WhatsApp Has Shared Your Data With Facebook for Years, Actually

A pop-up notification has alerted the messaging app's users to a practice that's been in place since 2016.
two guys on the phone
Your encrypted messages are still safe, but it's a rude awakening for many WhatsApp users.Photograph: Noam Galai/Getty Images

Since Facebook acquired WhatsApp in 2014, users have wondered and worried about how much data would flow between the two platforms. Many of them experienced a rude awakening this week, as a new in-app notification raises awareness about a step WhatsApp actually took to share more with Facebook back in 2016.

On Monday, WhatsApp updated its terms of use and privacy policy, primarily to expand on its practices around how WhatsApp business users can store their communications. A pop-up has been notifying users that as of February 8, the app's privacy policy will change and they must accept the terms to keep using the app. As part of that privacy policy refresh, WhatsApp also removed a passage about opting out of sharing certain data with Facebook: "If you are an existing user, you can choose not to have your WhatsApp account information shared with Facebook to improve your Facebook ads and products experiences." 

Some media outlets and confused WhatsApp users understandably assumed that this meant WhatsApp had finally crossed a line, requiring data-sharing with no alternative. But in fact the company says that the privacy policy deletion simply reflects how WhatsApp has shared data with Facebook since 2016 for the vast majority of its now 2 billion-plus users.

When WhatsApp launched a major update to its privacy policy in August 2016, it started sharing user information and metadata with Facebook. At that time, the messaging service offered its billion existing users 30 days to opt out of at least some of the sharing. If you chose to opt out at the time, WhatsApp will continue to honor that choice. The feature is long gone from the app settings, but you can check whether you're opted out through the “Request account info” function in Settings. 

Meanwhile, the billion-plus users WhatsApp has added since 2016, along with anyone who missed that opt-out window, have had their data shared with Facebook all this time. WhatsApp emphasized to WIRED that this week's privacy policy changes do not actually impact WhatsApp's existing practices or behavior around sharing data with Facebook. 

“Our updated Terms and Privacy Policy provide more information on how we process your data, and our commitment to privacy,” WhatsApp wrote on Monday. “As part of the Facebook Companies, WhatsApp partners with Facebook to offer experiences and integrations across Facebook’s family of apps and products.”

None of this has at any point impacted WhatsApp's marquee feature: end-to-end encryption. Messages, photos, and other content you send and receive on WhatsApp can only be viewed on your smartphone and the devices of the people you choose to message with. WhatsApp and Facebook itself can't access your communications. In fact, Facebook CEO Mark Zuckerberg has repeatedly affirmed his commitment to expanding end-to-end encryption offerings as part of tying the company's different communication platforms together. But that doesn't mean there isn't still a trove of other data WhatsApp can collect and share about how you use the app. The company says it collects user information "to operate, provide, improve, understand, customize, support, and market our Services.”

In practice, this means that WhatsApp shares a lot of intel with Facebook, including  account information like your phone number, logs of how long and how often you use WhatsApp, information about how you interact with other users, device identifiers, and other device details like IP address, operating system, browser details, battery health information, app version, mobile network, language and time zone. Transaction and payment data, cookies, and location information are also all fair game to share with Facebook depending on the permissions you grant WhatsApp in the first place.

“WhatsApp is great for protecting the privacy of your message content,” says Johns Hopkins University cryptographer Matthew Green. “But it feels like the privacy of everything else you do is up for grabs."

Facebook purchased WhatsApp in 2014 and noted at the time that it and the company's chat platform Messenger would operate as “standalone” products. The slow shift toward integration has been controversial internally, and may have contributed to the departure in late 2017 and 2018, respectively, of WhatsApp cofounders Brian Acton and Jan Koum. A few months after leaving, Acton cofounded the nonprofit Signal Foundation. The organization maintains and develops the open source Signal Protocol, which WhatsApp and the secure messaging app Signal, among others, use to implement end-to-end encryption.

“Today privacy is becoming a much more mainstream discussion,” Acton said at the WIRED25 conference in 2019. "People are asking questions about privacy, and they want security and privacy built into the terms of service.”

Though this week's WhatsApp privacy policy revisions don't actually alter the messaging service's behavior, it's significant that users may have thought the company was offering an opt-out option all these years that didn't actually exist. A level of data-sharing that some users disagree with and even fear has already been going on. Given the reality that Facebook has owned WhatsApp for the better part of a decade, this clarification seems to some like simply reckoning with the inevitable.

“I don’t trust any product made by Facebook,” says Evan Greer, deputy director of the digital rights group Fight for the Future. “Their business model is surveillance. Never forget that.”


More Great WIRED Stories