Secure, my ass! The latest data protection warning from an Irish authority against WhatsApp shows that the messenger service is not only not very transparent with the data of its own users. But apparently WhatsApp does store data from people who don’t even use the service – without their knowledge, for an indefinite period of time, and inadequately encrypted.

If you don’t trust WhatsApp to protect your personal data, you don’t have to use the service. After all, there are enough alternatives. But as the latest data protection warning from the messenger service shows: even as a non-user, your data ends up with WhatsApp without your knowledge and without your consent. And not only that.

The company stores the phone numbers of non-users (!) in a special list indefinitely. The technology that WhatsApp uses to encrypt your data on this list is so low-threshold that it would be easy for WhatsApp to find out your phone number.

DSGVO violation: WhatsApp to pay 225 million euros

This means that WhatsApp may be in breach of the European General Data Protection Regulation (GDPR) and may have been collecting and storing personal data without permission for years. This is revealed by the latest data protection warning against WhatsApp.

In it, the Irish data protection authority DPC has ordered WhatsApp to pay a fine of 225 million euros. One of the reasons given by the authority was that the Facebook subsidiary violated the GDPR in several respects.

On the one hand, it was a matter of WhatsApp not explaining to its users in sufficient detail and in a comprehensible manner what personal data is stored for what purposes, in what form, and forwarded (among other things to parent company Facebook).

But beyond that, the authority was bothered by another practice of the messenger service: the app’s contact matching. And this goes much further than previously known.

Questionable contact matching

When you log in to WhatsApp, a synchronization with your contact list takes place. This way, WhatsApp wants to find out which of your contacts is also logged into WhatsApp and show you that directly accordingly.

This makes it easy to connect on WhatsApp, but requires WhatsApp to access your contacts. You agree to this when you sign up for the Messenger service. The only thing is, your contacts don’t do this unless they also use WhatsApp.

But in order to determine who is registered with WhatsApp and who is not, the service has to process all of your contact numbers, including the phone numbers of users who do not use WhatsApp. Accordingly, they have never agreed to this and know nothing about it.

This is problematic from a data protection perspective, which is why many companies prohibit the use of the service in their business.

It is precisely this contact matching that various European data protection authorities have raised with the DPC as a violation of the GDPR. The messenger’s intrusion into your personal data apparently goes even further than previously known.

WhatsApp stores data of your contacts after all

Until now, WhatsApp has always assured that these numbers from your contact list are not stored. So the company says:

We do not store these phone numbers and only process them for a short period of time to create cryptographic hash values that allow us to more efficiently establish a connection between you and these contacts when they join WhatsApp.

However, as the DPC document reveals, this is not entirely true and WhatsApp does store these contact numbers.

To that end, WhatsApp allegedly also uses a very strange practice: the numbers of people the service identifies as non-users are stored on a special “non-user list” for an “indefinite” period of time, according to the DPC document. It is unclear whether WhatsApp ever deletes this list.

Why does WhatsApp need to do this? Unclear. Does the Messenger service pass it on to Facebook? Who knows. Does this violate the GDPR? According to the DPC, yes!

Non-user data poorly encrypted

Of course, WhatsApp does not have this list of phone numbers unencrypted. The information of the non-users is encrypted in advance via a hashing process. In addition, the numbers are packaged in a code and alienated. This protects the data of the non-user:inside, the company says.

If one of your contacts is not yet using our services, we manage this information for you in a way that ensures that this contact cannot be identified by us.

But apparently this process is less secure than WhatsApp has made it out to be. This is because WhatsApp only uses a 39-bit hash value to mask the numbers. This hash value corresponds to a maximum of 16 other phone numbers known to WhatsApp, both from users and from non-users.

In other words, one hash value cannot be uniquely assigned to one number, but to 16 phone numbers. At most. Often, however, there are fewer numbers. That is not very secure, say experts. And it is precisely this that makes it extremely easy for WhatsApp to compare the numbers of non-users with those of users in the inference procedure and to unpack them again via an exclusion procedure.

WhatsApp stores data and finds this unproblematic

WhatsApp, on the other hand, justifies itself to the DPC and believes that the hashing practice is unproblematic. After all, the idea of someone unpacking the hash values and tapping the numbers is only theoretical. In practice, no one does that with WhatsApp. The private numbers are thus protected.

And because these numbers are pseudonymized via hash values, they are not personal data. But the Irish data protection authority has a different opinion. And just because someone hasn’t misused WhatsApp’s phone number list yet doesn’t mean it’s not possible.

Leaving aside the fact that WhatsApp assures its user:s of one thing and then possibly does something else in practice, which most likely violates data protection.

When asked by BASIC thinking, WhatsApp said that it was working to ensure that the information it provided was transparent and understandable.

We disagree with the decision regarding the transparency we offered people in 2018 and the penalties are completely disproportionate.

WhatsApp has appealed the penalty. But if the decision remains as it is, WhatsApp will have to change its methods in a timely manner. After all, those who use WhatsApp themselves can already restrict the practice of contact matching and prohibit the app from accessing their contact list in their settings.

Incidentally, the DPC’s statements refer exclusively to WhatsApp’s general service, not to Business WhatsApp.