The Federal Trade Commission has approved Facebook’s acquisition of WhatsApp. The deal, which was originally valued at $19 billion but is subject to changes in Facebook’s share price, is expected to close some time before the end of the year. The one condition? Facebook has to make sure it continues to keep WhatsApp’s promises of consumer privacy when the deal is finalized.

Jessica Rich, the director of the Bureau of Consumer Protection, warned the companies in a letter sent on Thursday that they will have to honor the promises WhatsApp made to its users. She notes that WhatsApp’s privacy protections “exceed the protections currently promised to Facebook users” and warns that any changes could be in violation of FTC rules and a previous order it made against Facebook in 2011. As it turns out, promising to protect user privacy to make an acquisition more palatable to regulators requires a little bit of follow-through.

There’s only one problem: WhatsApp doesn’t have to violate the FTC’s order to threaten or directly undermine its users’ privacy.

WhatsApp does make a lot of promises. Its chief executive, Jan Koum, has spoken at great length about how his experience growing up in Soviet Ukraine made him value personal privacy. But as Pando’s Yasha Levine pointed out just after Facebook announced its intent to acquire the company, WhatsApp has failed to implement basic security tools, been investigated for its privacy practices, and included clauses about personal information in its Terms of Service.

Levine describes WhatsApp’s carelessness when it comes to security:

In fact, since Koum launched WhatsApp in the summer of 2009, the company’s privacy track record has been horrible: It’s been aggressively incompetent and careless with user data. It has also repeatedly failed to provide users with even the most rudimentary security measures. As a result, WhatsApp left its messaging data wide open for potential surveillance and interception by intel agencies, scammers and Internet lurkers with basic hacker skills.

How bad was the problem?

It wasn’t till three years after the company’s launch — the end of 2012 — that Koum even bothered securing WhatsApp messages with the most basic encryption. From WhatsApp’s launch in 2009 to the end of 2012, the app transmitted messages and sensitive data over the Internet in simple text, allowing anyone with a basic sniffing tool to intercept and read everything its users were sending.

Here’s what he wrote about the privacy investigations:

In early 2013, Canada’s Privacy Commissioner and the Dutch Data Protection Authority released the results of their joint investigation into WhatsApp’s data handling. They ruled that the company violated several Canadian and Dutch privacy laws.

One of the violations had to do with WhatsApp’s practice of forcing users to upload their phone’s entire contact list in order to discover other WhatsApp users.

Among other things, the investigation found that WhatsApp permanently stores phone numbers of non-users and then fails to properly protect or anonymize the information. Canadian and Dutch privacy investigators tested the company’s internal encryption and found it to be generally useless. It was so weak that it could be cracked in under three minutes using a ‘standard, low-power desktop computer.’

And here’s what WhatsApp says about personal information in its Terms of Service:

We may use both your Personally Identifiable Information and certain non-personally-identifiable information (such as anonymous user usage data, cookies, IP addresses, browser type, clickstream data, etc.) to improve the quality and design of the WhatsApp Site and WhatsApp Service and to create new features, promotions, functionality, and services by storing, tracking, and analyzing user preferences and trends. Hopefully we improve the WhatsApp Site and Service and don’t make it suck worse. We may use cookies and log file information to: (a) remember information so that you will not have to re-enter it during your visit or the next time you use the WhatsApp Service or WhatsApp Site; (b) provide custom, personalized content and information; (c) monitor individual and aggregate metrics such as total number of visitors, pages viewed, etc.; and (d) track your entries, submissions, views and such.

So either the FTC is going to have to make a case against Facebook and WhatsApp for violating rules that it warned against breaking the same day it approved the acquisition, or it will have to let WhatsApp’s privacy claims go untested even as it’s assimilated into one of the greatest personal data purveyors of all time. So much for regulatory oversight, right?

[Illustration by Brad Jonas for Pando]