Microsoft, Google, Apple, Windows, Android, iOS, Internet, Cyber Security, Hacking, Malware, Smartphone, Mobile App


All the data WhatsApp and Instagram send to Facebook

When combined the ‘Facebook companies’ know a huge amount about you

At the start of 2021, a poorly communicated privacy policy change spurred a mass exodus from Facebook-owned WhatsApp. During the week after the announcement – which saw WhatsApp demand users accept a new policy or delete their accounts – downloads of rival Signal surged by 35 times to 8.8 million causing its servers to crash. Others switched to Telegram, which was downloaded 11m times during the week following the privacy update.

The uproar came after millions of people misinterpreted WhatsApp’s new terms to mean more data would be shared with its parent Facebook. This wasn’t the case: the update to WhatsApp’s policy covers the way people communicate with businesses, and the data shared with Facebook remains the same.

Yet the policy change and resulting backlash highlighted the large amounts of data WhatsApp can collect since its 2014 acquisition by Facebook. Spoiler: it is still a lot. But six months later WhatsApp is still by far the most popular messaging app, with two billion users.

Other Facebook-owned companies collect and share even more data. Instagram’s privacy policy is almost identical to Facebook’s, and the two can freely exchange information to serve you advertising.

So, what data does it actually get from WhatsApp and Instagram, and is there any way of limiting the amount of information siphoned off to the social media giant?

What data can WhatsApp share with Facebook?

First things first. WhatsApp does not share the content of your chats with Facebook and this will not change after the terms of service update. The messages are private. Your messages – including photos, videos and calls – are protected by end-to-end encryption, so they can’t be read by law enforcement or WhatsApp itself.

Data WhatsApp can share with Facebook includes your phone number and profile name. In addition, more detailed information underlying the message known as metadata, including when it was sent and your IP address, can be collected and shared with so-called “Facebook companies”.

The EU and UK are protected by the General Data Protection Regulation (GDPR) and Data Protection Act, which limits data sharing in these regions. WhatsApp claims metadata is only collected and shared in the EU for certain purposes, such as if it is instructed to do so by law enforcement.

Metadata is a valuable tool to analyse the contacts between people, says Rowenna Fielding, founder and director of privacy consultancy Miss IG Geek. “When you look at metadata, it turns out a lot of the time you don’t even need message content, because patterns of activity tell you a lot about someone. This isn’t just, ‘X is on Y’s phone’, it is ‘X is on Y’s phone and they are messaging each other every evening at around 8pm for an hour’. You can then start extrapolating inferences or relationships and build social graphs.”

WhatsApp says data is only shared with Facebook for purposes such as preventing spam, and not for advertising. It outlines that WhatsApp does not share your contacts with Facebook for its own use, and there are “no plans to do so”. WhatsApp also denies its data is used to inform Facebook’s People You May Know algorithm, but the social network has come under fire for incidents such as the time it recommended sex workers’ clients add them as friends.

Some of WhatsApp’s data sharing remains opaque. For example, WhatsApp’s privacy policy describes how personal data shared with Facebook “may include other information identified in the Privacy Policy….or obtained upon notice to you or based on your consent”.

Under GDPR, Facebook and its companies should be meeting accountability requirements by providing comprehensive and well-explained information, says Fielding. She says because what is happening to data is in many cases not clear, “it’s impossible to say exactly where data is going, which is a problem”.

The WhatsApp privacy change, which despite an initial delay is still rolling out, covers the way you communicate with businesses that use its API. WhatsApp chats between people and businesses are end-to-end encrypted as they are transmitted, but following the recent privacy update, they can be stored once received by a business using a Facebook-hosted service.

“The privacy policy change enables businesses to store your WhatsApp chats once they receive them, on Facebook-hosted servers, and therefore outside end-to-end encryption,” says Zak Doffman, CEO of surveillance tech firm Digital Barriers. “WhatsApp says Facebook can’t use this data, but the business can mine chats for advertising.”

After an initial delay, the update to WhatsApp’s terms of service is starting to roll out globally, but it may still falter in the EU, where it is facing an investigation by authorities.

What data does Instagram share with Facebook?

Instagram shares a lot of data with Facebook. Its privacy policy outlines how the social network “connects information about your activities on different Facebook products and devices” to provide a “more tailored and consistent experience”. For example, it can suggest you join a group on Facebook that includes people you follow on Instagram or communicate with using Messenger.

Facebook and Instagram share infrastructure, systems and technology with other Facebook companies. This means information shared from WhatsApp about accounts sending spam can be used to take action on Facebook, Instagram or Messenger.

Instagram can also collect your location, where you live, the places you visit, and details about the businesses and people you’re near to “provide, personalise and improve Facebook Products”, including ads, for “you and others”.

Yet despite hefty data collection and sharing, Instagram has fewer privacy controls than its parent, says Jake Moore, cybersecurity specialist at security company ESET. “Instagram has fewer privacy controls than Facebook and you can’t stop most of your data being shared between the platforms, but you can adjust how certain information is used.”

For example, he says, Instagram shares your location data with Facebook but you can curb the app’s access to your whereabouts and limit the audience to your posts in your settings.

Limiting data sharing

Facebook companies are numerous, including Facebook itself and its Messenger service, as well as 91 acquisitions by the social network such as WhatsApp, Instagram and Oculus. Limiting data sharing between Facebook and these companies is challenging, especially given the tracking and profiling that happens between the social network and other sites across the web.

“Every website, most apps and retailers, entertainment outlets and service providers are feeding your data to Facebook,” Fielding says. At least five million websites are using Facebook Pixel trackers, and people give away more of their data via the Login With Facebook API, which allows you to carry over Facebook profile information to other apps and websites. “That adds up to a huge amount of power over your online experience, beliefs and interactions,” says Fielding.

Yet there are some steps you can take to stop Facebook data sharing in general, says Fielding. “Don’t use apps that snitch to FB, don’t buy FB-reliant products, use FB in your browser not the app, if you have to at all. Stay off Instagram, delete WhatsApp or separate contacts lists by context, and have a separate work phone. Never use anything with ‘FB-powered’ on it.”

At the same time, secure messaging app Signal benefits from not being owned by Facebook, and according to Apple’s App Store privacy labels, doesn’t need vast amounts of data to operate. “Signal is far more security and privacy-focused as a platform and is best aligned with WhatsApp’s offering,” Moore says.


Leave A Reply

Your email address will not be published.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Privacy & Cookies Policy