Sending the All Clear Signal: The Implications of WhatsApp’s New Data Privacy Policy

Popular messaging app WhatsApp announced new data privacy policy changes set to debut on February 8, much to the chagrin of its massive user base. The Facebook-owned app let users know that their data would soon be available to the Facebook parent company for commercial purposes, which was met with widespread backlash. If users refused to accept the new policy, their accounts would be deleted. Many users immediately threatened to leave WhatsApp in favor of the Signal messaging app, which is encrypted and inherently offers more security and data protection to its users.

Consumer Data Protection – and Collection – in the Age of Facebook

Facebook’s decision to collect data from one of its subsidiaries should hardly come as a surprise. The social media behemoth was a pioneer in commercial data collection, and continues to amplify its efforts to maximize its own profits. But there are other concerns – namely, consumer data privacy – that must be considered when any company combines data from multiple sources and intends on applying a blanket security policy to that data.

In the case of WhatsApp, there are many individual consumer privacy concerns that should be addressed. First off, the jurisdiction of this newly shared individual data, including where the governing data mandate is from (i.e. EU data falling under GDPR, or California individual data falling under the CCPA) needs to be considered. With any expansion of data use across multiple platforms, there is a greater potential of exposing PII and making it more vulnerable within the larger data surface.

There could also be a layered risk to data privacy in that business users of the combined data in jurisdictions with strict regulations on personal privacy may unknowingly breach personal privacy mandates due to the default access they possess to a new subset of data. This could make the classification of data custodians much more difficult for second- and third-party companies that market and conduct commerce in association with the larger data lake. In the US, the data security policies of many companies will vary state by state until an ironclad data protection or privacy mandate is implemented. With Facebook and WhatsApp being situated with operations in California, there is an additional complexity around data and consumer privacy under the shared model of user data.

Why Disgruntled WhatsApp Users Are Turning to Signal

Most of the now-former WhatsApp users have gravitated toward the Signal app in search of data privacy refuge. Signal is an encrypted cross-platform messaging app that is run by the non-profit Signal Foundation. The Signal Foundation was actually formed by WhatsApp co-founder Brian Acton in 2018, who had left the company he helped create the previous year over a dispute with parent company Facebook over...you guessed it – monetizing the data of its users.

The Signal app first went live in 2014, but the origins of its predecessors and its development by Open Whisper Systems date back as far as 2010. Acton’s additional funding enabled the app’s developers to expand to new platforms and to remain a non-profit organization. To date, Signal relies entirely on donations to operate. Despite its emphasis on individual security, the app’s privacy features and open-source nature have inadvertently fostered cybercriminal activity.

No Stranger to Malicious Cyber Threat Activity

Signal is an open-source application, a designation that has some benefits and some threats. Though the transparency allows users worldwide to witness and even monitor the code that is installed on their devices, the fact that it is visible for all means it can be stolen, replicated and modified. After modification, a threat actor could publish a malicious duplicate of the Signal app in any number of app stores and trick users into downloading that version, thereby infecting their devices with malware.

Hackers have long been using Signal as a more private arena to conduct black market business and plot elaborate cyberattacks with cohorts, as our research indicated in mid-2020. Signal is the only prominent instant messaging app that does not retain the messages and data sent by its users. But now the general public is catching on more and more that Signal offers them security and the ability to evade commercial data collectors.

It will be interesting to see how the influx of new users to Signal changes the cyber threat landscape in the coming months and years. Will hackers be able to exploit former WhatsApp users for financial gain? Will the Signal Foundation be forced to implement new data privacy parameters or turn over data to governing bodies for security purposes? Nothing is certain, other than the fact that, for now, users can be confident in using Signal to privately send messages without fear of their data being sold for commercial purposes.

To learn more about cybercriminal activity on instant messaging apps like Signal, read our research report, Instant Messaging Mayhem: Communication Channel of Choice for Cybercriminals.

Download Your Copy

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.