The messaging app WhatsApp has recently hit the headlines over privacy concerns arising from a recent change in its terms of service.

Should this present a concern for law firms, however? We will look at the dynamics around this change and share our thoughts on the situation.

Background

In February 2014, Facebook purchased WhatsApp for $19 billion. WhatsApp is a free, multimedia messaging platform used by 80% of adults in the UK aged between 18 and 24.

However, due to its widespread use and secure end-to-end communication, some businesses have also adopted WhatsApp as a tool to help them better communicate with their employees, clients and customers.

It’s proving particularly popular for projects with external contacts and with law firms that provide consumer services such as private client and personal injury work. It’s important to communicate with your clients using methods both parties feel comfortable with; given such a high usage rate of WhatsApp amongst the UK population, firms sometimes feel the pressure to communicate via WhatsApp alongside traditional channels, particularly when photos and videos are being sent.

The cross-platform nature of WhatsApp (it works on iPhone, Android and Windows devices) removes some of the barriers inherent in other solutions, as does the private nature of the registration (i.e. it is not currently necessary to have a public profile, which other social media platforms require).

WhatsApp comes in different sizes 

There are three different versions of WhatsApp available in the market.

Standard WhatsApp

The version of WhatsApp most commonly used is the free version that can be downloaded from app stores. WhatsApp is free and can only be tied to one device, though you can access your WhatsApp messages through a web browser too.

WhatsApp for Business

The business version of WhatsApp is almost identical to the standard version. However, it does also include app automation. This allows the business to set up greeting messages, away messages, and quick replies.

WhatsApp Business API

This version is best for automation of processes via an API (Application Programming Interface). It’s mainly for central support and call centres at medium to large companies. The API can send messages through session and template messaging. Template messaging must first be approved by WhatsApp and an account can only be set up after applying to a WhatsApp approved partner.

 

Making the news or is the news making it up?

WhatsApp recently hit the headlines due to a change in its terms of use and privacy policy.

WhatsApp users were compelled to accept the new terms of service to continue using the app.

As part of a change in the privacy policy update, WhatsApp also removed a passage about opting out of sharing certain data with Facebook: “If you are an existing user, you can choose not to have your WhatsApp account information shared with Facebook to improve your Facebook ads and products experiences.”

This has caused some confusion in the media, as it appears that WhatsApp is now making a new and fundamental change to their data sharing activities. This is not strictly true, for the following reasons:

  • In August 2016, WhatsApp launched a major privacy policy update when it started sharing user information and metadata with Facebook. At the time, existing users were given 30 days to opt out of some of that sharing activity. Any user that chose to opt out at that point will still have that decision honoured by WhatsApp.
  • Anyone that has joined WhatsApp since 2016 will have had their user information shared with Facebook regardless. The 2021 privacy policy changes do not change that.

Facebook further clarified the scope of the changes by stating that data is only shared with Facebook if you are communicating with a business that integrates with WhatsApp. The data shared is likely to be used for better ad targeting, which allows Facebook to optimise ads based on user interests. These data-sharing policies only apply to businesses that use Facebook’s business hosting solutions. Facebook says that conversations with such businesses will be marked out with a label.

The data shared includes:  

  • Phone Number
  • Device ID
  • Location
  • Transaction Data
  • Product Interaction
  • User identifiers

However, there is a key aspect to all this in relation to WhatsApp for users in Europe and the UK.  

Facebook issued a statement saying that there would be no changes in the EU, EEA and post-Brexit UK. Specifically, Facebook announced: 

“For the avoidance of any doubt, it is still the case that WhatsApp does not share European region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or advertisements” 

This should provide some assurance for UK-based users of WhatsApp.

Is WhatsApp data secure? 

The important thing to remember is that at no point has WhatsApp shared data that most people would consider personal or sensitive.  

  • WhatsApp or Facebook cannot see messages or hear calls;
  • WhatsApp does not keep logs of messaging or call participants;
  • WhatsApp does not share user contacts with Facebook;
  • All data can be deleted and/or downloaded.

In addition to this, when WhatsApp users are messaging others in a personal capacity, all messages are secured by end-to-end encryption ensuring that only the sender and recipient can view the messages. 

However, when a normal user communicates with a business using the WhatsApp for Business app or the WhatsApp Business API, the situation becomes more nuanced. WhatsApp states that:

“WhatsApp considers chats with businesses that use the WhatsApp Business app or manage and store customer messages themselves to be end-to-end encrypted. Once the message is received, it will be subject to the business’s own privacy practices. The business may designate several employees, or even other vendors, to process and respond to the message.” 

For this reason, firms communicating with clients may wish to make their privacy position around the use of WhatsApp clear. 

Should WhatsApp be used in business? 

With privacy and security around messaging retained, the risks of personal data being compromised remain low – so long as firms ensure they have implemented their own protocols around the use of WhatsApp. For example, firms may wish to ensure that two-factor authentication is used on WhatsApp accounts and ensure access and password details are limited to a small number of employees. 

The wider privacy issue should be monitored, as the UK Information Commissioner is writing to Facebook to ensure a continuance of its commitment not to share UK users’ data.

WhatsApp remains a popular messaging platform, including amongst clients. It would seem to be a frictionless way of communicating with clients in an environment they feel comfortable with, alongside the more traditional channels.  

We are using WhatsApp – Should we continue? 

Several of our clients have contacted us to ask if they should stop using WhatsApp immediately. Indeed, several firms are talking about moving to other messaging platforms such as Signal. 

It is not an easy question to answer, nor is there a one-size-fits-all response. Each firm needs to determine its own situation and views, and implement appropriate processes.

1. Some businesses allow staff to use their own personal phones and personal WhatsApp accounts for business processes.

2. In other firms WhatsApp is only allowed on corporate devices.

We recommend not rushing to jump from a problem with WhatsApp to unknown problems with another platform. 

We’d recommend: 

1. Identifying how WhatsApp is being used and for what purposes.

a. External (Client & Suppliers)

b. Internal

2. What settings should be used (e.g. two-factor authentication)?

3. For internal teams, do you have professional tools such as Yammer or Teams which can easily be deployed?

4. Does the WhatsApp privacy policy align with your own privacy policies?

5. If you use WhatsApp with external contacts, you may wish to look at alternatives. For example, many PMS vendors now have portal and app technology that can be used to provide messaging and file upload/access services.

By performing a risk assessment, firms can understand the risks presented and take appropriate action.

Written by…

Nigel Stott