In this series, we discuss privacy topics that relate to common technology services, and privacy-enhancing options.
It's probably safe to describe WhatsApp use in Bermuda as "fairly popular."
One of the first questions I was asked when relocating was, "Do you have WhatsApp?" Many conversation end with, "WhatsApp me!" and when I say that I don't use the service, the idea causes a reaction mixed between surprise and outright confusion.
Why wouldn't I use WhatsApp? Well, a note to start: all privacy choices are personal. We each undertake our own balancing of what information we are comfortable sharing with what service we are getting. But I personally have not been comfortable with placing my trust in WhatsApp, since it was part of a Facebook family of companies that has a history of utilising contact information without notice to grow its network or sell advertisements, conducting psychological studies on unaware users, telling people that features like email verification were designed to protect security then using them for marketing, and violating users' privacy by sharing their data with third parties without their knowledge.
WhatsApp has stated in their previous privacy policies that users are able to limit their data sharing, but in an announcement earlier this month the company stated that it would require sharing information with Facebook, creating concerns that personal information may be used for marketing and advertisements in WhatsApp, that user's contacts would be connected with their Facebook contacts, or that businesses may be able to utilise behavioural data for ads.
In recent days, a number of people have reached out me with these concerns about the announced changes to WhatsApp's privacy policy, as well as questions about what they should do. Again, all privacy choices are personal, and we must each make a decision about privacy-protective options. Some people may not be concerned about advertisements or the possible increase of online profiling.
Whenever someone asks for a suggestion for an alternative messenger app, I suggest they take a look at Signal, a free app that was developed and is run as a non-profit. It is easy to set up using your phone number, and provides security features that may help you to feel confident that you and only you have access to your messages.
In fact, Signal has committed to disclosing any instance in which they share information with a third party, even law enforcement. In their "Big Brother" report, they state that even when legally required to disclose personal information, all they are able to provide is "the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service," because that is all the information that they have. Messages themselves are encrypted, so cannot be read except by recipients.
Some encrypted messenger services, like iMessage or Telegram, will provide an additional option to store centralised back-ups of your messages. Signal again chooses a more privacy-protective option by storing all of your messages on your phone. (Like other privacy-enhancing technologies, this could be an issue if you are prone to losing your device. You may lose your existing messages, too, and have to restart conversation threads.)
In the quickly-changing world of technology, even I hesitate to make something so bold as an endorsement. But as described in our office's policy of "Constructive Oversight," we don't see our place as simply waiting on organisations to make a mistake or violate privacy rights. We also want to reach out to and reward organisations who make good faith efforts to give users control over their privacy. With to my knowledge universal agreement, Signal is just such as example and should receive our recognition as such.
Perhaps the biggest issue you may find (as I have) is that in order for Signal or any other messenger service to be practical, the people with whom you want to exchange messages have to be using it, too! So take a look, and start up conversations with your friends and family about messenger privacy options. As always, we are here to support you and answer any other questions you may have.
Alexander McD White
Privacy Commissioner
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Press Background:
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issue guidance and recommendations, liaise with other enforcement agencies, and advise on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people’s rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by Excellency the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention of Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."
About Signal: Signal is a mobile application created by the Signal Technology Foundation, which describes itself as a "nonprofit organization that supports Signal Messenger, and its mission of developing open source privacy technology that protects free expression and enables secure communication around the world." More information may be found at https://support.signal.org/