If there’s a positive that can be taken from the whole issue, it is that there are signs users are now more aware and concerned about their privacy and security online. In response to WhatsApp’s move, millions of users resorted to installing and trying out seemingly more secure apps such as Signal or Telegram – as they took steps to protect their own data in the digital world.
But what would it take to protect our data in an age where everything is connected and our devices carry so much information on everything that we do? To get answers, CSA interviewed Kevin Shepherdson, CEO of Straits Interactive, who explained that keeping information truly safe takes much more than just choosing a different app.
Read on to find out about his views on WhatsApp’s policy blunder and what we as users can do to protect our online privacy.
CyberSecurityAsean: What does the WhatsApp updated policy mean for individual users, and how does it affect them?
Shepherdson: It depends on whether users want to interact with businesses that use WhatsApp for Business - for example, if users want to ask questions using WhatsApp before they purchase something through a business’s Facebook page and that business uses WhatsApp for Business.
WhatsApp LLC was already collecting information about a user's hardware model, operating system and phone number. However, the update states that WhatsApp will now also collect other information such as battery level, signal strength, app version and mobile operator. WhatsApp LLC also collects the user's IP address. Still, they have clarified that this is with only enough precision to estimate a user's general location (e.g. their city and country) unless the user permits the collection of more precise location information for a particular purpose (such as where the location is necessary for a service that the user wants to use).
*Note: It is metadata (data about data) and not the actual contents of the user's conversation that is shared. Many people have misunderstood and shifted to other messaging platforms due to fear for their privacy.
The major changes are where users decide to interact with businesses that use WhatsApp Business. Such businesses may provide WhatsApp LLC with information about their interactions with WhatsApp individual users. WhatsApp LLC clarified that the new update relates to how merchants using WhatsApp Business to chat with customers can share data with Facebook, who could use the information for targeting ads. In addition, where a user chooses to use Facebook, information about their interactions may be provided by Facebook to WhatsApp LLC.
*Note: It is up to users to decide if they want to interact with businesses using WhatsApp Business and/or if they want to use Facebook. If they choose not to do so, there will not be any data relating to such interactions. Similarly, many people have misunderstood and shifted to other messaging platforms due to fear for their privacy.
If we look at the specific context where WhatsApp collects and shares personal data in the business context of the WhatsApp Business app, it is in terms of:
Enabling customer service
Interacting or discovering a business online
Shopping experiences including enabling transactions
The image below is an example of a business promoting its business products and services on Facebook:
Currently, the “Message” button enables the user to utilise Facebook Messenger to contact the business. However, it may be possible that in the future there will be an additional option added so that WhatsApp users will be able to contact the business via WhatsApp instead of using Facebook Messenger. This may be more convenient and useful for people who do not use Facebook messenger and prefer using WhatsApp.
Next, the image below is another random example of a company that sells its products on Facebook.
In this example, the same “Message” button is used to enable an e-commerce transaction. Using Facebook’s new hosting services, businesses or business service providers can use the WhatsApp Business API (application program interface) to conduct their e-commerce services. This means that users can easily transact with businesses via the WhatsApp engine. This is where personal data could be shared with businesses in order to help fulfil the transaction. Additionally, WhatsApp states that in this context, personal data can be used in targeted advertisements and recommendations.
For individuals who engage in online shopping activities, these scenarios may be familiar:
recommended products that appear next to your chosen product
customised advertisements related to your previous purchases or activity
The above scenarios would not have been possible if the individual's website and product browsing history was not tracked and shared with third parties. Analytics and tracking results show that users respond well to recommendations. It provides them with convenience and reduces the time needed to research and compare other products.
Regarding tracking and analytics, the privacy concerns may be valid, at least if WhatsApp is able to identify the individual concerned. In other words, the tracking options may be:
(1) track what a user does in the knowledge that the user is Jim Lim; or
(2) track what a user does knowing that it is the same individual, but not being able to identify them.
People may well think that option (1) above raises privacy concerns, while option (2) does not and/or that any privacy concerns are overridden by the benefit of receiving targeted advertising.
In any event, it is not only Facebook and its group of companies that do it. Every online business and mobile developer that provides a product or service free of charge is actually doing this with the good intention of enhancing your customer experience, albeit that it is done while monetising your personal data. It just so happens that in the case of WhatsApp LLC, it has perhaps been more transparent than some others and/or it’s simply been unfortunate to attract more attention than others - perhaps because Facebook has a less than stellar reputation in connection with privacy.
Be wary of not just Facebook but any company you are dealing with online, especially if the product or service is free!
As businesses can now have access to such personal information, the onus is now on them (and not only Facebook or WhatsApp as they have their own privacy policies) to safeguard the personal data in their possession and put in proper transparent practices to ensure the data is used responsibly and according to their declared purposes.
This is where local data protection laws and the EU General Data Protection Regulation (GDPR) keep such companies in check by ensuring they follow specific rules when collecting, using, disclosing or storing personal data.
As part of our analysis of data protection trends in 2021, we expect to see more privacy breaches along with the usual data breaches. While WhatsApp is secure, there will inevitably be user ignorance - for example, where a user attaches unsecured documents containing personal data to messages in chat groups or where they mistakenly share personal data with the wrong recipient.
CyberSecurityAsean: What can users do to protect their personal data?
Shepherdson: In today’s digital economy, many people may find themselves engaging in more e-commerce or online entertainment activities. Thus, we are seeing a surge in online scams, including those in Singapore. To safeguard themselves, consumers need to be cautious when providing personal data about themselves, especially when they come across a message, an email or a telephone call that sounds too good to be true or raises alarm and promises a quick solution by clicking on a link, opening a document or giving a caller access to sensitive personal data such as a bank account. Before proceeding with an action e.g. sign up, buy or share, it is important to verify the actual source. Unfortunately, consumers need to learn to be suspicious by default and to keep in mind that both marketers and scammers use psychological triggers to entice consumers into sharing personal data about themselves.
Another good practice is to ensure that all online accounts have two-factor authentication. This means, say, a password (one authentication factor) plus a code sent by SMS to a registered mobile number (the second authentication factor) for signing into online accounts. Passwords should be strong by including a mix of numbers, symbols, upper-case and lower-case letters. The same password should not be used for several accounts at any time, and certainly not for access to bank accounts, etc. In addition, it is also good practice for consumers to change their passwords from time to time - say, at least every few months.
Besides that, it is recommended for consumers to read the privacy notice to figure out the permissions and access that they need to give to a mobile app developer, or to know how the organisation uses and stores their personal data when downloading free apps or signing up for memberships on an organisation’s website. Consumers should also decide not to download and use an app if the privacy notice is so complicated that they can’t understand it, or if they are worried about what it says about how the organisation uses and stores their personal data - for example, if it says that the organisation can share all of the user’s personal data with third party ‘business partners’ (which typically means they can share the app user’s personal data with anyone whenever they feel like it).
Before downloading an app, consumers should think about why the app has been made available and by whom. Where an app is made available by a well-known organisation to make it easier for consumers to acquire their products and services, that makes good commercial sense. Where an app is made available free of charge by an unknown organisation or for a frivolous, even if entertaining, purpose, consumers should proceed with care and ask themselves ‘Why is this app being made available?’ and ‘How does the organisation that made it available make money from it?’. If there is no clear and logical answer, then, if it’s free, you are the product! Collecting and sharing personal data about you might be the only real purpose of making the app available.
CyberSecurityAsean: Why is it so important that public security attitudes and awareness are improved? Did the recent backlash (over Facebook’s actions) show that it has improved?
Shepherdson: Over the past decade, we have seen people become more comfortable with the digital landscape and actively engage in online activities, even trading their personal information for free services or convenience. Recent data and privacy breaches have, however, contributed to consumer distrust and raised consumer awareness regarding data protection and privacy - for instance, the Cambridge Analytica data scandal and the recent SolarWinds and SITA data breaches.
The “Consumer Intelligence Series: Protect.me” research conducted by PwC United States in 2017 revealed that only 25% of survey respondents believe that their data is being handled appropriately by businesses. Meanwhile, 80% of respondents believe that new technologies should be regulated by the government for consumer protection. Although this research was conducted in the United States, it is also a strong indication of consumer concern regarding data protection. Meanwhile, the past decade has also seen data protection laws, including the EU GDPR, the Philippines’ DPA, as well as Malaysia’s and Singapore’s PDPA, coming into effect. Recent amendments to data protection laws are also a reflection of consumer concerns regarding data protection and privacy.
CyberSecurityAsean: How do the app’s new features comply with regional data protection guidelines, especially in ASEAN?
Shepherdson: As a company that is based in the United States, WhatsApp LLC faces few, if any, local legal requirements in relation to data protection/privacy; however, it seems that they have chosen to comply with the transparency requirements that are typically seen in data protection laws. Arguably, they have been more transparent than is required under the PDPA in Singapore.
CyberSecurityAsean: From the perspective of businesses or service providers, what are the key data privacy and protection policies/practices they should adopt to safeguard personal data?
Shepherdson: For companies, ensuring that the organisation has an effective GRC framework relating to personal data is crucial. It is also highly recommended for an organisation to conduct a risk assessment to identify if the organisation is collecting, using, disclosing or storing data according to the requirements of the PDPA law.
Organisations should create data protection committees to govern and protect the personal data they have in their inventory.
Organisations should identify all standard privacy and security risks within the organisation. For example, if the company has an online portal, website or mobile app, they should do a penetration test by ethically hacking into their software to look for vulnerabilities that a cyber attacker can exploit. After identifying the gaps, they should implement appropriate IT measures to resolve them. Additionally, the organisation should ensure that proper security measures and access controls are implemented.
In 2021, companies need to comply with the data protection requirements of the jurisdictions in which they are operating. For instance, the Personal Data Protection Act (PDPA) in Singapore requires organisations operating in Singapore to be accountable for complying with the PDPA, including protecting the personal data in their possession.
In short, individuals need to exercise caution by reading the privacy notices of the website or apps that they are using. Organisations need to be aware of the risks associated with the personal data in their possession or under their control and have appropriate policies and standard operating procedures (SOPs) to address these risks.
CyberSecurityAsean: How does Straits Interactive help businesses protect user privacy and practice responsible marketing?
Shepherdson: We help businesses protect user privacy and practice responsible marketing by assisting them in the development and implementation of their policies and SOPs, enabling them to manage their operational data protection risks through a combination of cloud technology and professional services. In addition, our services extend to assisting companies in navigating the various funding options available in Singapore for training and digitalisation of key business processes, of which data protection is part.