"Highly Invasive": Internet Freedom Foundation Moves Supreme Court Against WhatsApp's Updated Privacy Policy

Akshita Saxena

30 Jan 2021 11:38 AM GMT

  • Highly Invasive: Internet Freedom Foundation Moves Supreme Court Against WhatsApps Updated Privacy Policy

    The Internet Freedom Foundation has moved the Supreme Court seeking an interim stay on Whatsapp's updated privacy policy and guidelines to safeguard the personal data and privacy of over 400 million Indian WhatsApp users.The intervention application is filed in special leave petition filed by Karmanya Singh Sareen and Shreya Sethi in 2017, challenging the 2016 privacy policy of the company....

    The Internet Freedom Foundation has moved the Supreme Court seeking an interim stay on Whatsapp's updated privacy policy and guidelines to safeguard the personal data and privacy of over 400 million Indian WhatsApp users.

    The intervention application is filed in special leave petition filed by Karmanya Singh Sareen and Shreya Sethi in 2017, challenging the 2016 privacy policy of the company. The matter is being heard by a Constitution Bench of the Supreme Court.

    In the instant application filed though Advocate TVS Raghavendra Sreyas, IFF has stated that the 2021 Policy of Whatsapp is highly invasive and has been unilaterally forced upon Indian internet users.

    It has therefore urged the Court to grant an ad-interim order, restraining the sharing of any personal data of users by Whatsapp with Facebook for marketing or other purposes.

    WhatsApp can't be treated like any other private messaging app

    At the outset, the Applicant has stated that WhatsApp cannot be treated like any other private messaging service provider and allowed to engage in predatorial conduct because the Competition Commission of India has prima facie found that it holds a dominant position in the relevant market of Over the Top (OTT) messaging services for smartphones in India.

    The application states,

    "The indispensable nature of WhatsApp's services is also evident from the reliance placed upon it by government and public authorities," for instance service of summons through Whatsapp and sharing of links to virtual Courts via WhatsApp.

    Updated Policy Highly Invasive

    The Applicant has submitted that the 2021 Policy provides more details about the usage and log information, device and connection information, and location information collected by WhatsApp, and reveals the highly invasive and granular nature of metadata collected by WhatsApp.

    Further, it shares data with Facebook for the following purposes: (i) Personalizing features and content; (ii) Completing purchases and transactions; (iii) Providing integrations to connect a user's WhatsApp experiences with other Facebook Company Products.

    Furthermore, it is submitted that in a significant departure from the guaranteed end-to-end encryption that protected the content of a user's conversations, the 2021 Policy states that Facebook may have access to messages which users share with businesses on WhatsApp.

    Need to protect Metadata

    Under the updated privacy policy, Whatsapp maintains that conversations on its platform are end-to-end encrypted and the company will only use metadata.

    The Petitioner has however contended that Metadata means data which provides information about other data, and in the context of private messaging platforms like WhatsApp, metadata can reveal just as much sensitive information about an individual's life as the actual content of a message.

    The Petitioner proceeds to illustrate how metadata can be manipulated:

    1) Merely knowing that an individual is part of a group titled 'LGBT Delhi' can allow WhatsApp and Facebook companies to draw inferences about a person's sexual orientation, even if the messages shared between members of the group remain end-to-end encrypted.

    2) Even relatively innocuous seeming categories of metadata, such as the battery level of a user's device (added in the 2021 Policy), can be weaponized in the right context. For example, if ride hailing services such as Uber or Ola gained access to information about battery levels of their customers, they can theoretically charge higher rates to customers whose battery is running low and who are desperate to find a cab as soon as possible.

    In this backdrop, the Petitioner has relied upon the nine-Judge Bench decision in KS Puttaswamy v. Union of India & Ors., (2017) 10 SCC 1, where the Court recognized the dangers of aggregation, when small bits of information about an individual are pieced together to reveal a fuller picture of their personality.

    Reference is also made to the 'International Principles on the Application of Human Rights to Communication Surveillance,' which are a statement of international best practices that were launched at the sidelines of the UN Human Rights Council in Geneva in September 2013. As per this document, metadata may reveal even more about an individual than the content of communications itself, and thus, deserves equivalent protection.

    In light of this, the Petitioner has submitted that WhatsApp's data collection and sharing practices, enshrined in its privacy policies, are violative of an individual's fundamental right to privacy and are unconstitutional.

    "Data Collection Should Be Constitutionally Valid" - Justice Srikrishna Speaks On WhatsApp's New Policy, Aarogya Setu Etc. With Seema Chishti

    Violation of the Privacy Principles and the Proposed Law

    The Petitioner has submitted that the 2021 Privacy Policy is violative of the privacy principles that have been recognised by the Group of Experts constituted by the Planning Commission of India under the Chairmanship of Justice (Retd.) A.P. Shah in 2012.

    Some examples in this context, as illustrated in the application are as follows:

    1) Notice

    WhatsApp is required to inform its users about the entities with whom it may share personal data and any changes in its privacy policy, in order to get informed consent. However, the WhatsApp privacy policies are only in English, and as such, specific and informed consent is impossible for the nearly 90% of the population that does not speak English and will not be able to understand what they have consented to.

    2) Choice and consent

    The 2021 Policy does not permit users to opt-out of the sharing of their personal data with Facebook companies for marketing purposes. This is a violation of Clause 11 of the PDP Bill.

    3) Purpose limitation

    Personal data must be processed for a clear, specific and lawful purpose and only such data should be collected that is limited to, or incidental to the stated purpose [Clauses 4 and 5, PDP Bill]. However, the purpose for data collection specified in the impugned policies is vague and ambiguous, and is in effect, open ended, permitting detailed targeting and advertising of users.

    Dangers of Targeted Advertising

    The 2021 Policy allows sharing of information collected by Whastapp with Facebook Companies, which the latter will ultimately use in its online advertising business model.

    The Petitioner has submitted that sharing of large quantities of metadata between WhatsApp and Facebook companies will allow ad-tech vendors to triangulate the identity of an individual across WhatsApp, Facebook and Instagram.

    "By linking the identity of a user across multiple platforms, ad tech vendors can build a 360 degree comprehensive profile about a user's demographic characteristics and interests, which can then be used to serve them targeted ads," the Petitioner apprehends.

    For instance, it submitted that Facebook may enable law publishers to target its ads towards senior male lawyers, above the age of 45 years, within 4 km radius of the Supreme Court of India. The acquisition and analysis of user data helps improve such targeting for advertising purposes, thereby making the transfer and usage of user related data from WhatsApp to Facebook companies particularly relevant.

    The Petitioner emphasized that the dangers of such targeted advertising became evident recently when Facebook started showing advertisements for body armour, gun holsters and other military equipment to users with extremist views who were reading articles about the Capitol Building attack in Washington DC.

    No opt-out option

    The Applicant has submitted that the 2021 Policy has been unilaterally forced upon Indian internet users, the vast majority of whom primarily rely on WhatsApp's services to communicate with their friends, family, and colleagues.

    "The 2021 Policy was presented as a fait accompli and users who did not click "Agree" to grant consent to the revised terms by 08.02.2021 would have lost their ability to use WhatsApp's platform," the application states.

    "It's A Private App, If You Don't Want To, Don't Use It": Delhi High Court on Plea Against WhatsApp's Updated Privacy Policy

    It adds that though implementation of the updated Policy has been postponed, WhatsApp has not given any indication that it intends to revise its terms.

    It is alleged that by not providing the Indian users with an opt-out option, Whatsapp is depriving them of having any modicum of control over their personal information being shared with Facebook Companies.

    The Applicant has therefore urged the Court that Whatsapp be directed provide its users with an opt-out option while using its services, to allow users to opt-out of sharing their data with Facebook for marketing and advertising purposes.

    Improved privacy protections for European users of WhatsApp

    The Applicant has stated that Whatsapp is discriminating between its Indian users and its users based in Europe.

    It is worth noting that in the European Region where a proper legislative framework for data protection exists in the form of the GDPR, WhatsApp has included more privacy-friendly policies and has clearly stated that it will not share any data with its parent company, Facebook, for advertising purposes, the Applicant submitted.

    Differential Policy Of WhatsApp For Indian And EU Users Major Cause Of Concern: Centre To Delhi High Court

    For instance, the updated Whatsapp privacy policy for EU provides that any information shared by WhatsApp with Facebook Companies' cannot be used by the latter for its own purposes.

    Thus, the Applicant has urged the Court to direct Whatsapp to provide the same standard of privacy protections to its Indian users as it is providing to users in the European Region.

    Need for Interim Guidelines

    The Applicant has emphasized that the dangers of the unilateral changes in WhatsApp's policy are amplified in the absence of a data protection law in India and thus, there is an emergent need for the Court to issue interim guidelines for data protection, until a robust statutory enactment is brought by the legislature.

    It is submitted that the need for a data protection law in India was recognized by the Supreme Court over three years ago in Puttaswamy case (supra).

    It is stated that even whereas the Supreme Court expressed concerns over the delay in enacting a legislative framework for protection of the right to privacy in consideration of the rise of commercial exploitation of personal data using big data analytics, more than three years have passed and there is still no law to protect users in India.

    In these circumstances, it is urged, there is a need for intervention by the Supreme Court by laying down guidelines as regards data collection, protection and sharing of personal data by WhatsApp and Facebook, so as to protect the privacy of Indian users.

    Background

    The main petition in the instant case was initially filed challenging the August 2016 privacy policy of Whatsapp, when WhatsApp began sharing the data of its users with Facebook for marketing and advertising purposes.

    The matter was last heard by a Constitution Bench of the Supreme Court September 9, 2017 and the case was thereafter adjourned based upon Central Government's decision to appoint a Committee of Experts, chaired by Justice (Retd.) BN Srikrishna, to deliberate on a data protection framework for India and the possibility of a data protection legislation being enacted soon.

    Other challenges to the 2021 Policy

    A writ petition has been filed in the Supreme Court by Confederation of All India Traders seeking issuance direction to Union Government to take all necessary steps / actions to safeguard and secure the privacy of citizens and national security by ensuring that mobile application providers such as whatsapp and other internet based messaging services do not compromise, share and/or exploit the information and data including messages, audio, video and other information of users in any manner whatsoever.

    Meanwhile, the Delhi High Court remarked that WhatsApp is a 'private app' and that the users voluntarily use the app even though they have the option to not use it. A Single Judge said that it will issue notice on the petition challenging the updated privacy policy only after it understands the concern of the petitioner against the application and its contentious updated privacy policy.

    Next Story