As users of Twitter and other social media platforms have started making memes of Facebook founder and CEO Mark Zuckerberg facing the US Senate, Facebook-owned WhatsApp, accused of sending payment based info of users to third parties including Facebook, has now clarified that the company is not sharing its payment based info with Facebook.
This might settle down the latest payments data controversy pertaining to Facebook-WhatsApp, however, during the recent US Senate hearing, Mark Zuckerberg sparked another controversy, as he revealed, “For security reasons, Facebook also collects data of people who have not signed up for Facebook.”
WhatsApp Does Not Store Or Share UPI PIN Or Other Payments Info With Facebook: WhatsApp
Clarifying that “Facebook does not use WhatsApp’s payment information for commercial purposes”, WhatsApp in an FAQ stated, “When you make a payment, WhatsApp creates the necessary connection between the sender and recipient of the payment, using Facebook infrastructure. We pass the transaction information to the bank partner, which is called a PSP (payment service provider), and to the NPCI (National Payment Corporation of India), so they can facilitate the movement of funds between the sender’s and receiver’s bank accounts.”
Further, iterating the fact that Whatsapp is safe for payments, the clarification also said that, “ In some cases, we may share limited data to help provide customer support to you or keep payments safe and secure.”
Previously, Paytm had accused WhatsApp of evading the NPCI guidelines such as skipping the 2-layer authentication. The high dudgeon was further fuelled by WhatsApp’s terms and conditions which stated that it also shared users UPI PIN and payment amount.
The policy statement read, “To provide Payments to you, we share information with third-party services including PSPs, such as your mobile phone number, registration information, device identifiers, VPAs (virtual payments addresses), the sender’s UPI PIN and payment amount.”
However, in its FAQ, WhatsApp has averred that when a user makes a payment, WhatsApp sends the encrypted UPI PIN to its bank partners, which are called payment service providers. However, WhatsApp cannot see and does not store the UPI PIN, which is encrypted by a software provided by the National Payment Corporation of India. Nor does WhatsApp store other sensitive payment information such as user’s one-time password (OTP), account number or full debit card details.
VC and Managing Partner of Prime Venture Partners, Sanjay Swamy in his blog opined, “While these could theoretically be combined to imagine the worst – I wanted to point out a few key features of the UPI platform that make this impossible by design. For instance, neither WhatsApp nor any other UPI Payment appease users’ UPI PIN. As such, there is no question of their sharing your UPI PIN with anybody.”
“The UPI architecture has a common library that is issued by NPCI to all application developers through a sponsor bank. All sensitive data (the last six digits of an ATM card, PIN and the UPI PIN) are only entered inside this library. All UPI apps have to go through extensive testing and certification – not to mention legal contracts – before they can go live. Also no payments application platform, for instance, WhatsApp, Paytm, iMOBILE, BHIM, Hike or anything, in the future has access to the any of the data entered inside the NPCI library,” explained Swamy.
There is still no clarity over when WhatsApp, which is running its UPI-based payments solution in beta mode and hence limited to only 1 Mn users, would make it available to all the Indian users. On its platform, it says, “We’re beta testing the payments feature for a limited number of users in India. At this time, we don’t have any updates for making the feature more widely available.”
Unlike Facebook, WhatsApp does not run ads and is a peer-to-peer encrypted platform; hence, the latter is taken in high regards in comparison to its parent organisation Facebook.
Meanwhile, the RBI and the Indian Central Bank has made it mandatory for payments firms to store all the payments related data in India only. On Supreme Court’s direction, the government had also promised to introduce a data protection and privacy act.
Facebook Collects Non-Users’ Data Too: Mark Zuckerberg
While the concerns over the security of WhatsApp’s payment based data appear to be settling down, Facebook’s scenario is different – too deep to settle down.
During the US Senate hearing, although Facebook’s founder, chairman and CEO started with “Facebook is an idealistic and optimistic company”, he soon proceeded with issuing an apology, “We didn’t take a broad enough view of our responsibility, and that was a big mistake. And it was my mistake. And I’m sorry. I started Facebook, I run it and I’m responsible for what happens here.”
However, Zuckerberg while responding to US Representative Ben Luján sparked another controversy as he revealed, “For security reasons, Facebook also collects data of people who have not signed up for Facebook.”
While Luján responded, “We’ve got to fix that,” this immediately rocked the users the world over, as legal experts averred, “Facebook has got no right to collect those users’ data who haven’t signed and agreed to share information with Facebook.”
In a response to Reuters, Facebook, however, clarified that “This kind of data collection is fundamental to how the Internet works.”
Earlier, Chairman of the US Committee Charles Grassley who presided at the hearing of Zuckerberg’s case suspected a breach trust might occur at other platforms too. Grassley stated, “Significant data collection is also occurring at Google, Twitter, Apple and Amazon. And even — an ever-expanding portfolio of products and services offered by these companies grant endless opportunities to collect an increasing amount of information on their customers.”
On the Facebook data breach issue, the German court has already ruled that Facebook has violated the country’s data protection law by insisting users provide their real names and their location, etc. The EU’s new GDPR will make it tough for Facebook to extract non-users’ info even for the sake of “security purposes”.
Citing some “major elections in India, Brazil, Mexico, Pakistan, Hungary coming up”, Zuckerberg asserted before the US Senate that “we’re going to take a number of measures, from building and deploying new AI tools that take down fake news, to growing our security team to more than 20,000 people, so that we verify every advertiser who’s doing political and issue ads, to make sure that such interference that the Russians were able to gave in 2016 is going to be much harder for anyone to pull off in the future.”
Marking this as “too little” for a platform which has 2 Bn users, another Senator Thune stated, “The recent revelation that malicious actors were able to utilise Facebook’s default privacy settings to match email addresses and phone numbers found on the so-called Dark Web to public Facebook profiles potentially affecting all Facebook users only adds fuel to the fire.
What binds these incidents is that they don’t appear to be caused by the kind of negligence that allows typical data breaches to happen. Instead, they both appear to be the result of people exploiting the very tools that you created to manipulate users’ information.”
Accusing Facebook which is simply a social media platform for all the data wars, breach and trust will be shifting the goal post. There are a number of companies and other platforms and apps which are intentionally involved in data transfers without even taking their users’ consent for the same. Right from Indian PM NaMo App to Congress’ android, data until recently were purportedly being transferred to third parties such as US-based CleverTap.
In a chat with Inc42, French Security Advisor Batiste Robert alias Elliot Alderson who exposed this on Twitter stated that NaMo App sharing data with the third party without users’ consent was clearly a violation of Google Play’s terms and conditions. Citing an example he said, “UC Browser was removed from the play store for a few months as it violated Google Play’s terms and conditions.”
In the age of dart net where the data of millions of users are available for sale, Wikileaks and Panama leaks, can someone even think of keeping their data private and secure?