A yearlong investigation by government privacy watchdogs in Canada and the Netherlands identified major weaknesses in the way the WhatsApp cellphone messaging application handled the personal information of its users.
Many of the problems have since been fixed, but Dutch authorities have yet to decide whether they will attempt to prosecute WhatsApp under Dutch privacy law, the two organizations said in a joint statement on Monday.
WhatsApp allows users to exchange messages like conventional instant messaging software, but rather than use screen names the system identifies users by their phone number. When a user signs up, they upload their cellphone's address book to WhatsApp to discover who among their existing contacts is available via WhatsApp.
That method was one of the things that originally drew the attention of the Office of the Privacy Commissioner of Canada and The Dutch Data Protection Authority.
Their investigation found that after uploading the address book and using the data to match existing users, the WhatsApp servers failed to delete the phone numbers of non-users as required by Canadian and Dutch law.
The app was also initially found to be sending messages in an unencrypted form, which leaves them vulnerable to eavesdropping and interception, particularly when sent over an unsecure Wi-Fi network. WhatsApp added encryption to messages in September 2012.
Finally, the investigation found the app was generating passwords for message exchanges based on things like the phone's IMEI (international mobile equipment identity) or MAC (media access control) address. Both are relatively easy to discover, opening the possibility that a third party could send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened password generation, but users need to update their software to benefit from the change.
WhatsApp, which is based in Silicon Valley, could not immediately be reached for comment.
News of the investigation comes as the issue of mobile app privacy is increasingly coming into the spotlight.
"We want consumers to have confidence in the industry and that means a commitment to protect consumer privacy. Industry has to fill in the gaps or policy makers will do it, possibly in an overly prescriptive way," said Walshe.
(Jennifer Baker in Brussels contributed to this report.)
Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is firstname.lastname@example.org