
EU Regulators Raise Concerns over Yahoo and WhatsApp

European data protection regulators have written to both WhatsApp and Yahoo. With Yahoo, concerns center around the breach and theft of 500 million user accounts, and the sharing of content with the US government. The WhatsApp concern is over sharing EU personal data with US Facebook. In both cases the issues will be discussed in November.


In 2014 hackers stole details on ‘at least 500 million user accounts’ from Yahoo. Yahoo claimed that it was the victim of a state-sponsored attack.

In October 2016 Reuters reported that Yahoo had previously “complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI.” Yahoo immediately denied that it had conducted mass email surveillance. The issue of the US government scanning European emails should not be considered lightly — it was fundamental to the European Court’s decision to strike down the original Safe Harbor agreement.

For both Yahoo issues the European Article 29 Working Party (the body comprising all EU national data protection regulators) has asked Yahoo for clarification. Concerning the breach the regulators have asked that all affected users be notified of any ‘adverse effects’, and that the company should “cooperate with all ‘upcoming national data protection authorities’ enquiries and/or investigations’.” (Reuters) Over any email scanning Yahoo is asked to explain the legal basis and compatibility with EU law.

The regulators’ concerns over WhatsApp focus on the recent privacy policy changes — the first that have happened since the company was bought by Facebook. A WhatsApp spokesperson said that it was working with the regulators, had done so even before the changes, and that it is “committed to respecting applicable law.”

The relevant change is that WhatsApp now shares its customer data with the US-based Facebook parent, despite initially claiming that it would not do so. In September 2016, the German regulators acted alone and announced they had blocked Facebook from collecting WhatsApp subscriber data. WhatsApp said it would appeal the decision.

The upcoming November discussions by the Article 29 Working Party are likely to center around the ‘informed consent’ issue. In particular, does an opt-out option comply with regulations? WhatsApp includes an option for its users to opt out of sharing data with Facebook. However, this may not be sufficiently explicit to satisfy the regulators.

A WhatsApp screen display includes “Read our Terms and Privacy Policy and learn more about the choices you have. Please agree to the Terms and Privacy Policy to continue using WhatsApp. If you don’t wish to Agree, you’ll need to discontinue using WhatsApp. AGREE.” There is no explicit mention here that users can both opt out of sharing data with Facebook and still continue using WhatsApp — in fact, the implication is the opposite.


If the user decides to delve deeper ‘to learn about the choices’, there is another screen explaining the option to ‘opt-out’ of sharing. This is accompanied by a pre-selected opt-in tick box. 

The November discussions are likely to consider whether this arrangement satisfies the principle of informed consent — and a possible outcome will be a strongly worded request, backed by the threat of sanctions from individual national regulators, for WhatsApp to be more explicit. An active opt-in option would solve the problem and keep WhatsApp unambiguously in conformance with EU data protection law.

Chris Pounder, director at information law specialists Amberhawk Associates, points out that the Article 29 Working Group (as a body) is currently only advisory within the EU. It is, however, the European Data Protection Board (EDPB) in waiting — waiting for GDPR to come into effect. “What they say is important,” he told SecurityWeek. He believes that this is an issue worth watching: “Could this impact on Privacy Shield?” he wonders.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
