By Luca Belli and Nicolo Zingales
Recently, WhatsApp pushed an in-app notification requesting users to accept its new privacy policy by February 8, 2021. Before publicly changing its position and postponing the deadline to May 15 in reaction to public backlash, the company announced that anyone who did not accept the new rules would have their account suspended.
This example perfectly encapsulates what is wrong with the so-called “privacy paradox”. The concept, first studied in the early 2000s, highlights the striking divergence between the fact we claim we care about privacy and our actual behavior online. Indeed, we seem to often accept disclosing a significant amount of personal information in exchange for rather modest benefits.
However, it has been noted that individuals may agree to poor privacy settings simply out of powerlessness and resignation, rather than from deliberate choice. This is particularly the case for the users of dominant social media platforms.
First, users may not understand their options as they are often presented in complex terms of service which require multiple clicks to even read them, while the ACCEPT option is a simple flashy button on top of all the rest. Second, even well-informed and privacy-attentive users may reluctantly accept any condition unilaterally imposed by these cyber-regulators, fearing that otherwise they will be socially excluded.
Third, in most countries, WhatsApp and Facebook are the only sponsored or “zero rated” apps. Internet access fees remain hefty or simply unaffordable for the majority of the world’s population. This means that for billions of low-income individuals in the world the only “choice” is using the “free” social networks, under the conditions set by these apps.
What it takes to rebalance this asymmetric situation is a truly coordinated movement- possibly one of international nature. Privacy backlash like the one generated by WhatsApp’s privacy policy update could provide the trigger for that, and evidence for this is the fact that Signal is now the top downloaded app in India. Signal is an instant communication app that, unlike WhatsApp, is managed by a non-profit organization and does not collect personal data other than what is needed for the service’s core functionalities. It runs on donations and uses open-source software, so that everyone can inspect the code and verify its adherence to the company´s principles and values.
So, what is really changing with the new WhatsApp privacy policy update?
The new privacy policy confirms that Facebook can access a wide range of personal data for each WhatsApp user – such as phone number, IP address, contact list, profile image – as well as metadata.
Metadata are extremely important. They are that technical information about personal data generated using technology: for instance, which users you chat with, how often you chat with a user, which groups you are a member of, etc. The fact that you are a member of a religious, political, or LGBT discussion group, and the frequency with which you interact with them can reveal details you might not have disclosed in the content of your communications.
Interestingly, WhatsApp published FAQs a few days after its update stating that “group participation” data will not be used for advertising purposes. However, what is conspicuously missing is detailed information about the way in which Facebook or third parties use such metadata. This omission makes it difficult to assess compliance with the stated data collection purposes.
The FAQs can also be confusing for an average consumer when stating that “WhatsApp and Facebook cannot see the location you share.” Ostensibly, this refers to the location shared between users as content of the conversation. Not the one that the application has access to by default (although you can change this by revoking the permissions in the settings of your phone).
Lessons from the past
WhatsApp’s new privacy policy consolidates a business strategy that became apparent with its first update, in 2016. To understand it, we need a short trip back in time to 2014, when WhatsApp was acquired by Facebook for US $ 22 billion. At that time, several experts warned that the acquisition of WhatsApp by Facebook would have reduced competition, led to data sharing between companies, undermined the privacy of millions of individuals, and even jeopardized national sovereignty.
When the European Commission evaluated the acquisition, the company executives announced consumer profiles would not be integrated. This operation would have faced “huge obstacles” because Facebook identified users through email, while WhatsApp via phone number. Based on this, and noting that there were several equivalent apps on the market, both the European Commission and the US Federal Trade Commission authorized the acquisition.
The European Commission observed that, while WhatsApp demanded at that time to pay a registration fee of 1 USD in certain countries, most of the communication applications were “free”, with monetization being done mainly through advertising. Considering this, it was clear that WhatsApp, after the acquisition by Facebook, would be able to align itself with this prevalent market practice. But does this benefit account for the real cost for users, whose data and attention are now traded with third parties?
If anything, the WhatsApp saga teaches us that competition authorities should be more skeptical of company´s promises in this regard. Note that Brian Acton, WhatsApp’s co-founder, left the company in 2017 precisely over a dispute about Facebook’s plans to monetize WhatsApp through ads and data-sharing with Facebook. He then went on to create Signal in order to continue pursuing WhatsApp´s original privacy-preserving mission. That same year, the European Commission fined Facebook €110 million for providing misleading information on the feasibility of the integration of consumer profiles with WhatsApp, after it became clear that it was core to the company´s strategy.
It should also not be forgotten that telecom operators and Facebook signed zero rating agreements in multiple jurisdictions under which some applications would be “offered” to users. Again, experts warned that such applications were not “offered” but paid for with loss of control over personal data, reduced competition, reduced tax revenue and, ultimately, loss of national sovereignty, with all data concentrated and processed on foreign servers.
This reasoning was well understood by the Indians that, in 2016, declared zero rating as contrary to net neutrality and banned the practice. What is the result? Indian users can really choose because they can access all the Internet, not only subsidized apps. The fact that Signal is now the most downloaded app in India is not a coincidence.
By contrast, in countries that allow zero rating, collective migration to Signal is enormously difficult because, to use this app, people may need to pay substantial Internet access fees. Signal is not sponsored, as it has little bargaining power to close zero rating agreements. Facebook and/or WhatsApp are sponsored in all low-income countries.
In short, it is not because of the privacy paradox that people are not using more privacy-oriented services. It is our misconception of “free” that led to a situation where most users are simply denied a real chance to choose. Public authorities should recognize this and step in, not let us be governed by vague, extractive and often misleading terms of service.