16 comments

[ 0.25 ms ] story [ 40.8 ms ] thread
Apparently, the phone numbers only get indexed if a website owner includes a "Click to Chat" widget on their website - effectively publishing the number anyway. The only difference is that "Click to chat" only displays a QR code which visitors scan. They are then redirected to the WhatsApp chat of the website owner, where the number is public anyway.

Maybe WhatsApp should make clear that the "Click to chat" widget allows anyone to see your phone number. But I don't really see any other mistake on their part.

It's definitely a mistake of WhatsApp to expose the number in clear text in the URL.

Private user data, personal identifiers or contact details should never be used as the primary key publicly. A meaningless surrogate key should be used.

If people then want to go thru and scan the QR code or whatever to contact them and gain access to the phone number, that's fine, but it absolutely shouldn't be exposed where Google is indexing it unless there was a specific intent and agreement -- on the part of both those users & WhatsApp -- that they wanted their phone number published & indexed on Google.

Because explicit permission comes first. Both morally, and for GDPR

I wasn’t aware of the click to chat function, so I checked it out. On the Whatsapp website it gives clear instructions on how to place the link on your website. It’s a hyperlink that couldn’t be more obvious that your Whatsapp number is in clear text (and will show if you hover over the link, even if it isn’t visible as such). So on the face of it you are publishing your own personal information to the web, it’s obvious it will be visible to search bots, and there is no GDPR issue assuming you are using your own number.

The article and Many comments refer to a QR code/widget. This does not appear to be provided by Whatsapp – there was nothing came up on the Whatsapp website and search results were all for third party services. The article also notes that you have to go to a third party for the QR code. I just quickly made a QR code for my Whatsapp and there was no alt text for the image or other metadata. So if there is a data processing issue then it is with the individual’s use of whichever service they pick.

But underlying both these things are two questions: first, unless the link is being embedded in a user comment on someone else’s website, then the individual using the link or widget is putting it on a website they control. As webmaster (or at least content contributor), they have to take responsibility for the code. As you mention GDPR, then that person is also legally responsible for what PI they publish there, so if they put someone else’s PI (knowingly or not) then they are the one that is potentially in breach.

This leads to another question, which is what proportion of people are using this in an individual capacity (i.e. it is their personal number) and how much is for business use? I suspect the majority is for business use, and in that case then why would you be hiding your contact number? The article talks about identity fraud, but if you’re a business then all the information cited should be public domain anyway, and discoverable. And similarly from a legal perspective, posting a contact link that is obscured could be contrary to the Disability Discrimination Act.

I wouldn’t generally defend WA or any part of the social media commercialisation of privacy, but as many others have said, I don’t believe this is a Whatsapp issue. If there are genuine cases where private information is being leaked, then it points to people either lacking competence or failing to take responsibility for their own actions.

In fact, Click to Chat links are not QR codes but URLs that are manually constructed from a phone number.

https://faq.whatsapp.com/general/chats/how-to-use-click-to-c...

Of course, you can generate a QR code from this URL using third-party tools, which I think is what's happening here.

Click to Chat's stated purpose is to allow you to chat to someone whose phone number you know, but you don't want to add them to your address book.

Clearly, some people are using it for a different purpose – to make it easier for other people to send them WhatsApp message.

Maybe WhatsApp should be clearer about the dangers of sharing a URL containing your phone number, but it seems like a useful feature when used for their intended purpose.

You can just check if someone has WhatsApp by going to wa.me/+(countrycode)(number)
From the article:

  “My phone number is public on the web. No need to implicate WhatsApp,” 
  one user told Threatpost, explaining that Click to Chat was convenient 
  and made it easy for his site visitors. “I did it to make it easy for 
  people to contact me. Surprisingly, I get very few spam calls,” he said.

  However, others were unaware their numbers were public.

  “No I didn’t mean to make my number public at all,” one user told 
  Threatpost. “I set up WhatsApp for my business so people should 
  text directly without getting my number.”
I think this illustrates the underlying problem nicely, which is imho that people misunderstand how the "Click to chat" button works.
As a tangential aside, please don't use code blocks to make "quotes", they're practically unusable on mobile devices. Code blocks don't get automatic wrapping and you have to scroll back and forth for each line.
I mean they could have used at least some kind of ID or hash instead of the actual number for the URL.
It doesn't matter much because once you are in whatsapp the primary key is the phone number.

It would be really nice if you could share a revocable identifier that could be used instead of a phone number, but I guess this would require a lot more code changes.

And a big benefit of a phone number is that if I want to contact the same person on Snapchat, or some other service, I can.

Per service identifiers just build walled gardens and in the end hurt users.

Phone numbers are the perfect identifier because the default is 1 per person, but you can easily get a few more if you want to be anonymous, split business from home, have two personalities, etc.

I'm not arguing that using phone numbers doesn't have benefits. I'm just saying that WhatsApp intrinsically shares your number so obfuscating the URL will provide little benefit.

At the end of the day if you want to allow people to contact you without sharing your number you would need something like that I proposed. And in that case you would explicitly be trying to isolate from your other contact methods so your "benefits" become drawbacks.

Well that’s fine to show the number within WhatsApp but using the number in a widget is just asking for crawlers to get it.