Security & Privacy Society Techonomy Events

The Facebook-WhatsApp Lesson: Privacy Protection Necessary for Innovation

Photo courtesy of Getty Images

Not less than one month after Mark Zuckerberg told almost fifty members of Congress that he was sorry about the Cambridge Analytica debacle and promised to do better, Jan Koum, the co-founder of the popular messaging app WhatsApp, said he was leaving the Facebook board of directors. The reasons? Ongoing concerns about Facebook’s business model and the protection of user data.

My organization — the Electronic Privacy information Center (EPIC) — is responsible for the 2011 Federal Trade Commission’s consent order that was supposed to get Facebook to clean up its privacy practices after the Beacon fiasco. We were pleased that more than a dozen members of Congress raised the consent order with Zuckerberg during the hearings. Our key point to Congress was that the FTC’s failure to enforce the consent order likely contributed to the Cambridge Analytica breach.

Even after the order, Facebook had little interest in what app developers did with the personal data of Facebook users. The company did not even bother to review Kogan’s terms and conditions. The order that EPIC helped establish required comprehensive privacy program and routine audits by an independent third party.  Did anyone at the FTC even bother to read the reports? Perhaps a future Congressional hearing will answer that question.

The Koum breakup with Facebook speaks to how the internet economy could evolve, how competition and innovation could be encouraged, if regulators simply do their job.

Koum’s original model for WhatsApp was wildly popular. Robust security. Minimal data collection. Worldwide reach. No advertising. And all for 99 cents a year. By 2014, WhatsApp had 500 million users. Koum was also a hero in the privacy world. A Ukrainian with a strong aversion to surveillance, Koum wrote “no one wakes up excited to see more advertising; no one goes to sleep thinking about the ads they’ll see tomorrow.”

The backstory

There is a long, complicated story about Zuckerberg’s courtship of WhatsApp, Facebook’s largest acquisition to date, but the interesting regulatory story concerns what Facebook would do with the data of WhatsApp users once it acquired the company. Koum understood the problem. And so did we.

In March 2014, EPIC filed a complaint with the FTC concerning Facebook’s proposed purchase of WhatsApp. As we explained at the time:

“WhatsApp built a user base based on its commitment not to collect user data for advertising revenue. Acting in reliance on WhatsApp representations, internet users provided detailed personal information to the company including private text to close friends. Facebook routinely makes use of user information for advertising purposes and has made clear that it intends to incorporate the data of WhatsApp users into the user profiling business model. The proposed acquisition will therefore violate WhatsApp users’ understanding of their exposure to online advertising and constitutes an unfair and deceptive trade practice, subject to investigation by the Federal Trade Commission.”

We explained to the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition.

Koum responded less than two weeks later: “Above all else, I want to make sure you understand how deeply I value the principle of private communication. For me, this is very personal.” He added, “Make no mistake: our future partnership with Facebook will not compromise the vision that brought us to this point.”

Two weeks later, in April 2014, the director of the FTC Bureau of Consumer Protection wrote to us, “if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC’s order against Facebook.” The FTC letter concludes “hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies’ practices to ensure that Facebook and WhatsApp honor the promises they have made to those users.”

So there it is. Once again. Assurance from the Federal Trade Commission to protect the privacy of internet users. Except they didn’t.

A call for action

As the Facebook acquisition of WhatsApp moved forward, European antitrust regulators served Facebook with a questionnaire of more than 70 pages to determine whether the merger violated antitrust laws. But the FTC remained strangely silent.

Fast forward to August 2016, WhatsApp announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. Users would have 30 days to opt-out of data transfers to Facebook, we believed, in violation of the law and the FTC’s order.

We reminded the FTC that it had warned the two companies they must honor their privacy promises to users. We wrote that WhatsApp’s plan to transfer user data to Facebook for user profiling and targeted advertising — without first obtaining users’ opt-in consent contradicts numerous FTC statements and violates Section 5 of the FTC Act.

And the Federal Trade Commission responded a week later. The FTC stated that it prohibits companies from engaging in unfair and deceptive practices and will enforce its 2012 Consent Order with Facebook and will “carefully review” EPIC’s complaint.

More than a dozen U.S. consumer organizations asked the Federal Trade Commission to pursue the complaint EPIC filed about WhatsApp’s plan to transfer user data to Facebook.

But the FTC never acted.

Europe reacts

However, a different story unfolded outside the United States. In the fall of 2016, Germany’s privacy regulator ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data that has already been transferred. In a statement, German officials said that WhatsApp’s new data transfer policy constitutes “an infringement of national data protection law.” EU Commissioner for Competition Margrethe Vestager opened an investigation into WhatsApp’s privacy changes, which contradicted previous commitments to users and regulators.

(The European Commission would eventually fine Facebook $122 million for “misleading” statements when the EU approved the WhatsApp takeover. The company claimed that it would not be possible to merge the two databases.)

And then India joined the international opposition to the WhatsApp privacy changes. India’s Deli High Court ordered WhatsApp not to transfer to Facebook any user data that was collected prior to September 25, 2016, and to delete data of users who opted out of WhatsApp’s new data transfer policy prior to that date.

Fast forward to April 2018: Jan Koum, the WhatsApp CEO, gave up his highly coveted seat on the Facebook board of directors. According to the Washington Post’s Elizabeth Dwoskin, Koum and Facebook disagreed over the advertising model, mobile payments, and strong encryption.

And here is the lesson: If the FTC had stood behind its commitment to protect the data of WhatsApp users, there might still be an excellent messaging service, with end-to-end encryption, no advertising and minimal cost, widely loved by internet users around the world. But the FTC failed to act and one of the great internet innovations has essentially disappeared.

Still the story is not over. There is still the possibility that the Facebook-WhatsApp deal could be unwound. There are five new commissioners at the FTC. And Joe Simons, the agency’s new chairman, recently told Congress that the U.S. government may have been “too permissive in dealing with mergers and acquisitions.”

Marc Rotenberg is President of the Electronic Privacy Information Center. He will be speaking at Techonomy NYC on May 8-9, as part of our discussions on the impact of net giants. He also helped establish the .ORG domain, that enables and promotes the non-commercial use of the internet.

Tags: ,