WhatsApp has been encouraged to develop guidelines and ensure the implementation of procedures in regard to the retention and destruction of personal information.
The messenger service was investigated under the Personal Information Protection and Electronic Documents Act (PIPEDA) following a complaint about it from the Office of the Privacy Commissioner of Canada, who had reasonable grounds to believe that it was collecting, using, disclosing and retaining personal information in a manner contrary to certain provisions of schedule one of the act.
The subsequent report on the Canadian privacy commissioner's findings found that while in-network numbers are stored in clear text on WhatsApp's servers, numbers of non-users are stored in a hashed format in a 64-bit value to render out-of-network (old or expired users) numbers as anonymous. It may also, with a user's permission, get access to the address book on a phone that is transferred securely to WhatsApp's servers using SSL/TLS encryption.
The report said: “Principle 4.3.3 states that an organisation shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.”
The privacy commissioner recommended that all out-of-network users details be removed once consent was no longer granted. WhatsApp said that the anonomysing was sufficient, leading the commissioner to respond that "concerns relating to the retention of non-user numbers [are] well-founded".
The report deemed that WhatsApp's account confirmation messages were being sent using ordinary web traffic ports, allegedly without encryption or safeguards, leaving users potentially vulnerable in May 2011 – and it subsequently corrected this.
WhatsApp said that its policy is to delete or destroy all personal information belonging to a user, including any applicable payment information, 30 days after termination of the service. The commissioner was satisfied with this and with WhatApp's commitment to "further developing its retention policy for personal information and to making this policy publicly available".
Chester Wisniewski, senior security advisor at Sophos Canada, said: “At the beginning of the investigation, the company was not properly encrypting any of the communications of its users. Its initial attempt at encryption relied upon using IMEIs and Mac addresses as encryption keys.
“The investigation determined this was inadequate and easy to defeat. WhatsApp has begun the transition to 160-bit randomly generated keys in its iOS app and will follow through on other platforms.”
The UK's Information Commissioner's Office said that it was aware of the findings, and said that it will take them into consideration as part of its work in this area.
A spokesperson said: “Any developer in the UK must ensure that the apps they release comply with the requirements of the Data Protection Act. This includes being open and upfront with people about how their data will be used and making sure that the information collected is adequate and not excessive.
“We are currently looking at how we can support app developers to ensure that they are compliant with the Act during the early stages of an applications development. It is in a company's best interests to make sure that they are looking after people's data correctly, otherwise they will risk breaching the Data Protection Act 1998 and lose the trust of the people their products are marketed at.”