing is for most of the part people (and governments freaked out for absolutely no reason!)
From : Here's WhatsApp's New Privacy Policy Really Means
The confusion was the natural result of WhatsApp’s bungled rollout of these new policies. By shoving a scary-sounding ultimatum in front of countless users, and by tying that ultimatum to a privacy policy that (I think we can all agree) is near-impossible to comprehend, the bulk of WhatsApp’s users were left assuming the worst: that Facebook could now read their WhatsApp messages, snoop through their entire contact list, and know every time you leave someone on “read” within the app. These rumors eventually reached WhatsApp Head Will Cathcart, who issued his own lengthy Twitter thread debunking the bulk of these claims, before WhatsApp proper did its own debunking in the form of an FAQ page.
This is plain incorrect and minus the threat of not being able to use WhatsApp and all the other things that Facebook does wrong, this was just an announcement they bungled up more than anything else. It is interesting that a company with 50k employees and probably super huge and large comms departments messed this up. I think this was an attempt at not providing ‘too much’ information resulting in many more questions. More on that later, lets see what happened here
What data does Facebook really collect?
People do not understand “data”. There are, for all practical purposes, two types of data, Metadata and actual data. Metadata is just “data about data”. I’m kinda hacking this concept but for all practical purposes unless you opted out in mid-2016, Whatsapp would share some basic metadata with facebook.
What was that metadata? Things such as ..
Phone Number
Phone Make
Phone Model
Battery Levels.
You can argue why they care about any of these things especially battery level (I googled it and I still have no freaking clue what they do with it. To me this seems like a “lets uhh rob everything we can and figure out if its worth anything later”. Entire list of collected metadata is here
Now assume back in 2016 you did not opt out of the privacy policy then whenever you messaged a friend your metadata and not the conversation that you exchanged would get sent back to Facebook.
What changed now?
Well in the prior scenario nothing much. Your chat messages still cannot be read by anyone. That is end-to-end encryption.
From Wired :
A few months later, WhatsApp quietly rolled out a new business-facing product that promised to milk even more revenue out of the multi-billion-dollar platform: the “WhatsApp Business API.”
As the name suggests, the Business API was geared towards businesses: airlines that want to use WhatsApp to send boarding passes, for example, or a grocery chain that wants to use WhatsApp to let someone know their order is out for delivery. These messages weren’t meant to be promotional the way, say, an ad on Instagram might be; they were meant to be transactional—kind of like a conversation you have with a store clerk when looking for shoes in your size. If the business in question answered a given inquiry within a one-day window, Facebook let them send their response free of charge.
These are not ad’s, they are your transactional interactions with WhatsApp since a lot of people use WhatsApp for business and Facebook is of course trying multiple avenues of monetizing WhatsApp -- eCommerce (with Jio), Payments with WhatsApp in India, and Business Messenger (the API mentioned below)
Now this API is starting to become a large business for Facebook. The number of enterprises targeted to use it is 55k amounting to $3.6B in messaging fees
What does the API do? Glad you asked. From the dev FAQ
WhatsApp considers communications with Business API users who manage the API endpoint on servers they control to be end-to-end encrypted since there is no third-party access to content between endpoints.
Some organizations may choose to delegate management of their WhatsApp Business API endpoint to a third-party Business Solution Provider. In these instances, communication still uses the same Signal protocol encryption. However, because the WhatsApp Business API user has chosen a third party to manage their endpoint, WhatsApp does not consider these messages end-to-end encrypted. In the future, in 2021, this will also apply to businesses that choose to leverage the cloud-based version of the API hosted by Facebook.
In addition, if you are using HTTPS when making calls to the WhatsApp Business API client, that data is SSL-encrypted (from your backend client to the WhatsApp Business API client).
OK what the hell does that mean. Yep yep getting there now. Now recall this does not impact the below:
Private Conversation
Me → You (private encrypted conversations) → NO ONE HAS ACCESS
Me : Hi
My best friend : Whatsup
Metadata → Sent if not opted out on 2016 → FACEBOOK HAS ACCESS
Brand Conversation
BSP/Partner → Brand → WhatsApp Business API → YOU (Whatsapp consumer)
Me : Hi Brand → FACEBOOK PARTNER HAS ACCESS
Brand : Hello customer → FACEBOOK PARTNER HAS ACCESS
When you as a customer have a “conversation” with a brand on Whatsapp and that Brand outsources to a “Business Solution Provider” then your chat data, via the API, goes to that Business Solution Provider ...
From Wired:
They’re essentially an approved set of adtech vendors whose sole responsibility is making marketing on Facebook as easy an experience as possible. If you’re advertising a hip new line of CBD gummies and only want to reach, say, dog moms on Instagram between 18 and 21 that live in the U.S. but exclusively speak Portuguese at home, there are a few dozen BSP’s that Facebook can match you up with. If you want to reach them on other Facebook properties—like, say, Whatsapp—there are 66 partners that Facebook lists off as having the key to its Business API. Even if you can’t get your hands on it, Facebook’s essentially promising that your ads will be safe in these third-party players’ hands if you promise to give them a little monetary something-something.
The encryption-busting maneuver these BSP’s are allowed to do is, as always, openly available, courtesy of Facebook. If your brain hasn’t smoothed over reading about this API until now, I’d recommend flipping through those docs. For my fellow smooth-brainers, here’s the basic gist: When a BSP or any Facebook-approved partner downloads the Business API, it comes packaged with a port that directs data from WhatsApp conversations onto an external database that this partner controls. When that partner gets buddied up with, say, a pizza place that wants to use WhatsApp for customer support, every message that they get asking about the status of their slice ends up in this unencrypted bucket, along with a slew of contact info about the person who put that request in.
Once that data’s under a third-party’s purview, ultimately it’s no longer Facebook’s responsibility, even if it’s used to target ads on one of the company’s own platforms. WhatsApp cheerfully described this setup in yet another FAQ (emphasis ours again):
Some businesses and solution providers will use WhatsApp’s parent company, Facebook, to securely store messages and respond to customers. While Facebook will not automatically use your messages to inform the ads that you see, businesses will be able to use chats they receive for their own marketing purposes, which may include advertising on Facebook. You can always contact that business to learn more about their privacy practices.
In other words, if I’m using WhatsApp to ask this imaginary pizza place why my eggplant parm and diet coke haven’t gotten to my apartment yet, whatever data falls out of that conversation could be used to target me with more ads for parm and parm-adjacent products just about anywhere that pizza place’s trusted partner is able to do so. It’s just a happy coincidence if that means advertising on Facebook.
So just to recap, what WhatsApp (okay, mostly Facebook) is saying at this point is:
There’s tons of juicy consumer data in WhatsApp that marketers aren’t tapping into, but accessing it might mean paying a not-insignificant-fee to Facebook and to one of these trusted third parties (which, yep, also pay Facebook as part of terms for their title).
Once they have their hands on enough data, they’re free to pay Facebook again for the privilege of advertising against these same users. If you read between the lines, though, the decision to advertise on Facebook or not is pretty much made up for them before they even asked.
This exact cycle repeats likely thousands of times per week.
Somewhere down the line, Mark Zuckerberg gets rich enough to get those ass implants we’re sure he always wanted.
Hell, I work in tech and that was hard to understand and explain so can’t blame Facebook/WhatsApp for goofing that up and delaying their privacy policy update by 3 months not
The core of the issue though is not the privacy policy at all, this is about trust and brand association. From a 2019 fastcompany post :
The poll found that 60% of Americans don’t trust Facebook with their personal information. Further, 57% of Americans agreed with the statement that social media sites do more to divide the country than unite it. “Social media–and Facebook, in particular–have some serious issues in this poll. If America was giving social media a Yelp review, a majority would give it zero stars,” said Micah Roberts, a pollster at Public Opinion Strategies, which conducted the poll along with Hart Research Associates.
Other findings from the poll for comparison:
28% of Americans don’t trust Amazon with their data.
37% of Americans don’t trust Google with their data.
35% of Americans don’t trust the federal government with their data.
74% of Americans think that letting social media companies collect and use data about them in return for free services is not a fair trade-off.
By tying the WhatsApp and Instagram brands back to Facebook, I wonder if Facebook is hoping that they’d be able to restore trust in Facebook but it seems like things are the other way around. Facebook has likely lost this battle and while people will continue to use their products trust might be permanently lost as long as their business model of selling data does not change.
In fact given the Apple IDFA changes Facebook is trying to get people to allow access to their IDFA with a message that says …
Allow Facebook to use your app and website activity?
Get ads that are more personalized
Support businesses that rely on ads to reach customers
To provide a better ads experience, we need permission to use future activity that other apps and websites send us from this device. This won't give us access to new types of information.
Blatantly false given that they will suffer significantly, financially
From : Facebook predicts ‘significant’ obstacles to ad targeting and revenue in 2021
In the “CFO outlook” section of the earnings release, Facebook said it anticipates facing “more significant advertising headwinds” this year.
“This includes the impact of platform changes, notably iOS 14, as well as the evolving regulatory landscape,” the company wrote. “While the timing of the iOS 14 changes remains uncertain, we would expect to see an impact beginning late in the first quarter.”
This is Facebook speaking to two different audiences, their not so savvy customer and a bunch of savvy tech people. How can a company expect to build trust when they are afraid to even admit (in their own popup) that this will materially impact Facebook’s own business?
From :Apple’s Privacy Change Will Hit Facebook’s Core Ad Business. Here’s How
Facebook warned this week that Apple’s new feature, which is expected to roll out this quarter, will pose risks for its business, but the company hasn’t detailed how it is exposed. Facebook in August pointed to a small corner of its business that facilitates ad placements on third-party sites and apps. It has also played up how the change would hit small developers.
The core of Facebook’s business, its flagship app and Instagram, would be under pressure, too. The Apple change will require mobile apps to seek users’ permission before tracking their activity, restricting the flow of data Facebook gets from apps to help build profiles of its users. Those profiles allow Facebook’s advertisers to target their ads efficiently.
The change will also make it harder for advertisers to measure the return they get for the ads they run on Facebook—how many people see those ads on mobile phones and take actions such as installing an app, for example.
I'm going to call it. It almost seems like Facebook’s left hand doesn’t know what the right hand is doing and this is the price to pay for a large company. I recall not too many years ago, Facebook was the darling “press” child who could do no wrong. You can’t build a long term business without customer trust, we all know that. Facebook (well at least now) knows it but they are not doing much to fix it. They is some “Trust Building Theater” but for all practical purposes unless Facebook monetizes another non-data (read ad’s) channel and their revenue is de-risked this will not change much. The street wants that growth
Thank you for reading. Stay safe, be well! If you enjoyed reading this please consider sharing with a friend or two (or sign up here if you came across this or were forwarded this)
Reads on this topic
India asks WhatsApp to withdraw new privacy policy – TechCrunch
Americans' views of social media amid Facebook lawsuit: Fast facts
More than 60% of Americans don’t trust Facebook with their personal information