This Was WhatsApp’s Plan All Along


Even if you aren’t the type of person who peruses WhatsApp on a regular basis, chances are you’ve tried perusing its new privacy policy.

Emphasis on “tried.” The roughly 4,000-word tome fell under fire from countless WhatsAppers across the globe after the company told its users that they’ll be ejected from the platform unless they abide by these new terms. Some eagle-eyed critics quickly noticed that buried under the rest of the usual slop that comes with your average privacy policy, it seemed like the new terms mandated that WhatsApp now had the right to share supposedly personal data — like phone numbers or payment info — with its parent company, Facebook, along with fellow subsidiary Instagram.

Naturally, people lost it. Over the past week, tens of millions of people have apparently flooded off of WhatsApp and onto rival messaging platforms like Signal and Telegram. Elon Musk weighed in, as did Edward Snowden. Turkish authorities opened a probe into WhatsApp’s data-sharing practices, followed by Italy’s regional data authority doing the same. On Thursday, authorities in India, WhatsApp’s biggest market, filed a petition alleging that the new terms weren’t only a threat to personal privacy, but to national security as well.

What became very clear very quickly is that, while everyone agreed on being outraged, there was a bit of fuzziness on what they agreed to be outraged about.

The confusion was the natural result of WhatsApp’s bungled rollout of these new policies. By shoving a scary-sounding ultimatum in front of countless users, and by tying that ultimatum to a privacy policy that (I think we can all agree) is near-impossible to comprehend, the bulk of WhatsApp’s users were left assuming the worst: that Facebook could now read their WhatsApp messages, snoop through their entire contact list, and know every time they leave someone on “read” within the app. These rumours eventually reached WhatsApp Head Will Cathcart, who issued his own lengthy Twitter thread debunking the bulk of these claims, before WhatsApp proper did its own debunking in the form of an FAQ page.

In a shocking turn of events, WhatsApp’s attempt to set its own tarnished record straight was regarded as bullshit by its more vocal critics. And honestly, they had a point: This is WhatsApp we’re talking about. When an encrypted chat platform that’s been widely praised by people in the privacy and security space very rudely announces it’ll be sharing your data — any data — with a company like Facebook, you can understand why that would raise some hackles.

The thing is, in the years since WhatsApp co-founders Jan Koum and Brian Acton cut ties with Facebook for, well, being Facebook, the company slowly turned into something that acted more like its fellow Facebook properties: an app that’s kind of about socialising, but mostly about shopping. These new privacy policies are just WhatsApp’s — and Facebook’s — way of finally saying the quiet part out loud.

I Don’t Have All Day, Gimme The Short Version

If you’re also the type of person that solely uses WhatsApp to message friends, family, and the occasional petsitter, nothing’s changing on the privacy front. In fact, what we think of when we talk about our “privacy” on WhatsApp has been largely unchanged since mid-2016, when the company first announced that WhatsApp would start sharing some of your basic metadata like your phone number and a grab-bag of “anonymous” identifiers unless you manually opted out. (Facebook ended up pulling the opt-out button pretty soon after, but that’s another story entirely).

Not too long ago, an anonymous developer reverse engineered the entire WhatsApp web app, and their findings are freely scannable through their GitHub. In a nutshell, if I messaged a petsitter after the 2016 updates, Facebook might be able to suss out my phone’s make and model, along with how dangerously low on juice my phone might be — but those pet-sitting conversations are entirely encrypted. None of that’s changing now.

That said, if you live in a country like India or Brazil where WhatsApp isn’t only a chatting app, but a chatting app for brands and businesses to reach their clientele, things are a bit different. Unlike the aforementioned pet-sitting conversation, chances are any conversations you might have with a given company aren’t only unencrypted, but they’re shared with way more parties than you might think.

WhatsApp’s privacy policy might be new to most of us, but this particular practice has already been the platform’s MO for years.

The WhatsApp You Know And The WhatsApp You Don’t

The backstory that led up to WhatsApp’s bungled announcements actually started around the same time Koum jumped ship from the platform that was earning him frankly grotesque amounts of cash. A few months later, WhatsApp quietly rolled out a new business-facing product that promised to milk even more revenue out of the multi-billion-dollar platform: the “WhatsApp Business API.”

As the name suggests, the Business API was geared towards businesses: airlines that want to use WhatsApp to send boarding passes, for example, or a grocery chain that wants to use WhatsApp to let someone know their order is out for delivery. These messages weren’t meant to be promotional the way, say, an ad on Instagram might be; they were meant to be transactional — kind of like a conversation you have with a store clerk when looking for shoes in your size. If the business in question answered a given inquiry within a one-day window, Facebook let them send their response free of charge.

Any message sent after the initial 24 hours comes saddled with a tiny fee — ranging anywhere from a fraction of a fraction of a cent to a few cents per message, depending on which third parties might be involved and the country a given brand is targeting. This fee gets divvied up by those parties and, of course, by WhatsApp.

While a few outlets covered this burgeoning product as something like Facebook’s answer to the “customer support” emails and texts from days of yore, it went pretty much unnoticed by most outlets that (rightfully) saw the API as a pretty boring piece of adtech. Brands, on the other hand, couldn’t be more jazzed about the idea, and they kept on being jazzed while WhatsApp adopted new features meant to make it more commerce-friendly.

By 2020, WhatsAppers based in India weren’t only using WhatsApp to talk to their pet sitters — they were scrolling through WhatsApp-specific catalogues for new shoes, plunking their selected pair into a WhatsApp-specific cart, and then using a WhatsApp-specific payment processor to pay for their new kicks before following up with WhatsApp to make sure their order arrived on time.

More brand appeal means more brands are flocking to plug into this API. In 2018, WhatsApp initially opened access to the new platform to roughly 100 hand-picked partners, like Netflix, Uber, and a few hotels and banks in regions where WhatsApp is the SMS platform of choice. Some analysts estimated that a year later, the number of enterprises plugged into the API went from 100 to roughly 1,000. At its current rate, the team said, WhatsApp is on track to get close to 55,000 businesses using this API by the end of 2024, all collectively racking up a hefty $US3.6 ($5) billion in messaging fees.

The thing is, it’s really hard to goad a brand to drop that kind of cash on your product when they can’t even read what their customers are saying because, again, WhatsApp’s chats are encrypted by default. This was one of the sticking points that ultimately led to Koum’s exit, according to the Washington Post: Facebook wanted to turn WhatsApp into a business-friendly platform, and WhatsApp’s team fired back that they couldn’t build that platform without weakening WhatsApp’s native encryption in some way.

They were right. But Facebook — again, being Facebook — didn’t really seem too bothered by the idea of baking a brand-sized loophole into an encrypted platform. And if you trace back which policy change ended up biting WhatsApp in the arse the most when it rolled out these new policies, you could say some of the creepiest parts actually stem from this one decision.

We reached out to Facebook regarding its changes and will update when we hear back.

What We Talk About When We Talk About Encryption

When the sea of internet outrage reached a critical mass on Twitter dot com, Instagram head Adam Mosseri tweeted out that he was seeing “a lot of misinformation” about WhatsApp’s new terms of service. The changes people were reading were strictly related to messaging businesses on WhatsApp, which, as he reminded people, is always optional. He then linked to WhatsApp’s own FAQ on the subject, which included another mealy-mouthed explanation of how, exactly, businesses use your WhatsApp data. In reality, though, it doesn’t really say much of anything: it doesn’t touch on the exact data that these partners are hoovering up from a (supposedly) encrypted platform, nor does it even discuss what “changes” in the privacy policy specifically apply to business-based messaging.

So instead of parsing apart… all of that, let’s go straight to the source. The Business API’s source code is actually easily searchable on Facebook’s dev-facing site, which means you can also find the data points this API hoovers from WhatsApp proper, and how it could — at least potentially — bypass WhatsApp’s encryption to do so. Or if you want, you can just visit this surprisingly cogent FAQ that literally asks “Is end-to-end encryption maintained through the WhatsApp Business API?” WhatsApp’s response, which we emphasised here, is just… something (emphasis ours):

WhatsApp considers communications with Business API users who manage the API endpoint on servers they control to be end-to-end encrypted since there is no third-party access to content between endpoints.

Some organisations may choose to delegate management of their WhatsApp Business API endpoint to a third-party Business Solution Provider. In these instances, communication still uses the same Signal protocol encryption. However, because the WhatsApp Business API user has chosen a third party to manage their endpoint, WhatsApp does not consider these messages end-to-end encrypted. In the future, in 2021, this will also apply to businesses that choose to leverage the cloud-based version of the API hosted by Facebook.

In addition, if you are using HTTPS when making calls to the WhatsApp Business API client, that data is SSL-encrypted (from your backend client to the WhatsApp Business API client).

Or put another way, WhatsApp’s telling us that when we have conversations with the business or brand on the platform — and that business or brand happens to be working with a given number of third parties — the encrypted WhatsApp we’re used to using goes out the window.

I should probably clarify who these third parties actually are. Facebook calls them Business Solution Providers (or BSPs for short), and they’re essentially an approved set of adtech vendors whose sole responsibility is making marketing on Facebook as easy an experience as possible. If you’re advertising a hip new line of CBD gummies and only want to reach, say, dog mums on Instagram between 18 and 21 that live in the U.S. but exclusively speak Portuguese at home, there are a few dozen BSPs that Facebook can match you up with. If you want to reach them on other Facebook properties — like, say, WhatsApp — there are 66 partners that Facebook lists off as having the key to its Business API. Even if you can’t get your hands on it, Facebook’s essentially promising that your ads will be safe in these third-party players’ hands if you promise to give them a little monetary something-something.

The encryption-busting manoeuvre these BSPs are allowed to do is, as always, openly available, courtesy of Facebook. If your brain hasn’t smoothed over reading about this API until now, I’d recommend flipping through those docs. For my fellow smooth-brainers, here’s the basic gist: When a BSP or any Facebook-approved partner downloads the Business API, it comes packaged with a port that directs data from WhatsApp conversations onto an external database that this partner controls. When that partner gets buddied up with, say, a pizza place that wants to use WhatsApp for customer support, every message the pizza place gets asking about the status of someone’s slice ends up in this unencrypted bucket, along with a slew of contact info about the person who put that request in.

Once that data’s under a third-party’s purview, ultimately it’s no longer Facebook’s responsibility, even if it’s used to target ads on one of the company’s own platforms. WhatsApp cheerfully described this setup in yet another FAQ (emphasis ours again):

Some businesses and solution providers will use WhatsApp’s parent company, Facebook, to securely store messages and respond to customers. While Facebook will not automatically use your messages to inform the ads that you see, businesses will be able to use chats they receive for their own marketing purposes, which may include advertising on Facebook. You can always contact that business to learn more about their privacy practices.

In other words, if I’m using WhatsApp to ask this imaginary pizza place why my eggplant parm and diet coke haven’t gotten to my apartment yet, whatever data falls out of that conversation could be used to target me with more ads for parm and parm-adjacent products just about anywhere that pizza place’s trusted partner is able to do so. It’s just a happy coincidence if that means advertising on Facebook.

So just to recap, what WhatsApp (ok, mostly Facebook) is saying at this point is:

  • There’s tons of juicy consumer data in WhatsApp that marketers aren’t tapping into, but accessing it might mean paying a not-insignificant fee to Facebook and to one of these trusted third parties (which, yep, also pay Facebook as part of the terms for their title).
  • Once they have their hands on enough data, they’re free to pay Facebook again for the privilege of advertising against these same users. If you read between the lines, though, the decision to advertise on Facebook or not is pretty much made up for them before they even asked.
  • This exact cycle repeats likely thousands of times per week.
  • ???????
  • Somewhere down the line, Mark Zuckerberg gets rich enough to get those arse implants we’re sure he always wanted.

On one hand, I don’t really blame WhatsApp for flubbing this announcement. Like all things in adtech, explaining the specifics of WhatsApp’s Business API — or any of its specific data-sharing practices — is a mind-numbingly dull exercise that almost certainly couldn’t fit onto people’s lil phone screens. But by ignoring a lot of these nuances, the company’s left with hordes of people that filled this update with their own theories about what these seemingly sweeping privacy changes actually mean.

There’s got to be a happy medium somewhere. Until Facebook’s execs find where that is, they’re going to be left posting harried Twitter clips citing the same vapid privacy promises we’ve been seeing from the company until now. But if the WhatsApp debacle should teach us anything, it’s that peeling away at these platitudes can leave you with something deep-rooted and disturbing — and sometimes, older than you’d think.