A yearlong investigation by government privacy watchdogs in Canada and the Netherlands identified major weaknesses in the way the WhatsApp cellphone messaging application handled the personal information of its users.
Many of the problems have since been fixed, but Dutch authorities have yet to decide whether they will attempt to prosecute WhatsApp under Dutch privacy law, the two organizations said in a joint statement on Monday.
WhatsApp allows users to exchange messages like conventional instant messaging software, but rather than use screen names the system identifies users by their phone number. When a user signs up, they upload their cellphone's address book to WhatsApp to discover who among their existing contacts is available via WhatsApp.
That method was one of the things that originally drew the attention of the Office of the Privacy Commissioner of Canada and The Dutch Data Protection Authority.
Their investigation found that after uploading the address book and using the data to match existing users, the WhatsApp servers failed to delete the phone numbers of non-users as required by Canadian and Dutch law.
The app was also initially found to be sending messages in an unencrypted form, which leaves them vulnerable to eavesdropping and interception, particularly when sent over an unsecure Wi-Fi network. WhatsApp added encryption to messages in September 2012.
Finally, the investigation found the app was generating passwords for message exchanges based on things like the phone's IMEI (international mobile equipment identity) or MAC (media access control) address. Both are relatively easy to discover, opening the possibility that a third party could send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened password generation, but users need to update their software to benefit from the change.
WhatsApp, which is based in Silicon Valley, could not immediately be reached for comment.
News of the investigation comes as the issue of mobile app privacy is increasingly coming into the spotlight.
In December, the State Attorney General of California launched a prosecution of Delta Airlines for failing to comply with California's privacy laws. California's online privacy law requires commercial operators of websites and online services, including apps, which collect personally identifiable information conspicuously to post a privacy policy. The state attorney general has begun looking at apps that either don't include such a policy or don't make it obvious to users.
But even if a privacy policy is put in front of consumers, many often click the "read and understood" button without looking at it, said Pat Walshe, privacy director at the GSM Association, an organization representing network operators. His organization has published guidelines for privacy by design for mobile phone applications.
"We want consumers to have confidence in the industry and that means a commitment to protect consumer privacy. Industry has to fill in the gaps or policy makers will do it, possibly in an overly prescriptive way," said Walshe.
(Jennifer Baker in Brussels contributed to this report.)
Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address ismartyn_williams@idg.com