Will Meta Do on WhatsApp What It Appears to Have Done on Facebook and Instagram?

The news broke last week that Meta will soon post ads on a dedicated segment of WhatsApp. This is a big change for a popular messaging app that has long shunned advertising.

Ads will not appear on WhatsApp’s chat feature with friends, instead appearing in a special “Updates” section. But in order for ads to be effective, Meta will still need to collect users’ location and language data to target ads to individual user’s accounts. Meta insists no information will be gleaned from messages or calls.

“The fact that Meta has promised that it’s adding ads to WhatsApp with privacy in mind does not make me trust this new feature,” Lena Cohen of the Electronic Frontier Foundation told Fast Company. “Ads that are targeted based on your personal data are a privacy nightmare, no matter what app they’re on.”

This story comes on the heels of another recent big story about Meta, one that should inform any evaluation of the company’s promises about WhatsApp. Meta has been making aggressive use of users’ data on its other two main platforms. Here’s what we know about that:

1) The Washington Post reports that Meta, desperate to build a “digital” version of real customers for advertising purposes, secretly positioned Facebook and Instagram to silently track Android users’ browser activity, then forwarded that information to its servers. If you think about all the private searches you might have performed on your smartphone browser, that is a sobering realization.

2) Meta’s apparent tactics touch on multiple areas of ethical and legal concern:

• If true, Meta bypassed Android’s privacy safeguards using some of the same tactics as malware. Android was designed to prevent apps from tracking what users were doing in browsers like Chrome, Firefox, etc. Apps are intentionally walled-off or “sandboxed” to keep them from snooping around. But Meta manipulated its popular “Pixel” JavaScript code to allow its apps to secretly track Android users’ web activity (on more than one million sites).

• “Sandboxing” – or the segregation of data in apps – has been common practice in browser security since the early 2000s, and Google’s Chrome helped lead the way. Sandboxing later became a core architectural principle once smartphones went mainstream – to help guard against the possibility of rogue apps accessing one’s personal data. Ars Technica calls sandboxing one of the web’s “fundamental security principles.”

• As long as users were logged into Facebook or Instagram, the apps were surreptitiously tracking and reporting all browser activity. Known privacy guardrails were deliberately bypassed, including incognito mode, clearing cookies, and the use of VPNs.

• To succeed, Meta is suspected of deliberately finding and then hiding work-arounds that exploited Android’s native weaknesses. Android is designed and maintained by Google, which was none too pleased when the story broke. Meta’s work-arounds abused Android’s capabilities to “blatantly violate our security and privacy principles,” the company told Sky News.

​

• Because Meta’s methods bypassed user consent, their actions are an apparent violation of the EU’s GDPR and perhaps some U.S. regulations. While not explicitly about sandboxing, the FTC Act clearly covers misleading or harmful data practices related to those protections.

For its part, Meta called the whole affair a “potential miscommunication,” but agreed to pause the “feature.”

Meta wasn’t the only offender. A Russian tech company called Yandex has apparently been doing the same since 2017, but flatly denies any wrongdoing. Anyone with Yandex apps on their phones (Android or otherwise), should immediately click “Uninstall.” And in terms of using a relatively more secure Android browser, consider Brave. Some reporting suggests that browser successfully protected its users from Meta and Yandex’s incursions.

We understand that consumers give away a bit of privacy in exchange for a free service that selects ads for them on an anonymized basis. As Meta expands its ad presence to WhatsApp, however, Congress and the public need a better understanding of what the company has already done with apps on Facebook and Instagram. PPSA will watch developments in this story closely.

DONATE & HELP US PROTECT YOUR PRIVACY RIGHTS