The popular mobile messaging app WhatsApp breaches Canadian and Dutch privacy laws by forcing many of its users to grant access to their entire address book in order to use it, Canada's privacy watchdog has found in a joint investigation with Dutch authorities.
"The address book contains phone numbers of both users and non-users," noted Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, in a statement released Monday with a report on the investigation.
"This lack of choice contravenes (Dutch and Canadian) privacy law."
While the app, made by California-based developer WhatsApp Inc., now allows Apple iPhone users running iOS 6 to add contacts manually instead of uploading their address book, BlackBerry, Android, Windows and Nokia users still don't have that option.
That means the problem remains largely unresolved following the investigation and the release of the report.
The report says WhatsApp has committed to fixing the problem on other platforms, but would not say when.
WhatsApp allows users worldwide to use their phones to text message friends over the internet without incurring SMS text messaging charges. It is currently the third-most popular paid app in the iTunes store, where it sells for 99 cents, and surpassed 100 million downloads on Google Play in November. The Android and BlackBerry versions are free, although users are charged 99 cents per year for a subscription after the first year.
The Office of the Privacy Commissioner began investigating WhatsApp in January 2012, saying it had "reasonable grounds" to believe the company was "collecting, using, disclosing and retaining personal information" in a manner that contravened Canada's Personal Information Protection and Electronic Documents Act.
The report noted that the app is widely used by Canadians and that WhatsApp actively promotes and distributes its service to Canadians.
In addition to the address book issues, the investigation found a number of other privacy violations that have since been resolved, the Privacy Commissioner's Office reported:
Messages between users were unencrypted at the start of the investigation, "leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks." In response to the investigation, WhatsApp introduced encryption in September 2012.
WhatsApp generated passwords for message exchanges using information about the mobile devices involved that "can be relatively easily exposed," creating the risk that a third-party could send and receive messages on a user's behalf without them knowing. Password security was upgraded in the newest version of the app.
The Office of the Privacy Commissioner of Canada partnered with the Dutch privacy watchdog, billing this as the first time two national data protection authorities have conducted such a joint investigation.
"Our office is very proud to mark an important world-first along with our Dutch counterparts, especially in light of today’s increasingly online, mobile and borderless world,” said Jennifer Stoddart, the privacy commissioner of Canada, in a statement.
“Our investigation has led to WhatsApp making and committing to make further changes in order to better protect users’ personal information.”