California-based WhatsApp Inc., the ubiquitous internet messaging service that rapidly became popular on all smartphone platforms, has faced privacy issues since its humble beginnings, but matters were stepped up a notch when Dutch and Canadian privacy investigators found some disturbing violations relating to how WhatsApp handles the contacts library. Once the investigation was over, with WhatsApp offering to fix some flaws quickly, the issue seemed to be partly resolved. But authorities say it is far from over, and there is more work to be done on WhatsApp’s end.
The Dutch and Canadian investigators found several flaws in the WhatsApp service and published their findings in the course of the investigation. The first violation is that WhatsApp retains the phone numbers of non-users, which, even in hashed form, is a threat to the privacy of people who are not even part of the service. The one exception was iOS 6 users on iPhone, where the app lets them choose contacts manually and add them to their favorites. WhatsApp does the contact matching on the server side and hence has the option of uploading details to its servers, in hashed form.
Another violation found during the investigation is that messages sent between devices were unencrypted. WhatsApp promptly fixed this by encrypting the messages, but that led to another violation: the encryption was based on a combination of the MAC address and the IMEI, which was easy to crack and had to be replaced with a better and safer randomly generated encryption key for messages.
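The difference between a key built from device identifiers and a randomly generated one, as an added example that is not WhatsApp's code. The article does not say how the MAC address and IMEI were combined, so the SHA-256 concatenation in `identifier_key` is an assumption, and the sample identifiers are constructed.

```python
import hashlib
import math
import secrets

# Constructed sample identifiers, not taken from any real device.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_IMEI = "490154203237518"

def identifier_key(mac: str, imei: str) -> bytes:
    """Hypothetical weak scheme (assumption): key = SHA-256(MAC || IMEI)."""
    return hashlib.sha256((mac.lower() + imei).encode()).digest()

def random_key() -> bytes:
    """Replacement scheme: 256 bits from the OS CSPRNG."""
    return secrets.token_bytes(32)

def luhn_valid(imei: str) -> bool:
    """The 15th IMEI digit is a Luhn checksum, so it adds no secrecy."""
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def unknown_bits(model_known: bool, mac_observed: bool) -> float:
    """Upper bound on the secret bits behind a MAC+IMEI-derived key."""
    # IMEI = 8-digit type code (fixed per model) + 6-digit serial + checksum.
    bits = math.log2(10**6)
    if not model_known:
        bits += math.log2(10**8)
    # A MAC address is 48 bits and appears unencrypted in link-layer headers.
    if not mac_observed:
        bits += 48
    return bits

def report() -> dict:
    return {
        # The same identifiers always give the same key, so anyone who
        # learns them can recompute it.
        "recomputable": identifier_key(SAMPLE_MAC, SAMPLE_IMEI)
                        == identifier_key(SAMPLE_MAC.upper(), SAMPLE_IMEI),
        "checksum_ok": luhn_valid(SAMPLE_IMEI),
        "bits_if_observed": round(unknown_bits(True, True), 1),
        "bits_if_unobserved": round(unknown_bits(False, False), 1),
        "bits_random": len(random_key()) * 8,
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Even when neither identifier has been observed, the identifier-derived key holds well under half the secret bits of the random one, and the identifiers never change for the life of the device.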
Now that WhatsApp has fixed the encryption issue, it’s up to them to fix the non-user contacts issue, which is clearly a violation of privacy, according to the Dutch and Canadian authorities. We’ll be keeping a close eye on how this progresses and will let you know when we find anything. Till then, keep whatsapping!