Project Ghostbuster: Why WhatsApp should not be used in business

New allegations show why Meta apps like WhatsApp should not be used in professional circumstances.

Facebook's parent company, Meta, is facing new allegations of criminal behavior that undermines users' privacy. According to a report by TechCrunch, the actions outlined in a new class-action lawsuit don't involve the direct exploitation of user data on Meta's platforms. Instead, they allege the weaponization of existing Meta apps and services to access confidential user data in other platforms' apps, such as Snapchat, Amazon, and YouTube. This sheds new light on the usage of Meta-developed software like WhatsApp and Facebook Messenger, especially in professional circumstances.

To gain additional analytics on its quickly growing competitor Snapchat, Facebook CEO Mark Zuckerberg allegedly ordered company employees in 2016 to develop new ways to get around Snapchat's encryption of its metadata. In a project internally named “Project Ghostbuster”, the company apparently decided to use the VPN provider Onavo, acquired in 2013, to snoop on the apps' data before it was encrypted and sent to the corresponding servers. This is according to documents published in connection with the new lawsuit (PDF). Onavo was shut down in 2019, after reports that Facebook used the app to monitor teenagers' online behavior in exchange for money. The analytics obtained in this very questionable way were apparently used internally to inform product development against some of Meta's competitors.

Meta apps cannot be trusted on professional devices

The allegations and the class-action lawsuit shed new light on existing concerns about Meta's business practices. While messages in both WhatsApp and the Facebook Messenger app are encrypted end-to-end, the apps use users' metadata to make money by selling user data to advertisers. The new revelations additionally call into question the integrity of the apps themselves.

“The class-action lawsuit demonstrates that Meta doesn’t shy away from using their own apps and services to spy on their users, even on other platforms and services. Some of the apps used to be, in essence, a Trojan horse on users’ devices,” says Sascha Haase, SVP Product Management at Wire. “WhatsApp and Facebook Messenger may be safe enough to exchange some memes – but they should never be used in professional contexts.”

Enterprises and governments have to deal with manifold regulations regarding data protection and privacy. Apps that behave in this way on company devices threaten compliance and can lead to dramatic fines and reputational damage, so they should be avoided.

While WhatsApp offers a “Business” version of its app, challenges remain for the compliant use of the app. For example, the WhatsApp Business app still needs access to the smartphone's address book in order to be used comfortably. In its FAQ, the company delegates responsibility for the lawfulness of access to the address book to the users themselves. Wire can be provisioned with professional team management and access controls. It also allows for secure and GDPR-compliant conversations with external users. There is no burden on individual users to ensure GDPR compliance.

Some enterprises, especially in the financial sector, are facing even stricter rules. Huge banks in both the US and Europe have been fined hundreds of millions of dollars for the use of unauthorized messaging apps in the company. With Compliance Recording, Wire provides an easy-to-use way to ensure compliance with financial regulations while maintaining the benefits and integrity of end-to-end encryption.

“Using WhatsApp in the business context might feel seamless and easy,” says Sascha Haase, SVP Product Management at Wire. “But doing so might expose you to huge liabilities and legal risks.”

Wire guarantees privacy

Wire takes users' privacy very seriously. We allow our customers to run fully independent on-premises instances of Wire, with full control over all metadata. Even in our cloud-based offering, metadata collection is confined to the bare minimum needed to provide a smooth service and the timely delivery of all messages. End-to-end encryption is applied to every chat message, screen share and all audio and video calls at Wire. Because Wire publishes its source code on GitHub under an open-source license, everyone is free to verify our claims on this topic.

Last year, we wrote in our blog: “We want to take this moment to reiterate to you that our pledge towards minimizing data collection lives on in the age of AI. We do not, and will never, compromise the confidentiality of your conversations.” This promise is still valid.
