Cyber Privacy in SMS-Alternative Messaging Applications: WhatsApp Case Raises Novel Legal Questions

Messaging applications like Telegram and WhatsApp emerged as alternatives to SMS-based messaging, and significantly enhanced our ability to communicate with friends and family in other countries, regardless of telecom networks and carriers. A range of concerns may go into a user’s decision as to which messaging application to use to connect to their coworkers, friends and family. Privacy is often one of the main concerns. Privacy issues in this area are twofold: privacy related to the service provider and platform themselves, and privacy relating to outside third-party infiltration of the service.

With respect to the first privacy concern, some users may have legitimate concerns about the access granted to the very company that provides the service in the first place. It is understandably essential for users to have some level of confidence in the provider of the service that connects them to their loved ones and colleagues. This is why the sizable acquisition of WhatsApp by Facebook in 2014, after its earlier acquisition of Instagram in 2012, raised privacy concerns alongside competition issues in different jurisdictions around the world. These concerns centered on the newfound ability of the parent company to share users’ data across its three platforms.

To clear the deal, Facebook had to give assurances to the U.S. Federal Trade Commission (“FTC”), among other authorities, that its use of WhatsApp data after the acquisition would not undermine users’ privacy choices. Nevertheless, Facebook allegedly violated these promises. In July of this year, Facebook agreed to pay a $5 billion penalty to settle FTC charges, the largest fine ever imposed on any company for violating consumer privacy. The company also agreed to submit to new restrictions and a modified corporate structure that, according to the FTC, will hold the company accountable for the decisions it makes about its users’ privacy.

The company has faced similar issues in Europe, where privacy protections arguably are even stronger under the EU’s General Data Protection Regulation (“GDPR”). These concerns came to the forefront again after reports earlier this year that Facebook planned to merge data from its three messaging services into a single platform in 2020. The UK Information Commissioner’s Office had ruled in March 2018 that an earlier plan to share user information between Facebook and WhatsApp would be illegal under GDPR.

The second privacy concern, noted above, is the ability of third parties to infiltrate the otherwise secure systems and platforms provided by companies such as WhatsApp. A novel lawsuit filed this October by WhatsApp in federal court in the Northern District of California may become a precedent-setting case on this aspect of privacy (WhatsApp Inc. v. NSO Group Technologies Limited).

Starting in April 2019, a cybersurveillance firm named NSO allegedly used WhatsApp servers to send malware to approximately 1,400 mobile phones and devices. Their malware was designed to infect these “target devices” for the purpose of conducting surveillance of specific WhatsApp users. According to WhatsApp, NSO was unable to break WhatsApp’s end-to-end encryption. Instead, NSO developed its malware to access messages after they were decrypted on an infected target device, abusing in-app vulnerabilities and the operating systems that power our mobile phones. In May 2019, WhatsApp detected and stopped NSO’s unauthorized access and abuse of its service.

Cybersecurity attorney Scott Watnik of Wilk Auslander in New York has called WhatsApp’s lawsuit against NSO “entirely unprecedented,” explaining that service providers often avoid litigation for fear of compromising their digital security. WhatsApp says this is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users. But this might be because, in similar past incidents, the attacker was not a legally incorporated private entity that could be sued in court.

We have yet to see where these developments will lead. Important points to watch are the result of the WhatsApp lawsuit and how Facebook will address the privacy concerns of its users and the relevant legal challenges it faces in different jurisdictions.

By Amin Bahrami, Legal Fellow

About the author: USIRCC