WhatsApp may provide cyber ministry with user information if requested

Law enforcement agents in Zimbabwe may be able to access your subscriber data from cross-platform instant messaging service WhatsApp if they submit a legal request to the company, Khuluma Afrika has learnt.

Following the launch of a Cyber Security, Threat Detection and Mitigation Ministry in the country, Khuluma Afrika wrote to WhatsApp seeking clarity on whether the company would comply with official government requests for user information and data.

In a series of questions, we asked what processes would precede such actions, should the answer be yes.

Furthermore, we queried whether the government would be allowed ‘man in the middle’ access to user messages – a practice where law enforcement agencies read users’ incoming and outgoing messages by positioning themselves between the sender and the recipient.

In response to our questions sent via email, the company directed us to sections of their privacy policy, terms of service, and legal information. They specifically quoted the Law and Protection section of the company’s privacy policy, which in part reads:

“We may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary to: (a) respond pursuant to applicable law or regulations, to legal process, or to government requests;…”

Another part of the quoted section reads:

“(c) detect, investigate, prevent, and address fraud and other illegal activity, security, or technical issues;”

This raised potential challenges for Zimbabwean users.

Zimbabwe’s laws designed to curtail free speech

In Zimbabwe, it is considered illegal to insult the President. Section 33 (2) of The Criminal Law (Codification and Reform) Act reads:

(2) Any person who publicly, unlawfully and intentionally— (a) makes any statement about or concerning the President or an acting President with the knowledge or realising that there is a real risk or possibility that the statement is false and that it may— (i) engender feelings of hostility towards; or (ii) cause hatred, contempt or ridicule of; the President or an acting President, whether in person or in respect of the President’s office; or (b) makes any abusive, indecent or obscene statement about or concerning the President or an acting President, whether in respect of the President personally or the President’s office; shall be guilty of undermining the authority of or insulting the President and liable to a fine not exceeding level six or imprisonment for a period not exceeding one year or both.

A user in Zimbabwe who makes a statement deemed to be insulting to the President could thus be engaging in illegal activities.

For example, in 2015, Nduna Matshazi, a councillor for the opposition Movement for Democratic Change, was arrested for sending a ‘demeaning’ message about President Mugabe in a WhatsApp Group.

Other laws in Zimbabwe make it a crime to send certain messages. In August this year, another MDC-T Councillor, Charles Moyo (36), of Ward 9 in Bulawayo, appeared before Western Commonage magistrate Mr Lungile Ncube charged with sending a message that is grossly offensive, indecent or of an obscene nature through a cellphone.

Zimbabwe has several other laws which are repressive and curtail free speech. The Access to Information and Protection of Privacy Act and the Interception of Communications Act are among an array of other repressive statutes, while several other sections of the Criminal Reform and Codification Act make freedom after speech uncertain.

In all past instances when people have been prosecuted for messages transmitted via WhatsApp, the government has not required assistance from WhatsApp, since receivers freely shared the content with police.

What information WhatsApp may provide to law enforcement

The Law Enforcement and Authorities section of WhatsApp’s privacy policy reads:

On US Legal Process Requirements

“We disclose account records solely in accordance with our terms of service and applicable law, including the federal Stored Communications Act (“SCA”), 18 U.S.C. Sections 2701-2712. Under US law:

  • A valid subpoena issued in connection with an official criminal investigation is required to compel the disclosure of basic subscriber records (defined in 18 U.S.C. Section 2703(c)(2)), which may include (if available): name, service start date, last seen date, IP address, and email address.
  • A court order issued under 18 U.S.C. Section 2703(d) is required to compel the disclosure of certain records or other information pertaining to the account, not including contents of communications, which may include numbers blocking or blocked by the user, in addition to the basic subscriber records identified above…”

According to this section, the company may only divulge a user’s name, date of first use, date of last use, IP address (which can be used by law enforcement to obtain the user’s specific location, Internet Service Provider and device used), as well as the user’s email address.

The company adds that they require a court order to reveal more detailed data about the user’s interaction with other users, such as which numbers blocked the particular user and which numbers he or she blocked.

With regard to countries outside the United States, the company states that:

“We disclose account records solely in accordance with our terms of service and applicable law. A Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of the contents of an account.”

The company specifies that it will share user data according to applicable law.

Whilst the company does not reiterate that they will not share the contents of messages, they do state under the data retention section that:

“…We do not retain data for law enforcement purposes unless we receive a valid preservation request before a user has deleted that content from our service.

WhatsApp does not store messages once they are delivered or transaction logs of such delivered messages, and undelivered messages are deleted from our servers after 30 days. We also offer end-to-end encryption for our services, which is on by default. End-to-end encryption means that messages are encrypted to protect against us and third parties from reading them…”

The security page of the company is adamant that WhatsApp does not have the access or capability to intercept a user’s messages, nor can it share them with third parties.

“…WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp…”

The company’s privacy policy adds that:

“We do not retain your messages in the ordinary course of providing our Services to you. Once your messages (including your chats, photos, videos, voice messages, files, and share location information) are delivered, they are deleted from our servers. Your messages are stored on your own device…”

Follow-up questions were sent to the company seeking clarity on what they deemed other illegal activities, whether some of Zimbabwe’s laws which clearly violate fundamental human rights like freedom of expression would be considered ‘applicable law’, and whether the company would honour requests based on them.

At the time of writing, the company had not responded to the follow-up questions.

What do legal experts say?

We shared the response we received with Alex Magaisa, a legal expert and lecturer at Kent University (UK).

He had this to say:

“The disclaimer is designed to show that they have access to and can share a user’s data with public authorities. This means the protection by encryption is not a blanket cover as WhatsApp can share this data.”

“The only question is whether they would cooperate with a regime like the Zimbabwean government, which is known for its disregard of human rights.”

Magaisa says the statements reflect the potential dilemma WhatsApp faces in balancing between national security and privacy.

“They are obviously trying to balance two interests: one the privacy interest and two their duties to public authorities in their jurisdiction of operation. Their compliance is dependent on what they have which is why the access issue is pertinent. It seems they are saying they have limited access to content which therefore limits the amount of data they can share with public authorities,” Magaisa said.

“Consider the Apple case where that knife-wielding terrorist killed people and law enforcement authorities wanted Apple to help access data in the phone. That’s indicative of what may or may not be done,” he added.

In the United States, cellphone manufacturer Apple has received eleven different requests from federal courts asking it “to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones” while others “involve phones with more extensive encryption, which Apple cannot break” and presumably seek to order Apple to “design new software to let the US government bypass device security protocols and unlock the phones”.

Apple objected to all these requests. Several other tech giants, among them Google, Yahoo and, significantly, WhatsApp’s parent company Facebook, all supported Apple’s stance, despite the wording of their privacy policies and statements appearing to indicate the companies would reveal information.

Take, for example, part of the statement released by Apple after the FBI dropped a case against it:

“We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated.”

While the company re-affirms its commitment to assisting law enforcement, it also attempts to afford users security and privacy.

But that was in the USA and in a matter which involved Apple, and not WhatsApp. In Zimbabwe, it has been the outright reverse, and Facebook has shared user data (including from WhatsApp) with authorities before.

In Zimbabwe, in 2015, Econet Wireless and Steward Bank raided the newsroom of The Source news agency in a bid to establish the source of news articles that related to the two companies. Incredibly, they did so backed by a court order.

Given that WhatsApp indicates that they require a court order to share more intimate user data, the Econet case becomes extremely significant as it gives the clearest indication of how Zimbabwe’s courts would act in a situation where law enforcement agents required a court order to approach WhatsApp.

It is a point echoed by Magaisa.

“That could be indicative of how courts in Zimbabwe might deal with similar cases where courts are involved,” he said.

It is difficult to say for sure what WhatsApp would do in specific instances, if it were approached with a specific request based on repressive laws like the insult laws.

The company itself, in its initial response, avoided giving us an outright answer, choosing instead to send us to its privacy policy and terms, effectively leaving this as a grey area.

However, reports released by Facebook paint a better picture for us and offer a predictive answer to the question.

How WhatsApp / Facebook handled requests for user data in the past

In the United Kingdom, between July 2016 and December 2016, Facebook handed over user data 90 percent of the time when a legal request was made.

Interestingly, despite mass protests organised on social media in 2016, the government’s threats ‘to deal with social media criticism’ and its decision to set up a whole ministry to deal with government criticism online, Zimbabwe did not make a single request for user data from Facebook, WhatsApp or Instagram during the same period.

In its report, Facebook noted the disruption to its services during the nationwide shutdown in July 2016, which saw the government blocking WhatsApp.

However, if the government were to make such a request, it appears it might succeed in getting the information it requires. In the same period (July – December 2016), user data was shared in 50% of the cases in which Zimbabwe’s neighbour South Africa requested it. Two out of three legal requests made by Nigeria were successful.

Although African countries did not make a large number of requests, one aspect of the reports released by the social network giant probably warrants concern.

In the UK, in addition to the 90% of legal requests for user data Facebook complied with, the social network also complied with 80% of non-legal ‘emergency’ requests for user data.

If this is a precedent, then it illustrates how the government could access user data with relative ease.

There is no way to request that your data not be shared with law enforcement, even if they have no legal warrant to access it, and if reports released by Facebook are anything to go by, the company will likely comply with law enforcement most of the time.

The only silver lining, however, is perhaps, as explained earlier, that WhatsApp has end-to-end encryption, so officials from the cyber security ministry will not be able to get or see the exact contents of your messages.

But they will be able to access your user data. For a government that has declared war on dissenting voices online, that may just be all they need to persecute by prosecution.