Canadian and Dutch privacy officials today accused the Whatsapp messaging app of mishandling users’ personal information with the way it scans their address books to find friends.
According to the investigation – conducted by the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (CBP) – Whatsapp scans a user’s contact list in order to find other Whatsapp users with whom they can chat.
“Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users,” the report said. “Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law, which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose.”
Consumers with an iPhone running iOS 6 or above are given the option of adding contacts manually rather than having their entire address book scanned, so they are not affected by this glitch, the organizations found.
The OPC and CBP have been investigating Whatsapp since last year, and Whatsapp has taken steps to secure portions of its app throughout the probe. In Sept. 2012, for example, Whatsapp moved to encrypt messages.
Meanwhile, the organizations also found that passwords generated via Whatsapp were using device information that could be exposed in a relatively easy manner. “This created the risk that a third party may send and receive messages in the name of users without their knowledge,” the OPC and CBP said. “WhatsApp has since strengthened its authentication process in the latest version of its app.”
That includes using a more secure key rather than pulling data from MAC (Media Acess Control) or IMEI (International Mobile Station Equipment Identity) numbers. The groups urged Whatsapp users to update to the most recent version of the app.
Going forward, the Dutch will conduct a further investigation to decide whether it takes any other steps, like sanctions. The Canadians, meanwhile, will monitor the situation, but said Whatsapp has “demonstrated a willingness to fully comply with the OPC’s recommendations.”
Whatsapp did not immediately respond to a request for comment.
The news comes shortly after Whatsapp ended 2012 on a high note, processing a record-breaking 18 billion messages on Dec. 31 alone.
For more, see PCMag’s review of WhasApp Messenger for Android and the slideshow above.
This is not the first time an app has found itself in hot water over address book privacy. Last year, it was revealed that social-networking iOS app Path was collecting address book data from its users without permission. Path CEO Dave Morin later apologized and released a new version of the Path iPhone app that allowed users to opt in or out of sharing contact information. Apple also issued a fix via an iOS update – hence why the Whatsapp issue does not affect iOS 6 and above.
By Chloe Albanesius, PCMag