Imagine that chats with a business account are not a 1vs1 chat but a 3-persons group: you, the business, and a third person called 'Facebook'.
Now think all the info you can get from another person in a group chat. The phone, the public name/picture, the description, all they say (in that group)... That's the info Facebook will get about you WHEN you chat with a business account, and ONLY from that business chat.
That's apparently the change (or at least what the privacy policy says, what they do in reality is, as with everything, a mystery).
"Bigger businesses, like an airline or retailer, might hear from thousands of customers at a time - asking for information on a flight, or trying to track their order. To make sure they can respond quickly, these businesses may use Facebook as a technology provider to manage some of the responses on their behalf. We will clearly label chats to make you aware when that happens."
Sounds like if the businesses use Facebook tooling to manage their chats, then the Facebook servers operating the tooling will see the contents of the chat.
Obligatory disclaimer: I work at Facebook but not in WhatsApp and don't have any extra knowledge beyond what is on the linked page.
And that's probably also why they say that the change is to make it clear that they do get the data.
Of course, if you talk with someone, even if it's a person, you have no control over that other person. If you say something inappropriate in a group then everyone from that group can see it and share it. In the case of business they (probably) share all the chat data with their provider, which in most cases is Facebook (hence my analogy with the 3-persons group chat).
What the change seems to imply is that, even if the business doesn't use Facebook tooling, Facebook will always have access to that business chat. I may be wrong though.
> Facebook will always have access to that business chat.
yes, this is similar to any other business chat system. This would then allow Facebook to provide chat logs to businesses, something that would otherwise require a third party addon (and consequently a large eula before the chat starts)
As with any other chat system, it requires users to trust the people hosting it.
Personally I think its safer to talk about account details in whatsapp compared to the dodgy popups that are hacked into people's websites....
> yes, this is similar to any other business chat system. This would then allow Facebook to provide chat logs to businesses, something that would otherwise require a third party addon (and consequently a large eula before the chat starts)
Why would a third party addon be required? In an E2EE setting, the business would just have to maintain logs on their end.
I think the "may" in "may use Facebook as a technology provider to manage some of the responses on their behalf" suggests that it will only happen if they use Facebook tooling. But likewise I may be wrong.
I think many businesses will be happy with this change. Currently you have to run an instance of WhatsApp in a container that connects to the WA servers and provides the API that you then use. But Facebook doesn't let random businesses run them directly, so instead you have to use accredited third-party providers who manages the container and gives you their own API to work with. So ultimately you still have this third-party who has access to the message flow.
This sounds like it offers the possibility of cutting out that middle-man and will potentially provide an easier API and onboarding process.
Repeat the exercise by replacing "chat" with "email" and "Facebook" with "Gmail". There's been over a decade of reliance on Gmail among the businesses to routinely use it ferry very sensitive personal data around... and yet nobody cares. You point it out and they cringe at what a sorry-ass alarmist you are.
If it's only this that is shared, "whether you communicate with a business by phone, email, or WhatsApp, it can see what you’re saying and may use that information for its own marketing purposes, which may include advertising on Facebook. To make sure you’re informed, we clearly label conversations with businesses that are choosing to use hosting services from Facebook", then it makes sense.
"The privacy and security of your personal chats with family and friends will never change.
Neither WhatsApp nor Facebook can see the content you share with family and friends, which includes your personal messages and calls, the attachments you share, or the location you send. We do not keep logs of who everyone is messaging or calling, and WhatsApp does not share your contacts with Facebook."
Does this mean that Whatsapp will not share invasive data with Facebook? I think not.
Does it mean that they are able to run whatever profilers they like over the data and then share the output of that? I think so. They wouldn't be sharing the content per say, just the evaluation of the data. I would also suspect that shared profiling would have been going on from asap from the day they bought whatsapp.
My interpretation is that they can't do that (if what they say is true). They specifically say that they cannot see the content. This would seem to preclude profiling/summarising the data, because the profiler would have to see the data in the first place.
However, note the differing wording they use: 'WhatsApp cannot see your personal messages or hear your calls' vs 'WhatsApp does not keep logs of who everyone is messaging or calling'. So, are they saying that they do keep logs of who some people are messaging/calling? Maybe they don't log Zuckerberg's usage, but keep everyone else's, and that lets them get away with the weasel words?
Also, what about video calls? They don't mention those, presumably they aren't encrypted and transit through FB/WA servers, allowing them to be viewed/recorded if desired.
Fair enough - these statements are very open to interpretation.
The way I view them is to try to take an approach that a lawyer would. Could a lawyer try to argue that they process the data and generate an artifact that is passed to facebook, and that is fine because they are not passing the content? I think a lawyer could and would fancy their chances. And anyway, who's going to take them to court?
Do you recollect all the kerfuffle about the NSA collecting meta-data not the actual content? I think what I'm suggesting is akin to that already existent process.
> 'WhatsApp cannot see your personal messages or hear your calls' vs 'WhatsApp does not keep logs of who everyone is messaging or calling'.
This is definitely suspicious because it is so awkward. You would never say that sentence in that way. It could have easily been "WhatsApp does not keep logs of who you are messaging or calling" and that would have flowed much better.
> Also, what about video calls?
They have stated earlier that video calls are end-to-end encrypted in a similar way to voice and chat.
> Neither WhatsApp nor Facebook can see the content you share with family and friends, which includes your personal messages and calls, the attachments you share, or the location you send.
They cannot see _what_ you send. But obviously they could still see who you send messages to.
> We do not keep logs of who everyone is messaging or calling, and WhatsApp does not share your contacts with Facebook."
Which means that they cannot keep aggregate logs of call data, this is to align with the next bits of GDPR. However it doesn't preclude monitoring individuals, as that is a legal requirement.
the rough translation is: we cannot keep logs of who called whom, unless we are asked to by governments. The irony is, that if whatsapp were charging for usage, they would actually be able to store and use the aggregate call data.
I'm getting lost with the number of changes going on here. Can anyone point to what's changed from the policy they were pushing to users in Jan this year? How different is it from the policy that existed before August 2016?
The information from the EFF appears to contradict what WhatsApp says here.
When this story first broke, I spent a lot of time and effort getting the word out, getting people riled up about the evils of FB, and trying to get people to switch to Signal/Telegram/whatever, all with minimal success. As someone who understands the issues I felt it was my duty.
You know what? I've changed my mind. I still understand the issues but at some point you have to decide that life's too short for this. Yes, it still sucks, and FB are still evil and I don't trust them, but I calculated that the chances of me personally being harmed by this are low enough that I don't care. All it was doing was causing me extra anxiety.
I'm disappointed at the toothless GDPR which is apparently being used to fine small businesses who can't keep up with all the rules, meanwhile the gargantuan entities we European residents do need protection from can apparently do as they please.
Really, as a European resident, I expected more than "accept the terms or GTFO" - wasn't that the entire point of the GDPR?
Now think all the info you can get from another person in a group chat. The phone, the public name/picture, the description, all they say (in that group)... That's the info Facebook will get about you WHEN you chat with a business account, and ONLY from that business chat.
That's apparently the change (or at least what the privacy policy says, what they do in reality is, as with everything, a mystery).