The world is buzzing with a kerfuffle about WhatsApp’s new Privacy Policy. Competing apps like Signal and Telegram have had a surge in users in the last few days (but organisations like the European Commission had defaulted to it long ago). Trade groups in India are wondering why Europe is being treated differently to the rest of the world (hint: It’s the DPC putting a marker down in 2016). And I even wound up on lunchtime radio chatting about all of this.

So What’s Up with WhatsApp?.

What’s Up, App?

The potted summary is that Facebook, the owners of WhatApp since 2014, have pushed out a ‘take it or leave it’ notice to WhatsApp users basically telling everyone about data sharing that is going to happen between WhatsApp and Facebook. This, of course, is the exact antithesis of what Facebook and WhatsApp assured regulators back in 2014 when Facebook bought the relatively privacy respecting instant messaging application for $19 billion. WhatsApp founder Brian Acton has disclosed that Facebook coached him on what to say to get that deal past Regulators.

Communications content data won’t be shared because WhatsApp shares the end-to-end encryption capabilities of Signal as it incorporates some of Signal’s protocols. But the metadata (data about the data) associated with WhatsApp messages is not encrypted and is available to be shared. This includes things like userIDs, phone numbers, location (either derived from GPS or from IP addresses), frequency of messaging, duration of messaging, interactions with businesses, payments (in markets where WhatsApp offers payment processing), and other data that can build a very interesting map of social interactions and relationships without having to read a single message.

For users in Europe, there is a stay of execution on some of this because the Irish DPC has required FB and WhatsApp to hold off on any sharing of data for “advertising and product improvement purposes” since 2016 when a previous change to policies required people to opt-out of data sharing within 30 days of receiving a notification. However, data could still be shared for other purposes.

It’s worth noting that the DPC has also asked Facebook to explain their roadmap for WhatsApp and its proposed integration with Facebook and Instagram. And, in other news, the DPC has also sent a draft decision in their investigation into WhatsApp transparency to the EDPB just before Christmas. WhatsApp Ireland have set aside €77.5 million this year for fines.

Face Eating Tiger Companies want to eat faces – SHOCK!

The pendulum swing in respect of WhatsApp is triggered, in part, by a lack of transparency and confused messaging and, in part, by a realisation on the part of users that they have been doing business with a Face-Eating Tiger Company and they are no longer comfortable with the level of nibbling the tiger is doing as it seems to be getting ready to take a big bite. The “take it or leave it” approach (which worked so well for Facebook in 2016 when people had to opt-out of sharing their WhatsApp contacts with Facebook).

But this is the nature of the beast. Facebook is an advertising business with some communications tools bolted on to help them gather data about who is worth marketing to about what. In fairness to it, it makes little pretense to be anything else. It is a tiger. That eats faces. It paid $19 billion for Whatsapp because FaceEating Tiger Companies require a regular supply of faces to nibble on (hence the acquisition of Instagram and Giphy).

When people use Facebook or WhatsApp or any of the applications in the Facebook bundle of businesses, they invite a tiger to tea. A tiger that eats faces. And when that tiger has nibbled through the cucumber sandwiches and entertained us with tricks, inevitably the realisation dawns that the tiger may be planning to have us for dessert.

The migration from WhatApp to other platforms in recent days is a signal (no pun intended) of that realisation dawning and of people turning to the tiger and saying “BAD KITTY!! WANTING TO EAT UP ALL OUR FACES”.

But that is the nature of the tiger. It likes eating faces. So we should not be surprised that it wanted more faces to eat.

Why do we have hungry Face-Eating Tiger Companies?

Bluntly: because regulators let it happen because, historically (and still today) there is a limited level of data literacy and understanding of data as an abstract thing not as a technology discipline. In this context I do not limit my criticism to Data Protection regulators. The European Commission’s Competition regulators signed off on the Facebook acquisition of WhatsApp, even though it later transpired they were “mislead” by Facebook during the vetting of that deal, resulting in a €110 million fine.

Worryingly, we see the same “we promise not to be bad, you can trust us” assurances being given by Google in respect of the acquisition of Fitbit. Google says their deal is about the devices not the data. However, this is akin to McDonalds buying a cattle farm and insisting it was only interested in the tractors.

I will be unsurprised in a few months when people are crying out for overstretched data protection regulators to “do something to stop this sharing of data” when that tiger stops smiling at the devices and starts nibbling on faces again. Bear in mind that the data Fitbit can share with Google is an order of magnitude more intimate than the social network map metadata that WhatsApp can share with Facebook.

We see belatedly attempts by the FTC to begin the process of breaking up Facebook, citing its monopoly power. But therein lies the real strength of a Face Eating Tiger Company. Once it has invited itself to tea, and has provided entertainment and ingratiated itself to the point where it it is integrated into how we do things, it becomes very difficult to tame the tiger. It is nigh on impossible to turn it into a less avaricious domestic cat.

And as people use the services of the Face Eating Tiger Companies, accepting that for the benefit of social interaction and sharing, or community organisation, or figuring out home-schooling assignments during a lockdown that the tiger will have to nibble at their face a little, the tiger gets a bit plumper.  Facebook users are estimated to be worth about $20 a month to Facebook, before we consider the increase in value from integrating WhatsApp and other data.

But are Face Eating Tiger Companies really a bad thing?

You can’t blame a tiger for eating faces. That’s what face eating tigers do. The problem that all cat owners will be aware of is what happens to the cat’s meal when it has worked its way through the system.

For individuals, the impact of having your face nibbled might be minimal. The impact on your daily life might be little more than some slightly more specific than you might be comfortable with adverts for ointments to cure an itch. However, the cumulative effect of the data we generate when we interact with Face Eating Tiger Companies is that our data is crunched through algorithms that filter our view of the world. From what appears in our news feed on Facebook, to what videos appear in our recommendations on Youtube, what we like, what we share, who we share things with, when we share it etc. provides all the essential vitamins and minerals a growing Face Eating Tiger needs to keep going through the day packing our attention and selling it to companies who want to liberate us from the burden of money in exchange for stuff.

The negative by-product effect here is the creation of ‘filter bubbles’ where the content we are presented with is curated and filtered so that our view of the world can become distorted, which can have significant impacts in the real world as we have seen in recent years.

Even a tame and playful tiger has the potential to eat your face off.

What does people running away from the WhatsApp Tiger tell us?

This is a key signal of a trend that has been developing over the past few years as people who were concerned about the diets of Face Eating Tigers sought out privacy enhancing or privacy protecting tools and technologies. From the rise of ad blocker plugins in web browsers or privacy-respecting web browsers like Brave (disclosure: Brave is a Castlebridge client) to the current exodus from WhatsApp, we are seeing a ‘mainstreaming’ of understanding of the eating habits of these tigers and changes in consumer behaviours to favour taking back what control they can over their digital selves.

This is consistent with what over 30 years of studies on consumer attitudes to data protection and digital privacy has been telling us.

Of course, the current stampede away from WhatsApp will only be meaningful if it translates into long term changes in communications tool choices to favour more privacy respecting technologies. That will depend on the self-same network effects and peer-influence that allowed Facebook, and in turn WhatsApp, to grow to Face Eating Tiger scale. Because voting with your feet only counts if you keep walking, and if there is nothing tying you to the tiger.

The Ethical Moral in the Tale of the Face Eating Tiger.

Signal’s status as a not-for-profit organisation focussed on delivering a specific product and associated customer experience is an interesting juxtaposition in business models to WhatsApp (which originally had an annual subscription model pre-2016). Likewise, Threema’s €3.99 fee is a different business model again, which if they are hitting hundreds of thousands of new users a day represents a substantial revenue stream.

Both of these reflect different motives for the business and different ethical frames. Signal is very much a stakeholder theory / social justice theory model, as evidenced by its not-for-profit status. Threema has a commercial drive so is grounded in shareholder theory/stakeholder theory.

When the face eating tiger announces to its prey that it is about to nibble harder on their face, people object to being the dinner and not the invited guest. In such contexts, other business models and services will appeal to customers as their expectations of information and process outcomes become crystallised.

Data Protection and Privacy isn’t dead. It’s open for business.

 

Daragh O Brien

Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.