We use cookies to ensure that we give you the best experience on our website. Privacy Notice
Accept
BASIC thinking InternationalBASIC thinking International
  • SOCIAL MEDIA
  • MARKETING
  • ENTERTAINMENT
  • BUSINESS
  • TECHNOLOGY
  • GREEN
  • 🇩🇪
Reading: WhatsApp does store non-user data, indefinitely
Share
BASIC thinking InternationalBASIC thinking International
Search
  • SOCIAL MEDIA
  • MARKETING
  • ENTERTAINMENT
  • BUSINESS
  • TECHNOLOGY
  • GREEN
  • 🇩🇪
Follow US
© 2003 - 2023 BASIC thinking GmbH
Social Media

WhatsApp does store non-user data, indefinitely

Marinela Potor
Last updated: September 6, 2021
Marinela Potor Published September 6, 2021
Pixabay / Webster2703
SHARE

Secure, my ass! The latest data protection warning from an Irish authority against WhatsApp shows that the messenger service is not only not very transparent with the data of its own users. But apparently WhatsApp does store data from people who don’t even use the service – without their knowledge, for an indefinite period of time, and inadequately encrypted.

If you don’t trust WhatsApp to protect your personal data, you don’t have to use the service. After all, there are enough alternatives. But as the latest data protection warning from the messenger service shows: even as a non-user, your data ends up with WhatsApp without your knowledge and without your consent. And not only that.

The company stores the phone numbers of non-users (!) in a special list indefinitely. The technology that WhatsApp uses to encrypt your data on this list is so low-threshold that it would be easy for WhatsApp to find out your phone number.

DSGVO violation: WhatsApp to pay 225 million euros

This means that WhatsApp may be in breach of the European General Data Protection Regulation (GDPR) and may have been collecting and storing personal data without permission for years. This is revealed by the latest data protection warning against WhatsApp.

In it, the Irish data protection authority DPC has ordered WhatsApp to pay a fine of 225 million euros. One of the reasons given by the authority was that the Facebook subsidiary violated the GDPR in several respects.

On the one hand, it was a matter of WhatsApp not explaining to its users in sufficient detail and in a comprehensible manner what personal data is stored for what purposes, in what form, and forwarded (among other things to parent company Facebook).

But beyond that, the authority was bothered by another practice of the messenger service: the app’s contact matching. And this goes much further than previously known.

Questionable contact matching

When you log in to WhatsApp, a synchronization with your contact list takes place. This way, WhatsApp wants to find out which of your contacts is also logged into WhatsApp and show you that directly accordingly.

This makes it easy to connect on WhatsApp, but requires WhatsApp to access your contacts. You agree to this when you sign up for the Messenger service. The only thing is, your contacts don’t do this unless they also use WhatsApp.

But in order to determine who is registered with WhatsApp and who is not, the service has to process all of your contact numbers, including the phone numbers of users who do not use WhatsApp. Accordingly, they have never agreed to this and know nothing about it.

This is problematic from a data protection perspective, which is why many companies prohibit the use of the service in their business.

It is precisely this contact matching that various European data protection authorities have raised with the DPC as a violation of the GDPR. The messenger’s intrusion into your personal data apparently goes even further than previously known.

WhatsApp stores data of your contacts after all

Until now, WhatsApp has always assured that these numbers from your contact list are not stored. So the company says:

We do not store these phone numbers and only process them for a short period of time to create cryptographic hash values that allow us to more efficiently establish a connection between you and these contacts when they join WhatsApp.

However, as the DPC document reveals, this is not entirely true and WhatsApp does store these contact numbers.

To that end, WhatsApp allegedly also uses a very strange practice: the numbers of people the service identifies as non-users are stored on a special “non-user list” for an “indefinite” period of time, according to the DPC document. It is unclear whether WhatsApp ever deletes this list.

Why does WhatsApp need to do this? Unclear. Does the Messenger service pass it on to Facebook? Who knows. Does this violate the GDPR? According to the DPC, yes!

Non-user data poorly encrypted

Of course, WhatsApp does not have this list of phone numbers unencrypted. The information of the non-users is encrypted in advance via a hashing process. In addition, the numbers are packaged in a code and alienated. This protects the data of the non-user:inside, the company says.

If one of your contacts is not yet using our services, we manage this information for you in a way that ensures that this contact cannot be identified by us.

But apparently this process is less secure than WhatsApp has made it out to be. This is because WhatsApp only uses a 39-bit hash value to mask the numbers. This hash value corresponds to a maximum of 16 other phone numbers known to WhatsApp, both from users and from non-users.

In other words, one hash value cannot be uniquely assigned to one number, but to 16 phone numbers. At most. Often, however, there are fewer numbers. That is not very secure, say experts. And it is precisely this that makes it extremely easy for WhatsApp to compare the numbers of non-users with those of users in the inference procedure and to unpack them again via an exclusion procedure.

WhatsApp stores data and finds this unproblematic

WhatsApp, on the other hand, justifies itself to the DPC and believes that the hashing practice is unproblematic. After all, the idea of someone unpacking the hash values and tapping the numbers is only theoretical. In practice, no one does that with WhatsApp. The private numbers are thus protected.

And because these numbers are pseudonymized via hash values, they are not personal data. But the Irish data protection authority has a different opinion. And just because someone hasn’t misused WhatsApp’s phone number list yet doesn’t mean it’s not possible.

Leaving aside the fact that WhatsApp assures its user:s of one thing and then possibly does something else in practice, which most likely violates data protection.

When asked by BASIC thinking, WhatsApp said that it was working to ensure that the information it provided was transparent and understandable.

We disagree with the decision regarding the transparency we offered people in 2018 and the penalties are completely disproportionate.

WhatsApp has appealed the penalty. But if the decision remains as it is, WhatsApp will have to change its methods in a timely manner. After all, those who use WhatsApp themselves can already restrict the practice of contact matching and prohibit the app from accessing their contact list in their settings.

Incidentally, the DPC’s statements refer exclusively to WhatsApp’s general service, not to Business WhatsApp.

Marinela Potor September 6, 2021
Share this Article
Facebook Twitter Whatsapp Whatsapp LinkedIn Email
By Marinela Potor
Follow:
Marinela Potor is a journalist from Dortmund, Germany. He is also the editor in chief of the German online magazine Mobility Mag. Her interests include future travel, transport and innovations. Follow her on Twitter.
Previous Article LinkedIn says goodbye to its Stories
Next Article Netflix games: Netflix tests gaming offer – but not via streaming

Stay Connected

5.1k Like
180 Follow
1.9k Follow
260k Subscribe

Latest News

South Park ChatGPT
South Park: Producers let ChatGPT take part as co-writer
March 24, 2023
tiktok-challenges
New guidelines: TikTok wants to restrict deadly challenges
March 23, 2023
dall-e-bing
Microsoft integrates image generator DALL-E into search engine Bing
March 22, 2023
Amazon
Mass layoff: Amazon lays off another 9,000 employees
March 21, 2023
tiktok-feed-zuruecksetzen-1140x641
Reset function: How to reset the for-you feed on TikTok
March 20, 2023
TikTok ban US
TikTok ban: USA threatens nationwide censorship
March 17, 2023

You Might also Like

tiktok-challenges
Social Media

New guidelines: TikTok wants to restrict deadly challenges

Maria Gramsch Maria Gramsch
tiktok-feed-zuruecksetzen-1140x641
Social Media

Reset function: How to reset the for-you feed on TikTok

Beatrice Bode Beatrice Bode
TikTok ban US
Social Media

TikTok ban: USA threatens nationwide censorship

Maria Gramsch Maria Gramsch
Show More

About us

BASIC thinking is a modern media company that reaches over 25 million page impressions worldwide.

Categories

Ad Business Entertainment Green Marketing Social Media Technology

Quick Links

  • About us
  • Advertising
  • BASIC thinking Germany
  • Imprint
  • Privacy Policy
BASIC thinking InternationalBASIC thinking International
Follow US

© 2003 - 2023 BASIC thinking GmbH

Welcome Back!

Sign in to your account

Lost your password?