Popular messenger service WhatsApp has been under investigation by Canadian and Dutch privacy commissioners following compliants breached privacy laws.
The subsequent report on the Canadian privacy commissioner's findings found that while in-network numbers are stored in clear text on WhatsApp's servers, numbers of non-users are stored in a hashed format in a 64-bit value to render out-of-network (old or expired users) numbers as anonymous.
It may also, with a user's permission, get access to the address book on a phone that is transferred securely to WhatsApp's servers using SSL/TLS encryption.
The report said: “Principle 4.3.3 states that an organisation shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.”
The privacy commissioner recommended that all out-of-network users details be removed once consent was no longer granted. WhatsApp said that the anonomysing was sufficient, leading the commissioner to respond that "concerns relating to the retention of non-user numbers [are] well-founded".
The report deemed that WhatsApp's account confirmation messages were being sent using ordinary web traffic ports, allegedly without encryption or safeguards, leaving users potentially vulnerable in May 2011 – and it subsequently corrected this.
WhatsApp said that its policy is to delete or destroy all personal information belonging to a user, including any applicable payment information, 30 days after termination of the service. The commissioner was satisfied with this and with WhatApp's commitment to "further developing its retention policy for personal information and to making this policy publicly available".
Chester Wisniewski, senior security advisor at Sophos Canada, said: “At the beginning of the investigation, the company was not properly encrypting any of the communications of its users. Its initial attempt at encryption relied upon using IMEIs and Mac addresses as encryption keys.
“The investigation determined this was inadequate and easy to defeat. WhatsApp has begun the transition to 160-bit randomly generated keys in its iOS app and will follow through on other platforms.”
The UK's Information Commissioner's Office has been contacted in regard to the likelihood of a UK investigation.