Privacy commissioner Jennifer Stoddart says the mobile chat app WhatsApp violated Canadian privacy law and needs to be updated to comply with all her concerns.
Her office teamed up with the Dutch Data Protection Authority to investigate how users' personal information was potentially being mishandled by the California-based mobile app developer.
WhatsApp, a multi-platform application that offers instant chatting similar to Research in Motion's popular BlackBerry Messenger, was found to be violating Canadian and Dutch privacy laws for its policies dealing with the retention, safeguarding, and disclosure of personal data.
Investigators found messages were being transmitted unencrypted, which left them vulnerable to being intercepted by hackers, particularly on public WiFi hotspots.
The company did begin encrypting messages in September in response to the privacy agencies.
But Ms. Stoddart says WhatsApp still has work to do to resolve all its identified issues.
She was unhappy that users were not getting adequate disclosure about how their status messages could be seen by people not on their contact list. The company says it will address the complaint in a new release expected in the fall.
The investigation also found WhatsApp was retaining phone numbers indefinitely, contrary to Dutch and Canadian privacy law.
When a user begins using WhatsApp, they are prompted to submit the contents of their address book to the app maker to help connect with their friends and family.
Only users with the latest version of the iPhone iOS6 operating system have the option to manually add users to their contact list rather than sending their entire address book to the company.
Although the company claimed to anonymize the phone numbers it collects and stores, the privacy agencies were not satisfied that the phone numbers of non-users weren't being deleted.