Cover Story: WhatsApp debacle exposes local privacy problems

This article first appeared in Digital Edge, The Edge Malaysia Weekly, on February 1, 2021 - February 07, 2021.

Sharing is caring, but can it be taken too far? 

Recent events after messaging giant WhatsApp announced deeper integrations with parent company Facebook have brought the issue of user data privacy into the spotlight. For Malaysian users, they have also exposed a number of potentially serious flaws in the Personal Data Protection Act 2010 (PDPA). 

The crux of the problem is this: while the PDPA has reasonable protections in place, it lacks, among others, specific provisions that define effective consent before personal user data is collected by a business and potentially shared with other parties. 

With no minimum standard for consent, industry in Malaysia (and big tech more generally) has taken an almost laissez-faire approach to obtaining consent from local users, effectively writing its own set of standards to plug the gap in the PDPA. This, in turn, has enabled businesses to bombard users with unsolicited marketing communication, in addition to sharing personal data with third parties.

Meanwhile, WhatsApp, which boasts more than two billion users globally, sent notifications early last month to inform users that they either would have to consent to having their personal data shared with its parent company, Facebook, or delete their accounts. 

According to local cybersecurity and penetration testing firm Firmus Sdn Bhd, the proposed updates to WhatsApp’s privacy policy would have covered the following overarching issues: 

• How WhatsApp processes the data it collects;
• How businesses can use Facebook-hosted services to store and manage their WhatsApp chats; and
• How WhatsApp will soon partner with Facebook to offer deeper integrations across all of the latter’s products.

The preliminary explainer that Firmus shared with Digital Edge notes that WhatsApp would collect data pertaining to, among others, a user’s phone model, operating system, language and time zone, IP address, status updates, profile pictures and WhatsApp group details. 

Actual messages, however, are encrypted end-to-end, and according to WhatsApp, this applies to both private messages between individuals as well as those between individuals and a WhatsApp business account. 

However, it should be noted that Payments on WhatsApp, a service that is currently available in some countries, is not end-to-end encrypted, as financial institutions would not be able to process transactions without first receiving information related to these payments. 

Given Facebook’s own troublesome track record on safeguarding user data, there was considerable online backlash when the announcement was first made. It became so severe that WhatsApp delayed the Feb 8 rollout of its updated privacy policy to mid-May. 

“I think the issue here is the manner in which WhatsApp obtains consent to use the personal data they collect,” says Firmus chief technology officer Maneesh Chandra. 

According to him, WhatsApp initially sought to obtain consent by effectively blocking users from accessing the app, which may have accounted for the initial backlash. Previously, users were able to opt out of sharing their personal data with Facebook with no consequences. 

While new details from WhatsApp are not yet forthcoming, Firmus reminds business owners that they too have a responsibility to secure the data that passes through their WhatsApp business accounts. According to the explainer, local businesses are required to obtain consent for sending, storing, reading, managing and processing user data. 

Customers should also be apprised of how the businesses process information obtained via WhatsApp, in particular, the extent to which this information is shared with other third parties or with social media platforms such as Facebook. 

Bigger concerns abound

WhatsApp’s privacy problems notwithstanding, Malaysians up to this point may be forgiven for thinking that their data privacy is safeguarded by the PDPA. This is true on paper.

For all practical purposes, the PDPA provides a basic level of data protection that in its present form is too easily overcome. 

“The wording of the PDPA is not too dissimilar from data privacy laws in other countries and in that regard, our law is all right. However, one of the notable gaps in the PDPA is that it does not define what constitutes consent on the part of users,” says Adlin Abdul Majid, partner and technology practice lead at law firm Lee Hishammuddin Allen & Gledhill. 

“This has effectively led to industries in Malaysia running riot with their own convenient definitions of the term,” she adds. 

In attempting to comply with the PDPA, industries have over the years taken to developing their own so-called “codes of practice”. Within these codes are industry-specific elaborations on certain principles of the PDPA, consent included. Banks have an industry code, and so too do the insurance, telecommunications and utilities industries. 

But in all these codes of practice, user consent is defined in ways that are beneficial to industry, rather than as a means to protect users against unsolicited contact or questionable data sharing practices, says Adlin.

She cites “opt out” and “deemed” consent mechanisms as troublesome and detrimental to users’ ability to give effective and informed consent. WhatsApp’s privacy policy also operates on an opt-out basis. 

Opt-out mechanisms require users to actively withdraw consent that is otherwise already implied. If a user does not decline, then consent is presumed to have been provided. Deemed consent, meanwhile, simply assumes consent on the part of the user. 

“In order to comply with the spirit of the PDPA, I think more traditional opt-in consent mechanisms are the way to go. But industries’ codes of practice have, to varying degrees, allowed opt-out and even deemed consent mechanisms,” says Adlin.

She cites the example of the Malaysian banking industry. While consent provisions in the data protection framework require a business to get fresh consent from a user if it intends to market a new service to that user, there is an exception to this rule for services provided to a user within a group-of-companies structure. 

“If I, as a private individual, happen to have a simple banking product with a particular bank, that bank will be able to send my personal information over to its insurance subsidiary, if it has one, for direct marketing purposes,” she points out. 

This has the effect of allowing entire industries to create a multitude of legally binding standards and definitions for consent, all of which users in Malaysia have little choice but to agree to. 

These codes of practice enjoy legal standing in Malaysia because they have been registered with the Malaysian Personal Data Protection Department, an agency tasked with the administration of the law, says Adlin.

So, does WhatsApp’s own privacy policy comply with the provisions of the PDPA? There isn’t an easy answer. 

Strictly speaking, the PDPA requires that a business’ privacy notice be provided in both Bahasa Melayu and English. On that basis, she notes, WhatsApp is not in compliance with the law because its privacy policy is only in English. 

On the other hand, so long as Malaysia-based users agree to WhatsApp’s privacy policy and opt-out method of consent-taking, it could be considered effective consent. “Given the PDPA’s lack of definition for consent, WhatsApp would not, strictly speaking, be in breach by sharing user information with Facebook, assuming a user has given some form of consent to WhatsApp.” 

Ultimately, she adds, WhatsApp’s privacy policy has not been challenged in Malaysia, and it appears no one is willing to do so for now.

Problems with MySejahtera 

Another major concern is that the PDPA in its present form exempts the federal and state governments from compliance. This is especially concerning in the current climate, with the Covid-19 pandemic forcing people to use the MySejahtera contact-tracing app. 

“In the early months of the pandemic last year, we were required to log very personal details into physical books and ledgers as a means to conduct contact tracing should the need arise. This brought with it the very serious risk of abuse,” says Adlin. 

“The government recognised this and rolled out the MySejahtera app, which allowed users to provide personal details while bypassing the quite risky physical requirement of providing things like names and phone numbers in a book.”

With all this data now going directly to the government, and taking into account the fact that the PDPA does not even apply to government actors as well as non-commercial settings, there is a sense that the personal data is not being protected at this critical level, she adds. 

“When I look through the MySejahtera app, I’m struck by a few issues. Because of the PDPA exemption, there is no accountability by the government, nor any visibility on their specific intentions with this rich source of data. 

“Second, having gone through the app, I note there are really no terms, conditions or privacy policies as far as I can tell. And third, and perhaps most alarming, the MySejahtera app makes references to e-wallets. But when I click on the relevant link, I am redirected to a blank page. I can’t be certain, but my guess is there are plans in the pipeline for MySejahtera to eventually be linked to e-wallets, and to perhaps become some kind of payment platform. 

“But if this turns out to be the case, then MySejahtera would quite clearly cross into commercial transaction territory, which means it would now need to comply with the PDPA. But how would this work with the government being exempt from the PDPA to begin with?”

Her concerns are shared by Anisha Nadkarni, tech policy research fellow at the Social and Economic Research Institute Malaysia (SERI). “What I find to be really scary is we just don’t know the full extent of the use cases that are going to come out of this trove of data that is now in the government’s hands. I’m reminded of the Singaporean government’s own contact-tracing app, whereby the authorities assured the public that it would only use the data for contact tracing purposes,” she says.

“But in early January, the Singapore government backpedalled and said it was going to use data from the contact-tracing app for criminal investigations. If that’s being done in Singapore, how would we know it wouldn’t happen in Malaysia?” 

At present, the global gold standard for user data protection appears to be the EU’s Global Data Protection Regulation (GDPR). All the experts who spoke to Digital Edge say there are at least a few provisions in the GDPR that should be folded into our own data privacy framework. 

“I think that for now, the GDPR is a good template to look at when considering how to modernise our own data protection laws. There are very specific requirements in the GDPR that define the parameters of consent for users based in the EU,” says Anisha. 

“For example, merely swiping or scrolling through a page cannot in any way be tantamount to effective consent. That’s the sort of very clear and obvious rules that we need to work into our own PDPA.” 

Also, she adds, access to services and functionality cannot be made conditional on the user accepting things like embedded tracking cookies in their web browsers. 

In addition to better consent provisions, Adlin wants the government exemption to be removed from the PDPA altogether. “As government services are increasingly being delivered online and through apps, there should be greater urgency around requiring that the government complies with the PDPA.”

The PDPA should also incorporate a strong reporting requirement that would mandate that some form of notice be provided to individuals when a company suffers a large enough data breach. 

While the GDPR has such a reporting mandate, none yet exist in the context of the PDPA. And while there are similar reporting requirements in other laws in Malaysia, these tend to be industry-specific, for example, Bank Negara Malaysia’s own data breach reporting mandates that it imposes on all banks in the country. 

“I think on the whole, the GDPR has definitely caused the PDPA Department here in Malaysia to recognise some very real issues with the country’s data protection framework. I’m hopeful that the law will be substantially strengthened to become more in line with international standards,” says Adlin.