This Was WhatsApp's Plan All Along

Even if you aren’t the type of person who peruses WhatsApp on a regular basis, chances are you’ve tried perusing its new privacy policy.

Emphasis on tried. The roughly 4,000-word tome fell under fire from countless WhatsAppers across the globe after the company told its users that they’ll be ejected from the platform unless they abide by these new terms. Some eagle-eyed critics quickly noticed that buried under the rest of the usual slop that comes with your average privacy policy, it seemed like the new terms mandated that WhatsApp now had the right to share supposedly personal data (like phone numbers or payment info) with its parent company, Facebook, along with fellow subsidiary Instagram.

Naturally, people lost it. Over the past week, tens of millions of people have apparently flooded off of WhatsApp and onto rival messaging platforms like Signal and Telegram. Elon Musk weighed in, as did Edward Snowden. Turkish authorities opened a probe into WhatsApp’s data-sharing practices, followed by Italy’s regional data authority doing the same. On Thursday, authorities in India, WhatsApp’s biggest market, filed a petition alleging that the new terms weren’t only a threat to personal privacy, but to national security as well.

What became very clear very quickly is that, while everyone agreed on being outraged, there was a bit of fuzziness on what they agreed to be outraged about.

The confusion was the natural result of WhatsApp’s bungled rollout of these new policies. By shoving a scary-sounding ultimatum in front of countless users, and by tying that ultimatum to a privacy policy that (I think we can all agree) is near-impossible to comprehend, the bulk of WhatsApp’s users were left assuming the worst: that Facebook could now read their WhatsApp messages, snoop through their entire contact list, and know every time you leave someone on read within the app. These rumors eventually reached WhatsApp Head Will Cathcart, who issued his own lengthy Twitter thread debunking the bulk of these claims, before WhatsApp proper did its own debunking in the form of an FAQ page.

In a shocking turn of events, WhatsApp’s attempt to set its own tarnished record straight was regarded as bullshit by its more vocal critics. And honestly, they had a point: This is WhatsApp we’re talking about. When an encrypted chat platform that’s been widely praised by people in the privacy and security space very rudely announces it’ll be sharing your data, any data, with a company like Facebook, you can understand why that would raise some hackles.

The thing is, in the years since WhatsApp co-founders Jan Koum and Brian Acton cut ties with Facebook for, well, being Facebook, the company slowly turned into something that acted more like its fellow Facebook properties: an app that’s kind of about socializing, but mostly about shopping. These new privacy policies are just WhatsApp’s (and Facebook’s) way of finally saying the quiet part out loud.

I Don’t Have All Day, Gimme The Short Version

If you’re also the type of person that solely uses WhatsApp to message friends, family, and the occasional petsitter, nothing’s changing on the privacy front. In fact, what we think of when we talk about our privacy on WhatsApp has been largely unchanged since mid-2016, when the company first announced that WhatsApp would start sharing some of your basic metadata like your phone number and a grab-bag of anonymous identifiers unless you manually opted out. (Facebook ended up pulling the opt-out button pretty soon after, but that’s another story entirely.)

Not too long ago, an anonymous developer reverse engineered the entire WhatsApp web app, and their findings are freely scannable through their GitHub. In a nutshell, if I messaged a petsitter after the 2016 updates, Facebook might be able to suss out my phone’s make and model, along with how dangerously low on juice my phone might be, but those pet-sitting conversations are entirely encrypted. None of that’s changing now.

That said, if you live in a country like India or Brazil where WhatsApp isn’t only a chatting app, but a chatting app for brands and businesses to reach their clientele, things are a bit different. Unlike the aforementioned pet-sitting conversation, chances are any conversations you might have with a given company aren’t only unencrypted, but they’re shared with way more parties than you might think.

WhatsApp’s privacy policy might be new to most of us, but this particular practice has already been the platform’s MO for years.

The WhatsApp You Know And The WhatsApp You Don’t

The backstory that led up to WhatsApp’s bungled announcements actually started around the same time Koum jumped ship from the platform that was earning him frankly grotesque amounts of cash. A few months later, WhatsApp quietly rolled out a new business-facing product that promised to milk even more revenue out of the multi-billion-dollar platform: the WhatsApp Business API.

As the name suggests, the Business API was geared towards businesses: airlines that want to use WhatsApp to send boarding passes, for example, or a grocery chain that wants to use WhatsApp to let someone know their order is out for delivery. These messages weren’t meant to be promotional the way, say, an ad on Instagram might be; they were meant to be transactional, kind of like a conversation you have with a store clerk when looking for shoes in your size. If the business in question answered a given inquiry within a one-day window, Facebook let them send their response free of charge.

Any message sent after the initial 24 hours comes saddled with a tiny fee, ranging anywhere from a fraction of a fraction of a cent to a few cents per message, depending on which third parties might be involved and the country a given brand is targeting. This fee gets divvied up by those parties, and, of course, by WhatsApp.

While a few outlets covered this burgeoning product as something like Facebook’s answer to the customer support emails and texts from days of yore, it went pretty much unnoticed by most outlets that (rightfully) saw the API as a pretty boring piece of adtech. Brands, on the other hand, couldn’t be more jazzed about the idea, and they kept on being jazzed while WhatsApp adopted new features meant to make it more commerce-friendly.

By 2020, WhatsAppers based in India weren’t only using WhatsApp to talk to their pet sitters; they were scrolling through WhatsApp-specific catalogs for new shoes, plunking their selected pair into a WhatsApp-specific cart, and then using a WhatsApp-specific payment processor to pay for their new kicks before following up with WhatsApp to make sure their order arrived on time.

More brand appeal means more brands are flocking to plug into this API. In 2018, WhatsApp initially opened access to the new platform to roughly 100 hand-picked partners, like Netflix, Uber, and a few hotels and banks in regions where WhatsApp is the SMS platform of choice. Some analysts estimated that a year later, the number of enterprises plugged into the API went from 100 to roughly 1,000. At its current rate, the team said, WhatsApp is on track to get close to 55,000 businesses using this API by the end of 2024, all collectively racking up a hefty $3.6 billion in messaging fees.

The thing is, it’s really hard to goad a brand to drop that kind of cash on your product when they can’t even read what their customers are saying because, again, WhatsApp’s chats are encrypted by default. This was one of the sticking points that ultimately led to Koum’s exit, according to the Washington Post: Facebook wanted to turn WhatsApp into a business-friendly platform, and WhatsApp’s team fired back that they couldn’t build that platform without weakening WhatsApp’s native encryption in some way.

They were right. But Facebook (again, being Facebook) didn’t really seem too bothered by the idea of baking a brand-sized loophole into an encrypted platform. But if you trace back which policy change ended up biting WhatsApp in the ass the most when it rolled out these new policies, you could say some of the creepiest parts actually stem from this one decision.

Asked for comment, a Facebook spokesperson emailed soon after publication and pointed to a blog post announcing WhatsApp had postponed the implementation of its new privacy policy until mid-May due to “how much confusion there is around our recent update.”

What We Talk About When We Talk About Encryption

When the sea of internet outrage reached a critical mass on Twitter dot com, Instagram head Adam Mosseri tweeted out that he was seeing a lot of misinformation about WhatsApp’s new terms of service. The changes people were reading were strictly related to messaging businesses on WhatsApp, which, as he reminded people, is always optional. He then linked to WhatsApp’s own FAQ on the subject, which included another mealy-mouthed explanation of how, exactly, businesses use your WhatsApp data. In reality, though, it doesn’t really say much of anything: it doesn’t touch on the exact data that these partners are hoovering up from a (supposedly) encrypted platform, nor does it even discuss what changes in the privacy policy specifically apply to business-based messaging.

So instead of parsing apart... all of that, let’s go straight to the source. The Business API’s source code is actually easily searchable on Facebook’s dev-facing site, which means you can also find the data points this API hoovers from WhatsApp proper, and how it could (at least potentially) bypass WhatsApp’s encryption to do so. Or if you want, you can just visit this surprisingly cogent FAQ that literally asks “Is end-to-end encryption maintained through the WhatsApp Business API?” WhatsApp’s response is just... something (emphasis ours):

WhatsApp considers communications with Business API users who manage the API endpoint on servers they control to be end-to-end encrypted since there is no third-party access to content between endpoints.

Some organizations may choose to delegate management of their WhatsApp Business API endpoint to a third-party Business Solution Provider. In these instances, communication still uses the same Signal protocol encryption. However, because the WhatsApp Business API user has chosen a third party to manage their endpoint, WhatsApp does not consider these messages end-to-end encrypted. In the future, in 2021, this will also apply to businesses that choose to leverage the cloud-based version of the API hosted by Facebook.

In addition, if you are using HTTPS when making calls to the WhatsApp Business API client, that data is SSL-encrypted (from your backend client to the WhatsApp Business API client).

Or put another way, WhatsApp’s telling us that when we have conversations with the business or brand on the platform (and that business or brand happens to be working with a given number of third parties), the encrypted WhatsApp we’re used to using goes out the window.

I should probably clarify who these third parties actually are. Facebook calls them Business Solution Providers (or BSPs for short), and they’re essentially an approved set of adtech vendors whose sole responsibility is making marketing on Facebook as easy an experience as possible. If you’re advertising a hip new line of CBD gummies and only want to reach, say, dog moms on Instagram between 18 and 21 that live in the U.S. but exclusively speak Portuguese at home, there are a few dozen BSPs that Facebook can match you up with. If you want to reach them on other Facebook properties (like, say, WhatsApp), there are 66 partners that Facebook lists off as having the key to its Business API. Even if you can’t get your hands on it, Facebook’s essentially promising that your ads will be safe in these third-party players’ hands if you promise to give them a little monetary something-something.

The encryption-busting maneuver these BSPs are allowed to do is, as always, openly available, courtesy of Facebook. If your brain hasn’t smoothed over reading about this API until now, I’d recommend flipping through those docs. For my fellow smooth-brainers, here’s the basic gist: When a BSP or any Facebook-approved partner downloads the Business API, it comes packaged with a port that directs data from WhatsApp conversations onto an external database that this partner controls. When that partner gets buddied up with, say, a pizza place that wants to use WhatsApp for customer support, every message that they get asking about the status of their slice ends up in this unencrypted bucket, along with a slew of contact info about the person who put that request in.

A sample of some of the data these partners can get their hands on, according to Facebook’s documentation.
Screenshot: Facebook (Gizmodo)

Once that data’s under a third-party’s purview, ultimately it’s no longer Facebook’s responsibility, even if it’s used to target ads on one of the company’s own platforms. WhatsApp cheerfully described this setup in yet another FAQ (emphasis ours again):

Some businesses and solution providers will use WhatsApp’s parent company, Facebook, to securely store messages and respond to customers. While Facebook will not automatically use your messages to inform the ads that you see, businesses will be able to use chats they receive for their own marketing purposes, which may include advertising on Facebook. You can always contact that business to learn more about their privacy practices.

In other words, if I’m using WhatsApp to ask this imaginary pizza place why my eggplant parm and diet coke haven’t gotten to my apartment yet, whatever data falls out of that conversation could be used to target me with more ads for parm and parm-adjacent products just about anywhere that pizza place’s trusted partner is able to do so. It’s just a happy coincidence if that means advertising on Facebook.

So just to recap, what WhatsApp (okay, mostly Facebook) is saying at this point is:

  • There’s tons of juicy consumer data in WhatsApp that marketers aren’t tapping into, but accessing it might mean paying a not-insignificant fee to Facebook and to one of these trusted third parties (which, yep, also pay Facebook as part of terms for their title).
  • Once they have their hands on enough data, they’re free to pay Facebook again for the privilege of advertising against these same users. If you read between the lines, though, the decision to advertise on Facebook or not is pretty much made up for them before they even asked.
  • This exact cycle repeats likely thousands of times per week.
  • ???????
  • Somewhere down the line, Mark Zuckerberg gets rich enough to get those ass implants we’re sure he always wanted.

On one hand, I don’t really blame WhatsApp for flubbing this announcement. Like all things in adtech, explaining the specifics of WhatsApp’s Business API (or any of its specific data-sharing practices) is a mind-numbingly dull exercise that almost certainly couldn’t fit onto people’s lil phone screens. But by ignoring a lot of these nuances, the company’s left with hordes of people that filled this update with their own theories about what these seemingly sweeping privacy changes actually mean.

There’s got to be a happy medium somewhere. Until Facebook’s execs find where that is, they’re going to be left posting harried Twitter clips citing the same vapid privacy promises we’ve been seeing from the company until now. But if the WhatsApp debacle should teach us anything, it’s that peeling away at these platitudes can leave you with something deep-rooted and disturbing, and sometimes, older than you’d think.

Update 2:58pm ET: Added response from Facebook.

DISCUSSION

By
My X-Runner carries bikes

This seems like it took a long time to write, so I just wanna say up front that I greatly appreciate the effort gone into explaining this complex topic.

WhatsApp had postponed the implementation of its new privacy policy until mid-May due to “how much confusion there is around our recent update.”

Hey, I’m getting better at reading PR-speak! This translates to “we’re waiting until this whole thing blows over.”