Cyber Privacy in SMS-Alternative Messaging Applications: WhatsApp Case Raises Novel Legal Questions

Messaging applications like Telegram and WhatsApp emerged as alternatives to SMS-based messaging, and significantly enhanced our ability to communicate with friends and family in other countries, regardless of telecom networks and carriers. There are a range of concerns that may go into a user’s decision as to which messaging application to use to connect to their coworkers, friends and family. Privacy is often one of the main concerns. Privacy issues in this area are twofold: privacy related to the service provider and platform themselves, and privacy relating to infiltration of the service by outside third parties.

With respect to the first privacy concern, some users may have legitimate concerns about the access granted to the very company that provides the service in the first place. It is understandably essential for users to have some level of confidence in the provider of the service that connects them to their loved ones and colleagues. This is why the sizable acquisition of WhatsApp by Facebook in 2014, after its earlier acquisition of Instagram in 2012, raised privacy concerns alongside competition issues in different jurisdictions around the world. These concerns centered around the newfound ability of the parent company to share users’ data across its three platforms. 

To clear the deal, Facebook had to give assurances to the U.S. Federal Trade Commission (“FTC”), among other authorities, that its use of WhatsApp data after the acquisition would not undermine the users’ privacy choices. Nevertheless, Facebook allegedly violated these promises. In July of this year, Facebook agreed to pay a $5 billion penalty to settle FTC charges, the largest fine ever imposed on any company for violating consumer privacy. The company also agreed to submit to new restrictions and a modified corporate structure that, according to the FTC, will hold the company accountable for the decisions it makes about its users’ privacy.

The company has faced similar issues in Europe, where privacy protections arguably are even stronger under the EU’s General Data Protection Regulation (“GDPR”). These concerns came to the forefront again after reports earlier this year that Facebook planned to merge data from its three messaging services into a single platform in 2020. The UK Information Commissioner’s Office had ruled in March 2018 that an earlier plan to share user information between Facebook and WhatsApp would be illegal under GDPR.

The second privacy concern, noted above, concerns the ability of third parties to infiltrate the otherwise secure systems and platforms provided by companies such as WhatsApp. A novel lawsuit filed this October by WhatsApp in federal court in the Northern District of California may become a precedent-setting case on this aspect of privacy (WhatsApp Inc. v. NSO Group Technologies Limited).

Starting in April 2019, a cybersurveillance firm named NSO allegedly used WhatsApp servers to send malware to approximately 1,400 mobile phones and devices. The malware was designed to infect these “target devices” for the purpose of conducting surveillance of specific WhatsApp users. According to WhatsApp, NSO was unable to break WhatsApp’s end-to-end encryption. Instead, NSO developed its malware to access messages after they were decrypted on an infected target device, abusing vulnerabilities in the app itself and in the operating systems that power our mobile phones. In May 2019, WhatsApp detected and stopped NSO’s unauthorized access and abuse of its service.

Cybersecurity attorney Scott Watnik of Wilk Auslander in New York has called WhatsApp’s lawsuit against NSO “entirely unprecedented,” explaining that service providers often avoid litigation for fear of compromising their digital security. WhatsApp says this is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users. But this may be because in similar past incidents, the attacker was not a legally incorporated private entity that could be sued in court.

We have yet to see where these developments will lead. Important points to watch would be the result of the WhatsApp lawsuit, and also how Facebook will address the privacy concerns of its users and the relevant legal challenges it faces in different jurisdictions.

By Amin Bahrami, Legal Fellow

OFAC’s October 2019 Guidance for Foreign Governments and Foreign Financial Institutions Engaging in Humanitarian Trade with Iran

The Office of Foreign Assets Control (OFAC) is the financial intelligence and enforcement agency of the U.S. Treasury Department; more specifically, OFAC administers and enforces U.S. economic and trade sanctions. In the past, companies engaging in JCPOA-related, sanctions-exempt, or specifically licensed trade activities with Iran often sought, to little avail, detailed guidance from OFAC on what, in OFAC’s view, constituted sufficient due diligence and compliance programs. Until recently, interested parties relied on public releases of OFAC settlement agreements and financial penalty decisions for takeaways on best practices and mistakes to avoid, but this type of targeted analysis necessarily requires after-the-fact assessments and comparisons to complex, case-specific situations. OFAC’s May and October 2019 publications of additional guidance attempt to address these concerns in unprecedented detail.

OFAC’s May 2, 2019 General Guidance on Sanctions Compliance Programs 

Earlier this year, OFAC took steps to clarify its expectations of compliance programs, by issuing its most comprehensive guidance to date. On May 2, 2019, OFAC issued, “A Framework for OFAC Compliance Commitments,” to encourage companies to “develop, implement, and routinely update” a risk-based sanctions compliance program (“SCP”). The guidance was intended for U.S. companies as well as non-U.S. companies, and laid out five “essential components” of an effective SCP: (i) management commitment; (ii) risk assessment; (iii) internal controls; (iv) testing and audit; and (v) training.

OFAC’s October 25, 2019 Iran-Specific Guidance on Humanitarian Trade, Due Diligence & Reporting Expectations

Most recently, on October 25, 2019, OFAC published a four-page document called “Financial Channels to Facilitate Humanitarian Trade with Iran and Related Due Diligence and Reporting Expectations” (the “Mechanism”), which purports to provide further guidance and set forth OFAC’s expectations concerning humanitarian trade with Iran. OFAC clarifies that the Mechanism is “designed solely for the purpose of commercial exports of agricultural commodities, food, medicine, and medical devices to Iran” (i.e., humanitarian, sanctions-exempt trade). According to OFAC, the Mechanism “will provide unprecedented transparency into humanitarian trade to Iran.” The Mechanism specifically applies to foreign governments and foreign financial institutions, the near-totality of which have withdrawn or abstained from humanitarian trade with Iran out of fear of reprisal from U.S. secondary sanctions. 

The Mechanism was issued as part of the concurrent designation of Iran as a “jurisdiction of primary money laundering concern” under Section 311 of the USA PATRIOT Act. This designation was not made by OFAC, but by a separate bureau of the U.S. Treasury Department, the Financial Crimes Enforcement Network (“FinCEN”), which collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes. The designation prohibits correspondent accounts in the U.S. on behalf of Iranian financial institutions, and prohibits foreign financial institutions from processing transactions involving Iranian banks.

Under the terms of the Mechanism, “participating governments and financial institutions must commit to conducting enhanced due diligence to mitigate the higher risks associated with transactions involving Iran.” It contains an “illustrative list” of comprehensive enhanced due diligence protocols that OFAC says it “may require” depending on the nature of the transaction. As OFAC explains: “this framework will enable foreign governments and foreign financial institutions to seek written confirmation from Treasury that the proposed financial channel will not be exposed to U.S. sanctions in exchange for foreign governments and financial institutions committing to provide to Treasury robust information on the use of this mechanism on a monthly basis.” 

In short, by committing to develop and implement enhanced due diligence procedures, and provide to OFAC a copious volume of information on a monthly basis, foreign governments and foreign financial institutions may be able to obtain written confirmation from OFAC that their intended humanitarian trade activities will not be exposed to U.S. secondary sanctions. 

Practical Considerations of OFAC’s “Enhanced Due Diligence and Reporting Expectations”

OFAC indicates that it has issued the Mechanism to guard against illegitimate trade under the guise of humanitarian trade, to ensure transparency, and to promote greater understanding of U.S. sanctions laws and regulations. The “illustrative list” contained at pages three and four of the Mechanism provides much greater clarity as to the depth of OFAC’s due diligence expectations. The list is profoundly comprehensive, and observes a wide range of due diligence and Know Your Customer principles. Sanctions compliance experts will recognize many familiar themes in the Mechanism, from identity verification to designated persons to transactional logistics.

For the most part, none of this material should be surprising, particularly for large, sophisticated entities that have due diligence experience, sanctions-specific software methodologies, strong compliance programs, and budgetary resources to expend on due diligence of this nature. This being said, one of the counterintuitive and unintended consequences of long-term, broad economic sanctions is the erosion of a legitimate economic engine; this is because over time, sanctions push market forces into the willing arms of the black market, which in turn, stifles the development of transparent, sound business record-keeping practices. Thus, participants in heavily sanctioned economies such as Iran may struggle to meet the level of detail outlined in the Mechanism’s “illustrative list.”

OFAC acknowledges that the Mechanism includes a “great deal of information” to convey on a monthly basis. As noted above, much of it is information that generally would – and should – result from comprehensive, well-effectuated due diligence. But updating this amount of information and certifying its continued appropriateness and accuracy on a monthly basis is extremely costly and time-consuming. Thus far, OFAC’s monthly reporting requirements are proving to be the greatest source of concern for foreign governments and foreign financial institutions. Additionally, the proximity between OFAC’s October release of the Mechanism and Europe’s official launch of INSTEX in June 2019 has led some observers to opine that the Mechanism may be more of a deterrent to INSTEX and humanitarian trade, rather than – as suggested in the document’s title – to “facilitate” humanitarian trade with Iran. 

The Mechanism provides some much needed clarity as to OFAC’s due diligence expectations and reporting requirements for foreign governments and foreign financial institutions engaging in humanitarian trade with Iran. However, the Mechanism may be prohibitive in terms of its monthly reporting requirements. As foreign governments and foreign financial institutions consider and perhaps attempt to implement the Mechanism’s criteria, they should remain alert for additional guidance and clarifications from OFAC, or seek interpretive guidance from the agency. In the midst of procedures being developed in the wake of the U.S. withdrawal from the JCPOA, whether it be INSTEX or OFAC’s recent publications, one thing appears certain: the humanitarian crisis in Iran has no meaningful end in sight for ordinary Iranians.

By Fiona Yang