Even as WhatsApp keeps touting its end-to-end encryption, questions about its data-privacy practices continue to linger. Following outrage surrounding its revelations that it shares user-data with Facebook, WhatsApp then claimed that it shares ‘very little data‘ with the social media giant. Alarmingly, however, the stuff that it does share, apparently relates to the recently-introduced UPI-based payments feature in India.
Now, a day after it tried to reassure its business users about the privacy of their data, WhatsApp is doing its best to pacify its massive user-base in India by issuing a supposed clarification about payments-related data sharing with Facebook. However, other than a vague statement about using ‘Facebook infrastructure’ to facilitate payments, there were no further details about the type of data that it actually shares. So now there are more questions than when we began.
“When you make a payment, WhatsApp creates the necessary connection between the sender and recipient of the payment, using Facebook infrastructure. We pass the transaction information to the bank partner, which is called a PSP (payment service provider), and to the NPCI (National Payment Corporation of India), so they can facilitate the movement of funds between the sender’s and receiver’s bank accounts”
What exactly is Facebook infrastructure has not been clarified. WhatsApp also claims that Facebook doesn’t use the payments info for commercial purposes, saying, “It (Facebook) simply helps pass the necessary payment information to the bank partner and the NPCI. In some cases, we may share limited data to help provide customer support to you or keep payments safe and secure”.
However, the fact that Facebook has any of that info at all is an alarming development for many privacy-conscious users. In fact, experts contacted by Business Standard also seem to believe that WhatsApp’s actions may be violating the guidelines set by the NPCI, which says, “PSP shall not share the data with any other third party unless mandated by applicable law or required to be produced before a regulatory/statutory authority”. However, whether a parent company can be categorized as a ‘third-party’ remains to be seen.
If WhatsApp had hoped that this statement would quell the criticism around its opaque data-sharing policy, then it’s been a massive failure. Not only do users not know any better, they are left wondering what ‘Facebook infrastructure’ is and whether it has any hooks to Facebook’s profile data for users. The ambiguous language will be question and it leaves us convinced that we will hear more about this controversy in the days to come.