Ask HN: How can I meaningfully object to WhatsApp processing of my information?
26 points by _8ysf 1032 days ago
Following some EU requirements (GDPR), WhatsApp updated their TOS. They say that we can now "object to [their] use of [our] information": https://faq.whatsapp.com/781249240131848/.

When following the form, I receive an e-mail saying:

> Hi,

> Thanks for your message.

> In order for us to review your objection, please reply to this email with the following information:

> - What information processing you are objecting to. Your right to object applies where we rely on legitimate interest to process your information.

> - How WhatsApp’s processing of this information impacts you (example: what rights and freedoms you believe are impacted by the processing and why)

> - Any additional information you believe will help us review your objection (optional)

> We may ask you for more information if your request is incomplete.

> Thanks, WhatsApp Privacy Operations

Of course, I did not manage to get further than that: whatever I say, they answer that "We've reviewed your request and found that it doesn't meet the requirements for an objection to the processing of your personal information under the applicable data protection regulation.". They claim that they need all the information they collect, but since Signal does not collect any of that, it seems like they don't really need it. They also mention "Business intelligence and Analytics", it feels like it should be relatively easy to prove that they don't actually need to do that in order to provide WhatsApp to me, right?

Here they give more details about the information they collect, and the concept of "legitimate interest": https://www.whatsapp.com/legal/privacy-policy-eea/revisions/20211122#privacy-policy-information-we-collect.

My question: what should I answer to that e-mail in order to force WhatsApp to collect as few metadata as possible coming from my activity?

8 comments

I wonder what would happen if you tried asking for a list of which information it is possible to opt out of while still using WhatsApp. To force them to reveal what they can function without, or how much they are pretending to need, instead of keeping users in the dark. I suspect they don't offer such a list because they want to claim they need everything.
Good point, I asked them that.
Please also share this with us when they respond.
They answered:

> Thank you for your message. Please read this article to learn more about objecting to the processing of your personal information: https://faq.whatsapp.com/1285115568956956/?helpref=uf_share

The page says:

```
How can I submit an objection?

If you're living in the European Region or in the UK, you can submit an objection to such processing of your personal information with this form and select "How can I make an objection to the processing of my information." Please provide your email address and WhatsApp phone number so we can process your request.

You will then be asked for the following information by email:

- What information processing you are objecting to: the processing activities carried out by WhatsApp on the basis of legitimate interests are listed above

- How this processing impacts you; under the GDPR and the UK GDPR, you have a right to object on grounds relating to your particular situation. This is important for us to be able to review and assess your objection. This is why we ask you to explain how the processing affects you (such as what rights and freedoms you believe are impacted by the processing and why)

- Any additional information you believe will help us review your objection (optional)

We may ask you for more information if your request is incomplete.
```

So yeah, obviously they don't want to tell me what would be a valid request from my end.

If they do, yes. But somehow I doubt it...
I have to say, that privacy policy is pretty comprehensive, and the questions they are asking seem fair.

They don't need to prove that they NEED it, just that they have a legitimate interest in collecting it which outweighs your right to privacy and your objection to it.

Just because Signal does not collect it does not mean that WhatsApp don't have a legitimate interest in collecting it. In particular, a for-profit company has a fairly compelling argument that 'business intelligence and analytics' is a strong legitimate interest, especially if, as their privacy policy suggests, they only process personal data to produce summary statistics.

You're better off just finding out what data they collect, and then trying to work out what you object to specifically.

> a for-profit company has a fairly compelling argument that 'business intelligence and analytics' is a strong legitimate interest

If profit were sufficient justification, the regulation would be toothless.

That's a bit of an oversimplification of my point. Profit is not a blanket justification for everything. However, when considering the legitimate interests of a company, it's important to look at the services they are offering (and what pricing they have for those services), as well as their overall business model.

WhatsApp saying 'we need this information for business intelligence purposes so we can grow our core business' is an argument that they have a legitimate interest in processing that data, and should be considered during their balancing test.

Signal, on the other hand, would struggle to rely on this argument, as their core business is to provide a service for free, funded by donations.

Have there been any court cases proving it wasn't sufficient justification?
https://www.pinsentmasons.com/out-law/news/cjeu-define-scope...

Looks like that very question is with the EU courts at the moment.

But confusingly, yes, there are other court cases you can find online that have said that profit alone is not a legitimate interest.

I feel the key point is they are not stating what they use the information for, therefore you cannot object to what they are using the information for.

If you can demonstrate by questioning that they are obstructing what information is used for, specifically, then that will fall foul of EU intention for objecting to use of information. Run it by https://mastodon.social/@neil@mastodon.neilzone.co.uk

Well, one hardcore way is to just switch to another app and let your contacts know where to find you if they need you.

I switched to Telegram 2 years ago, haven't installed WhatsApp ever since and all my contacts got comfortable with Telegram that I don't miss out on anything important anymore.

I understand the idea (though I find Telegram worse than WhatsApp in that it's not even properly end-to-end encrypted).

But the idea here is really to see how far I can go about asking WhatsApp to not collect my data :-).

You'd be right, if you had any proof of WhatsApp being E2EE in the traditional sense.

You're using obfuscated closed source binaries from the biggest behaviour manipulation corporation on the planet.

Telegram is none of that. The security is robust and the features and services are much better.

> You'd be right, if you had any proof of WhatsApp being E2EE in the traditional sense.

Fair point. Though last time I checked Telegram, nothing except the secret chats was end-to-end encrypted. So there I know that the features people like on Telegram are definitely not E2EE.

> The security is robust and the features and services are much better.

Features and services, I can accept that. Security... well again, only the secret chats are E2EE, and last time I checked, the secret chats didn't have more features than Signal.

> Features and services, I can accept that. Security... well again, only the secret chats are E2EE, and last time I checked, the secret chats didn't have more features than Signal.

That doesn't mean they're in plain text. MTProto 2.0 is an audited and robust algorithm.

E2EE's cloud sync support is not very good, which is why Telegram doesn't use it because Cloud Sync is one of the best features of Telegram.

You can read more about the algorithm here: https://core.telegram.org/mtproto

> That doesn't mean they're in plain text. MTProto 2.0 is an audited and robust algorithm.

Nope, but it means that they are not E2EE. Meaning that the Telegram server (and whoever has access to it) has plaintext access to the messages.

Don't use WhatsApp ... or deal with their crappy (ie nonexistent) privacy and data use rules
The whole point of my question is that I want to see how far I can leverage the GDPR with WhatsApp. I do use other apps, but that is not the question :-)
> My question: what should I answer to that e-mail in order to force WhatsApp to collect as few metadata as possible coming from my activity?

Simple answer – you aren't going to be able to. Do you think they are going to release a new version of the app just for you? Their current policy has undoubtedly been approved by legal teams in the EU and across the world and unless you can find better lawyers than theirs or sympathetic government officials to back your cause you aren't really moving the needle.

> Do you think they are going to release a new version of the app just for you?

They would probably do this server-side, something like (if the metadata comes from/is related to the user with the phone number $FOO, flush it, don't store it)

Well, you are wrong if OP is based in the EU. Every member state has DPA - Data Protection Authorities that citizens can contact and/or report companies that are violating. They have the authority to investigate and hand out fines(1), which in GDPR can be rather significant.

https://commission.europa.eu/law/law-topic/data-protection/r...

(1): It's incorrect to say they have the authority to hand out fines, but I don't know the word for it, and it's perhaps not the most important part of this.

Sure and what EU policies is WhatsApp violating?
If you read my link above, WhatsApp literally told me that I could object to some data collection as per the EU regulations.

WhatsApp showed me a popup telling me that!

Well, that's not the point. The comment above asserted that OP cannot “move the needle”. I’d say that's incorrect. If WhatsApp is violating GDPR.
That is precisely the point. "Hey guys how can I take down Facebook?" Well you need proof of wrongdoing first, and don't have any. How is writing yet more emails in different words going to help?
I think you totally missed the point. Let me rephrase it: as per the EU legislation, I got a popup in WhatsApp that was saying that I have a right to object to their data collection. I followed those links and got the e-mail above.

They are essentially telling me: "You need to put the right words in your e-mail if you want us to take you seriously, but we are counting on the fact that you don't, and therefore we work around your right to object".

Hence my question here. If somebody found a way to send the right words to WhatsApp and shared them, I could send the exact same e-mail. Or differently, if we could find a "good e-mail" to send and WhatsApp still refused to acknowledge it, then EU-based users could complain to the EU and possibly get the law with them.

I think it can move the needle.

One of the roles of the DPA is to investigate and collect formal proof of wrongdoing. So no, you do not need proof of wrongdoing, you just need enough to get the DPA to investigate. For example, a fundamental principle of GDPR is that of data minimization; a data controller must do whatever they can to minimize the data they collect and process. Another fundamental right is the right of access, meaning the right to get told all the data a data controller is collecting and processing about the subject. Say WhatsApp list the data they collect, and say that list is very long. Then I don't think it would be difficult to argue [to the DPA] that WhatsApp is breaking the principle of minimization. Perhaps enough to start an investigation.

There is a bit more to it than that, like legitimate interests etc., but on the other hand GDPR has many more principles and fundamental rights for companies to break.

Don't use Whatsapp. Work on a replacement on Veilid.

https://veilid.com/

Nobody ever uses WhatsApp for the actual app. People use WhatsApp only because it's a walled garden that doesn't federate with any other servers so it's impossible to contact anyone through it without joining yourself.
And hopefully the DSA will change that.
I don't think anything will ever change that. The problem isn't WhatsApp but the general problem of "each person is only reachable via certain contact methods" which can't ever be solved by anything.
The DSA forces platforms to allow federation and to expose public API endpoints. So it solves this because it makes it possible for you to talk with someone on a different app.
The risk being that the experience will be miserable. I can totally imagine a world where you can talk between Signal and WhatsApp, but reactions don't work, sending files doesn't work properly, changing permissions in a group doesn't propagate, etc.

Unless you force everybody to use the exact same protocol, with the exact same features, and to never add or change a feature.

Well Signal Messenger is nice. I am using WhatsApp because of network effect: some people are on WhatsApp and not on something else (Signal is the most popular alternative where I am, Threema is third. Never heard of Veilid).
Or Matrix. With Matrix you can additionally bridge some chats from other platforms.
Sure, I just can't talk to my friends and family there :-).
Fwiw, my family and friends are also not on matrix. Setting up an iMessage bridge (with a spare apple device) and a sms bridge has enabled me to use matrix with them.

It's nice being able to message from my phone and Linux desktop without any trouble

I'm so tired of this answer. You have phones, right? You know, you dial ten or so digits and then you flap your mouthholes at the grill and pretend you're human?

Nah, let's just use the platform owned by the war criminal because everyone is there with our tech-ignorant relatives as our excuse. I hope you all meet a Rohingya one day.

Hey buddy take a xanax or something, this is hackernews not your DefCon forum.
"If you don't like reality, numb it out like the rest of us man."

We do have to practice tolerance of certain things, but genocide is not one of em. I'm sorry it makes you uncomfortable to know that you're using the same platform that was used by state-supported mass murderers and the executives knew about it and took the money, but allowing others to tend to their own discomfort is the deepest of compliments.

Man you have no clue how many people I moved to Signal. I actually contributed to Signal years ago. So respectfully, f** you (if you're going on that tone).

There are just some people that still keep WhatsApp, meaning I need it.

Install the app on their phone for them. It's that easy :)
Technical details 404, nothing about what distinguishes it from other chat platforms and hosts its own community on Discord. No.
Select “technical details” > Error - Page not found.
I don't know if it helps but I wondered what ChatGPT would say:

Dear WhatsApp Privacy Operations,

Thank you for your prompt response. I am writing to formally object to the processing of my personal information by WhatsApp based on my rights under the General Data Protection Regulation (GDPR).

What information processing you are objecting to: I object to the processing of my personal data, including but not limited to my contact list, messages, location data, device information, and any other data that WhatsApp collects for purposes that are not essential to the provision of the service. Specifically, I am concerned about the processing of my data for targeted advertising, data sharing with third-party entities, and any other processing activities that are based on WhatsApp's legitimate interest rather than my explicit consent.

How WhatsApp’s processing of this information impacts you: The processing of my personal data by WhatsApp impacts my fundamental rights and freedoms, including my right to privacy. I am concerned about the potential misuse of my data, the risk of data breaches, and the sharing of my data with entities that I have not provided consent to. The aggregation and analysis of my data for profiling and targeted advertising purposes infringe upon my right to a private life and can lead to unwanted and intrusive advertisements. Furthermore, the sharing of my data with third-party entities without my explicit knowledge or consent compromises my trust in the platform and my ability to control how my personal information is used.

Any additional information you believe will help us review your objection (optional): I understand that WhatsApp may have business reasons for processing user data, but as a user, I believe that my right to privacy and control over my personal data should be paramount. I urge WhatsApp to consider the concerns of its users and to prioritize transparency and user control in its data processing activities. I hope that my objection will be taken into consideration, and I look forward to hearing from you regarding the steps WhatsApp will take to address my concerns.

Thank you for your attention to this matter.

Sincerely,

[Your Name] [Your WhatsApp Phone Number]

I LOL'd. This is why you don't let AI write anything. It's great for giving a gist or summarizing/categorizing things... but this. I ... wow.

> I object to the processing of my personal data, including but not limited to my contact list, messages, location data, device information, and any other data that WhatsApp collects for purposes that are not essential to the provision of the service

It's literally a messaging app! You literally need ALL of those things just to send messages. Else how do you send a message without processing (aka, routing) it? How do I share a live location without processing my location data?

> Specifically, I am concerned about the processing of my data for targeted advertising, data sharing with third-party entities, and any other processing activities that are based on WhatsApp's legitimate interest rather than my explicit consent.

OK, so what. Sending a message is literally sharing data with a third party. There's no way around it, there will always be AT LEAST 3 parties: the sender, whatsapp, and the recipient. Like come on. Are they supposed to ask you on every send: "do you consent with sharing your message with the recipient?" LOL

> I am concerned about the potential misuse of my data, the risk of data breaches, and the sharing of my data with entities that I have not provided consent to.

For some reason, I assume they're concerned with this too and go to great lengths to protect their infrastructure.

> The aggregation and analysis of my data for profiling and targeted advertising purposes infringe upon my right to a private life and can lead to unwanted and intrusive advertisements.

LOL. So counting the number of people who do X where the count is in the hundreds of thousands to millions somehow endangers your right to privacy? I can't wait to hear about this one.

> the sharing of my data with third-party entities without my explicit knowledge or consent

Your habits of drunk dialing on Whatsapp (which is the only way I can really think of involving a third party without your consent, though I guess butt-dialing counts too) ... are not their problem.

> prioritize transparency and user control in its data processing activities.

Yeah, if they're sending messages without telling you, then I suppose you'd probably want to stop using that service.

This message was a good laugh, and all the more reason NOT to let AI do ANYTHING meaningful.