
WhatsApp told to stop sharing user data with Facebook by French authorities - artsandsci
https://www.reuters.com/article/us-whatsapp-privacy-france/french-privacy-watchdog-raps-whatsapp-over-facebook-data-sharing-idUSKBN1EC285
======
RestlessMind
EU is one of my best hopes when it comes to privacy and really wish they start
going after tech behemoths. I have given up on US authorities doing anything
to rein them in. And policies in other significant countries (e.g. China)
would be even worse for user privacy.

~~~
gradys
I'm torn on this. On the one hand, I agree, the EU legislates privacy to a
degree that no other political entity does as far as I'm aware, but on the
other hand, they often do so with poorly designed policies. As an example, I'd
point to the cookie notices that appear on almost every major website, which
must have absorbed, globally, many careers' worth of man-hours to implement
while offering virtually no real-world privacy benefits.

Maybe I'm over-indexing on one bad example? I'd love to hear more informed
opinions about this.

~~~
juanmirocks
I guess the grass is always greener on the other side. I'm European, and I
sure miss my perceived greater freedom and innovation of economical activities
in the US. Things like having UBER banned for example in France or Germany
completely throw me off. And in Germany you don't know yet what's living
without cash and only with a credit card.

And those damn cookie notices!! Because they show up in every page, everybody
accepts the policy without questioning, which completely defeats the purpose.
And worse for the user experience, most often the implementation of websites
for those notices is dummy, and shows the notice upon refreshment, even after
having accepted the policy before.

~~~
pgeorgi
> And in Germany you don't know yet what's living without cash and only with a
> credit card.

That's because we had our own system established in 1984 (ELV, electronic
direct debit based on the EC cards mentioned elsewhere). From a German point
of view, a credit card is a downgrade.

- The system covered all German banks (private banks, public banks =
Sparkassen, credit unions) because they got their act together and set up a
single standard.

- It had lower fees than credit card transactions.

- Pretty soon the card was included with bank account fees, while credit
cards cost extra.

- It worked with a magnet stripe and automated electronic clearing in a time
when credit cards were merely a slight convenience over manually writing a
check which needed to be mailed around the country (you do know why credit
cards have name + card number embossed to this day, right? Check out credit
card imprinters).

All that made it more attractive to merchants, and credit card companies
weren't used to competing in a market that already had a big incumbent.

~~~
pierrebeaucamp
I don't think that matters at all. Many countries have their own debit card
system and for what it's worth, I think EC cards are great debit cards. They
can, however, not replace credit cards.

All the benefits from credit cards really come from the fact that you're
paying with credit:

- Travel a lot? They sure accept Visa.
- Want to pay some street vendor? Square is only possible because they don't
need to dial your bank directly.

Also the fee per transaction might be cheaper on debit cards, but the cost to
acquire a debit card reader from your bank is still high. That's why virtually
all larger vendors do accept debit cards in Germany, only smaller businesses
are cash only (from my perspective).

~~~
supergarfield
The advantages you give aren't directly related to the cards being real credit
cards, though. Visa debit cards work fine all over the world, and with Stripe.
(In my experience it's very common in Europe for debit cards to be dual
network, domestic and Visa or MasterCard. I don't know about Germany, though.)

The real advantages of credit are spending money you don't have, and
points/cashback.

~~~
pjmlp
You can get them with debit cards as well, depending on your bank account
contract.

On some banks there are bank accounts with automatic credit, up to a certain
limit of expenses.

------
code_duck
I’ve noticed the data sharing between Instagram and Facebook, and purely as a
user, it has been an annoyance so far.

I had been cultivating the two as separate networks, to avoid the algorithm’s
tunnel vision and interact with a wider circle of people. I never linked my IG
and FB accounts together. I use both of them for my business as an artist, and
have thousands of people that I’ve never met on both. On instagram, they
started emphasizing the posts of people I had recently interacted with on
Facebook, and vice versa. Presumably, the algo does this because it deduced
I’m particularly interested in those people. It’s an incorrect guess and is
actually the opposite of what I’m trying to achieve by using the two apps.

When Instagram was purchased, I presumed that Facebook was going to slowly
turn it into Facebook and ruin it. It’s a typical story – a new product comes
up that is successful or special for reasons that a large company can’t
understand, and since they didn’t understand it enough to create it, once they
own it, they can’t continue the recipe. Filtering the feed, ads, video, the
snapchat copy, messaging... Turning Instagram into an extension of the
Facebook network actually makes it a lot less useful. Once my parents are
posting on there, I’m done.

~~~
makecheck
A similar thing happened when Google+ tried to link accounts with YouTube,
etc.

When will companies figure out that a brand has value _by itself_ and _should
not_ be auto-merged with the rest of the universe?

It just makes me want to avoid doing pretty much anything, for fear of the
next purchase out of my control just mixing things together.

------
kuschku
» The CNIL said it had repeatedly asked WhatsApp to provide a sample of French
users’ data transferred to Facebook but the company had explained it could not
do so as it is located in the United States and “it considers that it is only
subject to the legislation of this country.” «

That's a very interesting quote from Facebook, and explains why the GDPR has a
special section explaining that it also applies to foreign companies that
process data of EU citizens.

In general, Facebook is trying to set a dangerous precedent here. A company
operating in our countries, taking our data, owning property in our countries,
having employees in our countries, owning critical infrastructure in our
countries (WhatsApp has basically replaced SMS and other messaging
infrastructure), yet refusing to acknowledge the laws of the countries they
operate in.

~~~
hartator
I am glad as a US company we don't have to comply with the dumb EU cookie laws.
Yeah, we know every website in the world uses cookies. Don't need a modal
everywhere.

~~~
toomuchtodo
Bad news friend. You have to comply with GDPR if any of your users are in the
EU, even if they were originally not in the EU when they signed up. Your user
merely needs to be an EU resident.

[https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Scope)

---

The regulation applies if the data controller (an organization that collects
data from EU residents) or processor (an organization that processes data on
behalf of data controller e.g. cloud service providers) or the data subject
(person) is based in the EU. _Furthermore the regulation also applies to
organizations based outside the European Union if they collect or process
personal data of EU residents._ According to the European Commission "personal
data is any information relating to an individual, whether it relates to his
or her private, professional or public life. It can be anything from a name, a
home address, a photo, an email address, bank details, posts on social
networking websites, medical information, or a computer’s IP address."

---

~~~
hartator
If you don't have an organization in EU, they can't sue you in the U.S.
because it's allowed here. It's like the U.S. trying to sue local Amsterdam
pot shop because they sell drugs to U.S. residents.

~~~
germanier
I have bad news for you: things like the Uniform Foreign Money Judgments
Recognition Act exist, which make it possible to enforce foreign verdicts.
Even if no such law applies, most US companies that do business with EU
customers have by definition some assets in the EU even if only briefly (or
else they couldn't charge them anything).

The US doesn't sue foreign pot shops because the sale happens abroad and they
have decided to not bother with that but they absolutely could enact such a
law if they wanted. Who is there to stop them? The US actually does apply some
of its laws abroad. Here is an example that is similar to yours
[https://www.insightcrime.org/news/analysis/as-us-prosecutes-...](https://www.insightcrime.org/news/analysis/as-us-prosecutes-foreign-crimes-how-far-can-its-extraterritorial-jurisdiction-reach/)

Again, the problem is only enforceability. If they can't get hold of any
money, a verdict is useless.

~~~
MVorlm
That's the point. If I run a US-based company and have 0 assets in X country,
it doesn't matter. EU lawyers would also know this and also wouldn't bring it
to court. It's just a waste of everyone's time. I'm certainly not going to do
anything if I get a summons from a random country due to some random law.
Especially if it means nothing in the country I'm currently located in.

~~~
kuschku
It does matter if your bank will comply, and no bank will risk getting banned
from the EU market for a small customer like you.

Some day you’ll wake up, and notice all your corporate bank accounts are empty
and frozen.

------
mikeokner
I wonder what the legal argument is behind this ruling. If one newspaper
acquired another, couldn't the parent then market to the subsidiary's
subscribers even if they continued to operate separately? The parent now owns
everything anyway.

~~~
teekert
The argument is that WA always told us that they wouldn't share our data. This
was a reason people signed up, you can't just "Oops we did it anyway" on so
many people. At least not on people who have a government with their best
interest in mind.

~~~
djsumdog
Did WhatsApp charge anything? I thought for contracts you needed some kind of
actual dollar amount (even $1) for it to be binding? Is that very US-law
specific or am I way off here?

~~~
pdpi
For a contract to be binding, you need consideration[1] from both parties. A
contract where you give me something for nothing is not binding, we both need
to be giving each other _something_. That something need not be money: A
contract saying that you agree to give me your house if I give you my car
would qualify. Google and Facebook extract enough value from targeting ads
based on the personal information we agree to give them access to that access
to said information is enough to qualify as consideration. I'd argue that,
even if WhatsApp doesn't have a monetisation strategy that leverages said
information, it's credible enough that it would qualify as consideration.

[1] [https://en.wikipedia.org/wiki/Consideration](https://en.wikipedia.org/wiki/Consideration)

~~~
andrewaylett
That still depends on the jurisdiction: Scotland, for example, does allow for
contracts without consideration:
[https://en.wikipedia.org/wiki/Scots_contract_law](https://en.wikipedia.org/wiki/Scots_contract_law)

~~~
Tomte
Same in Germany: you can contract to gift something.

Of course, German contract law is very strange and alien to every other legal
tradition (except Japan, I think, and that's only because they modeled their
civil law on ours).

------
gboudrias
> “The only way to refuse the data transfer for “business intelligence”
> purpose is to uninstall the application,” the CNIL said in a statement.

I mean, Facebook et al are a nightmare, but doesn't this statement apply to
almost every app?

Nevertheless, I'm sure Facebook is pretty annoyed right now, seeing as their
main business goal seems to be "hoard all the data".

~~~
soziawa
Well with WhatsApp being so popular in Europe it is almost impossible to
uninstall it.

~~~
teekert
I'm taking baby steps towards Signal. I think 10% now of my regular "apping"
is on Signal. There is still some on Telegram as well.

~~~
mancerayder
I love Signal but the reason why WhatsApp is so appealing is that there's a
desktop client.

I hate having to rely on my phone for texting people.

~~~
paimpozhil
Telegram is even better, has a nice desktop client which doesn't really depend
on the mobile.

Whatsapp's web client is just a UI to the mobile app meaning you also need to
have phone connected to internet always for it to work.

Telegram is much more responsive compared to the Whatsapp.

~~~
pmlnr
Telegram is brilliant: small, fast, efficient client for virtually anything,
including bitlbee. On the other side, it's probably hacked by most of the
agencies, but to be honest: meh. Someone will spy on me anyway; at least I
have an efficient, open source client, which isn't trying to spy on me every
possible way.

~~~
lucb1e
> it's probably hacked by most of the agencies

umm... citation needed?

------
gourou
> European data protection authorities can only impose small fines at the
> moment, but a new EU privacy law entering into force next year will increase
> fines to up to 4 percent of a company’s global turnover.

Would it be 4% of Whatsapp's or FB's revenue?

~~~
notimetorelax
This is company’s global turnover, not product’s. So, up to 4% of the turnover
in the entire company, since WhatsApp is wholly owned by FB, then it’s 4% of
FB turnover. FB revenue for 2016 is 27B * 4% ~= 1B.

------
debt
It's funny because the share price isn't reflecting these trends.

As privacy laws become more strict, which seems inevitable given what's
happening all across Europe, the data itself loses its value. If the data
loses its value, having more of it won't translate to having more value.

Facebook/Google will just have more stuff they can't use, or more stuff
they'll need to try and stretch further than they did before.

------
lakechfoma
Does anyone know what they do share besides phone number? And what could they
share?

I know end to end message encryption is a thing, but can the app still supply
your messages or analysis of them to FB?

~~~
drdrey
They can presumably not share the content of the messages, but they could
share the metadata around them. Who you are connected to, how often you
contact them, what time of day, potentially some location information, how
long you spend in the app...

~~~
mbesto
This: [https://www.pbs.org/newshour/science/your-phone-metadata-is-...](https://www.pbs.org/newshour/science/your-phone-metadata-is-more-revealing-than-you-think)

Facebook, for example, can probably establish who my wife is, even if I don't
explicitly put her in my profile, and who effectively are my affinity groups
(friends/family/etc).

------
kahlonel
I wonder what kind of data WhatsApp could be sharing with FB, given the fact
that actual conversations are end-to-end encrypted. I imagine it could be
something like 1) When do you sleep/wake-up, 2) Enumerating people in your
social circle, 3) Guess what you're up to if you use the "Status" feature, and
similar things. Now FB knows a LOT more than that about you. If you are an
active FB user, it doesn't make sense to worry about what WhatsApp does to
you.

~~~
redial
Contacts. Now Facebook not only knows who you speak to online, but they also
have access to the people _and businesses_ you deal with in the 'real world'
too.

~~~
acqq
Exactly. To use WhatsApp you have to let them copy all the contacts from the
phone to their servers, and they do it all the time.

Pity that e.g. Apple doesn't implement some special configuration for the
privacy conscious users, which would allow me to: "give to the app1 only
contacts a, b, c" and "give to the app2 only contacts e, f, g." At the moment
all the apps that I use and which insist on access to the contacts get all the
contacts you ever stored on your mobile phone. The apps should also not get my
notes to the contacts, the birthdays of the contacts etc. Ideally Whatsapp
should get only phone numbers, and only these that I want to give.

In Android, Google should (if it hasn't) also implement this as a security
feature, the benefit for them is: limit the access of the user's contacts to
their competitors, by those users who'd use the feature (I don't use Android,
is there something like that?).

Anyway, by using WhatsApp, since last year you give Facebook all the phone
contacts which they will store and match even if you didn't want to give these
to Facebook for Facebook.com or whatever.

"“Privacy is incredibly important to WhatsApp. It’s why we collect very little
data, and encrypt every message,” a spokeswoman for WhatsApp said."

When "a little" is all your contacts in the phone, it's more than a little for
Facebook.

------
kuceram
Recently, I spoke to a guy who was working in the IT department of one telco
company and he told me that they did analysis on which platform (Facebook
Messenger, Viber, WhatsApp) is mostly used based on the amount of data which
flowed through their infrastructure.

I think regulation of big players is what small businesses and end users can
profit from, definitely.

------
gourou
the CNIL brief: [https://www.cnil.fr/en/facebook-sanctioned-several-breaches-...](https://www.cnil.fr/en/facebook-sanctioned-several-breaches-french-data-protection-act)

~~~
shakna
That seems to be an earlier case of Facebook being caught doing the wrong
thing. This [0] seems to be the CNIL announcement.

[0] [https://www.cnil.fr/en/data-transfer-whatsapp-facebook-cnil-...](https://www.cnil.fr/en/data-transfer-whatsapp-facebook-cnil-publicly-serves-formal-notice-lack-legal-basis)

------
Vosporos
Yeah, finally :)

------
gimmeminusnow3
Finally some country even can say anything about Facebook!!

Please, stop using this multinational human mind programming service. Check
interviews of former bosses, what they say about Facebook's mind terror!

------
smprk
I believe a better policy is to have a completely transparent system between
apps/services, where a user can check what is being shared, and when.

------
crb002
No big deal. Just get an affirmative checkoff.

------
abritinthebay
The French system for protecting personal information should be a model for
the rest of the world imo.

(As an Englishman it pains me to say that)

A company can _never_ really “own” your data there. It merely can be lent it
for very specific purposes. Using it outside of those purposes is punishable
by law and that permission can be revoked.

It’s very pro-citizen.

~~~
coliveira
This should be the law everywhere. The US, on the other hand, believes it is
OK to provide ALL your personal information to big companies, see the debacle
of Equifax that exposed data from most Americans to hackers throughout the
world.

~~~
pitaj
Unpopular opinion: information should not be the property of anybody. You
don't own your data, you own what it is stored on.

Copyright, Patents, and other IP law is invalid application of property rights
and nobody should be able to say how anybody uses data they possess with the
exception of preemptive contractual agreements.

~~~
abritinthebay
It’s... an opinion. One that doesn’t make a ton of sense once you follow it
through everywhere, _practically_ speaking, but as an _ideological_ point...
sure, I get it.

~~~
pitaj
Can you give a few examples of it not making sense practically? I understand
the reasoning behind patents and copyright, but in practice they are abused
and at this point almost dead anyways.

------
jerianasmith
If French authorities have issued stringent guidelines about sharing of users'
data, that's a welcome step. If WhatsApp didn't have the legal basis to share
data as claimed by CNIL, why were they doing it in the first place?

------
phjesusthatguy3
Can corporations have "friends"? They're people, right? Can corporations have
interpersonal relationships?

~~~
erikpukinskis
Yes, but your friends don’t get automatic sublicenses to all of your IP
licenses.

------
hkon
I am thinking the EU doesn't want any companies to know more about its citizens
than they do themselves. Knowledge can after all be transferred to power.

