Overview

This within proposed right to privacy multi-jurisdictional class proceeding arises from the Defendants’, META PLATFORMS, INC. (“Meta”), WHATSAPP LLC (“WhatsApp”), and FACEBOOK CANADA LTD. (“Facebook”), unlawful access, storage, reading, and/or viewing of the Plaintiff’s and putative class members’ (collectively, the “users,” unless otherwise specified) private and encrypted communications transmitted through the WhatsApp Messenger platform (“WhatsApp Messenger”), including by their respective employees, and by permitting third parties, namely the Defendants, ACCENTURE PLC and ACCENTURE INC., (collectively, “Accenture”) to access, store, read and/or view such communications, all without the users’ knowledge and/or consent and contrary to WhatsApp’s express and/or implied representations that such communications are private and end-to-end encrypted.

In light of WhatsApp’s express and/or implied representations regarding privacy, users reasonably believed that their communications on WhatsApp Messenger were secure and would not be accessed, stored, read, and/or viewed by Meta, Facebook, their employees, or any third parties, including Accenture, other than intended recipients.

Notwithstanding users’ reasonable expectations of privacy, Meta, WhatsApp, and/or Facebook, without the users’ knowledge and/or consent, accessed, stored, read, and/or viewed users’ private communications transmitted through WhatsApp Messenger and permitted Accenture and other third parties to do the same, all of which was done for financial or commercial purposes.

Unbeknownst to users, Meta, WhatsApp, and/or Facebook, its employees, and third-party contractors, including Accenture, had broad access to the substance of such private communications, including, inter alia, the ability to review historical message content, notwithstanding representations that such content was encrypted and inaccessible. Meta, WhatsApp, and/or Facebook knew, or ought to have known, that these practices were inconsistent with WhatsApp’s privacy representations, and failed to disclose them to users.

Meta, WhatsApp, and/or Facebook’s unlawful access, storage, reading, and/or viewing of users’ private communications on WhatsApp Messenger, and sharing of such communications with Accenture, without their knowledge and/or consent, contravene applicable federal and provincial privacy statutes.

As a result of the Defendants’ unlawful and/or deceptive conduct, users have suffered harm, loss, and/or damages.

The action is brought by the Plaintiff on his own behalf and all other persons and legal entities resident in Canada who, between April 5, 2016 and up to the date of certification of this proceeding, sent or received communications via the WhatsApp messaging platform, or such other class definition or class period as the Court may ultimately decide on the application for certification (the “Class” or “Class Members”, unless otherwise specified).

Factual Allegations

i. Users send communications on WhatsApp Messenger

As averred to herein, WhatsApp operates WhatsApp Messenger, a mobile and desktop application on which users can send messages.

Users download WhatsApp Messenger from the Google Play Store, Apple App Store, or Microsoft Store to their mobile devices, or onto their computer desktop, and can create an account by accepting the WhatsApp’s Terms of Service and Privacy Policy and by providing a cell phone number and a profile name.

Once a user has created his or her profile, he or she is able to send written messages to other individuals on their mobile device as well as voice messages. Users may also make voice and/or video calls using the application.

Users may also transmit photographs and documents via messages on WhatsApp Messenger.

ii. WhatsApp’s Terms of Service promise users that their communications are private and end-to-end encrypted

In order to create a user profile and use WhatsApp Messenger, users are required to agree to WhatsApp’s Terms of Service and incorporated Privacy Policy.

By accepting WhatsApp’s Terms of Service and Privacy Policy, users enter into an express and/or implied contract with WhatsApp governing the parties’ respective rights, responsibilities, and obligations, including, inter alia, with respect to users’ private communications on WhatsApp Messenger.

In exchange, users confer a valuable benefit on WhatsApp, including by agreeing to use WhatsApp Messenger and permitting the collection of metadata, usage and log information, and device and connection information, including IP addresses. WhatsApp, in turn, agrees to comply with the promises set out in its Terms of Service and Privacy Policy.

The Terms of Service and Privacy Policy are made available to users upon downloading WhatsApp Messenger and are accessible on WhatsApp’s website.

WhatsApp’s Terms of Service begin with a section entitled “Privacy and Security Principles,” in which it represents that WhatsApp Messenger has been built with strong privacy and security principles in mind.

WhatsApp’s Privacy Policy represents that it does not retain users’ private communications in the ordinary course of providing its services, and that such communications are stored on users’ devices rather than on WhatsApp’s servers and are deleted from servers once delivered.

The Privacy Policy further represents that WhatsApp offers end-to-end encryption, such that users’ private communications are encrypted to protect against access or reading by WhatsApp, Meta, or third parties.

At no material time did WhatsApp and/or Meta disclose to users that WhatsApp, Meta, their employees, and/or third-party contractors, including Accenture, could access, store, read, review, or otherwise obtain the content of users’ private communications transmitted through WhatsApp Messenger.

Notwithstanding the foregoing representations, and contrary to WhatsApp’s express and/or implied assurances of privacy, Meta and WhatsApp, have, in fact, accessed, stored, read, viewed and/or disclosed the contents of users’ private communications on WhatsApp Messenger, including to Meta, their employees, Accenture contractors, and/or other third parties.

iii. Meta markets WhatsApp Messenger as a secure platform where users may send private messages

Since its inception in 2009, WhatsApp has marketed and represented WhatsApp Messenger as a secure platform through which users can send entirely private communications, free from third-party access and data exploitation. Following its acquisition of WhatsApp in 2014, Meta adopted and continued these representations.

At all material times to the cause of action herein, Meta and WhatsApp have consistently marketed WhatsApp Messenger as a private and secure messaging platform and have repeatedly assured users that no one, including Meta and WhatsApp themselves, can access or read users’ private communications sent on the platform.

At all material times to the cause of action herein, WhatsApp prominently represented on its website and related materials that communications on WhatsApp Messenger are private and secure, including, inter alia, by emphasizing the implementation and use of end-to-end encryption as a safeguard against access by WhatsApp, Meta, or third parties.

These representations were made in multiple prominent locations, including, inter alia, WhatsApp’s Privacy Policy, Frequently Asked Questions, Safety and Security materials, Help Centre, and dedicated pages explaining end-to-end encryption.

In addition, whenever a user initiates a new chat on WhatsApp Messenger, the platform displays a notice stating that messages are protected by end-to-end encryption and that only the intended recipients can read or listen to such communications.

WhatsApp further represents that end-to-end encryption applies to, inter alia, text and voice messages, audio and video calls, photos, videos, documents, location sharing, and status updates.

iv. Unbeknownst to users, the Defendants had access to users’ communications

End-to-end encryption is a means of securing digital communications whereby data is encrypted on a sender’s device and is only decrypted once it reaches the recipient’s device. The use of this method of transmission, in theory, means that while a sender’s encrypted communication may pass through a service provider’s servers on way to the intended recipient, the communication is unreadable to everyone but the intended recipient because only the sender and recipient have the necessary “key” to unlock the communication on their respective devices.

After Meta acquired WhatsApp in 2014, WhatsApp partnered with Open Whisper Systems, which was dissolved and rolled into Signal Technology Foundation (“Signal”), to integrate the Signal Protocol, which is an end-to-end encryption cryptographic protocol, into WhatsApp Messenger. The integration of the Signal Protocol onto WhatsApp Messenger was completed by April 5, 2016.

By representing that the Signal Protocol has been integrated into WhatsApp Messenger, WhatsApp represented that the contents of users’ private communications (although not other metadata associated with communications sent on WhatsApp Messenger, such as information about who sent the communication, when the communication was sent, and where the communication was sent from) are undiscoverable by non-recipients of such communications.

Contrary to these representations, the Defendants, including their employees and third-party contractors, had access to the contents of users’ private communications transmitted through WhatsApp.  

Signal offers its own messaging platform and uses open-source code, which means it makes its source code available to the public for inspection. This promotes transparency and allows security checks by any member of the public, including security analysts and researchers, who may review the source code and confirm that there is no backdoor to its end-to-end encryption.

Rather than following this transparent approach, Meta and/or WhatsApp hides its encryption source code in a black box. WhatsApp Messenger’s closed source code is not available to the public, so independent third parties are unable to confirm that the platform functions without a backdoor in the end-to-end encryption, which would permit non-recipients to access users’ private communications. Researchers who have attempted to reverse engineer WhatsApp’s source code with the limited information that is publicly available have been unable to confirm there is no backdoor in the end-to-end encryption but have identified that WhatsApp’s code deviates from Signals’ source code.

In particular, certain Meta and/or WhatsApp employees and approved third-party contractors were able to access and review users’ communications through internal tools and systems, including dashboard interfaces through which message content could be viewed.

This access extended to communications that had been flagged for review, including for fraud, policy enforcement, or other internal purposes, and permitted employees and contractors to review the substance of users’ communications.

At all material times to the cause of action herein, Accenture personnel were engaged by Meta and/or WhatsApp to perform content review and related services, which involved accessing and reviewing users’ private communications through internal systems.

Accenture personnel were assigned to investigate suspected fraud and related activity on Meta platforms, specifically Facebook Marketplace, an online marketplace, owned and operated by Meta. In the course of such work, Accenture contractors were provided access to user communications, including, inter alia, messages transmitted through WhatsApp Messenger, via internal systems and platforms maintained by Meta. Where communications were flagged for review, multiple messages, along with associated user identifiers and profile information, were made available to such personnel for review through internal interfaces.

Further, Accenture personnel and management regularly communicated with Meta and/or WhatsApp personnel regarding the results of such reviews, including through periodic reporting and meetings concerning user communications accessed and analyzed in the course of these investigations.

Such access was not disclosed to users and was inconsistent with WhatsApp’s representations that communications on WhatsApp Messenger were private and inaccessible to any party other than intended recipients.

Recent investigative reporting and whistleblower accounts have confirmed that Meta employees and third-party contractors, including those employed by Accenture, had broad access to the substance of users’ private communications, including the ability to review historical messages.

According to whistleblower accounts reported to United States government investigators, employees of Meta and WhatsApp and third-party contractors employed by Accenture are able to access the contents of users’ messages, contrary to the privacy representations made by the company.

These reports further indicate that such access was more extensive than disclosed by Meta and WhatsApp and directly contradicts WhatsApp’s representations regarding end-to-end encryption and users’ privacy.

As a result, users’ private communications were accessible to the Defendants and their agents in a manner that was inconsistent with, and contrary to, WhatsApp’s express and/or implied representations that WhatsApp Messenger is a secure platform where users may send private messages.

v. Users did not consent to sharing of their private communications without consent

At no material time to the cause of action herein, did the Defendants obtain users’ consent to the access, storage, reading, and/or viewing of the contents of private communications transmitted through WhatsApp Messenger by Meta, WhatsApp, their employees, and/or sharing of such communications with contractors and/or third parties, including Accenture.

On the contrary, WhatsApp’s Privacy Policy represents that it does not retain users’ private communications in the ordinary course of providing its services, and that such messages are stored on users’ devices rather than on WhatsApp’s servers.

The Privacy Policy further represents that once messages are delivered, they are deleted from WhatsApp’s servers.

At no material time to the cause of action herein, did WhatsApp disclose that it, Meta, and their employees, contractors, including Accenture, and/or other third parties could access, store, read, view or otherwise obtain the contents of users’ private communications. Instead, WhatsApp discloses only narrow and limited exceptions, such as where a user reports a message or conversation.

Similarly, WhatsApp states that where a user communicates with a business, the business may provide third-party service providers access to such communications to process them on the business’s behalf. This limited disclosure does not inform users that WhatsApp, Meta, their employees, or third-party contractors, including Accenture, may access users’ communications outside of such narrow circumstances.

WhatsApp further states that undelivered messages may be stored in encrypted form on its servers for a limited period while delivery is attempted, and that such messages are deleted after a specified period. This limited disclosure does not inform users that their private communications may be accessed, read, viewed or otherwise obtained by the Defendants or their agents.

WhatsApp also states that certain media may be temporarily stored in encrypted form to facilitate forwarding. This limited disclosure does not inform users that the contents of communications may be accessed, read, or viewed by the Defendants, their employees, or third parties.

Accordingly, WhatsApp and Meta knowingly and willfully permitted themselves, their respective employees, Accenture contractors and/or third parties to view the contents of users’ private communications on WhatsApp Messenger without their knowledge and/or consent.

vi. Users had a reasonable expectation that their communications are private and end-to-end encrypted

Users had a reasonable expectation of privacy in the communications they transmitted through WhatsApp, grounded in applicable privacy law, as well as WhatsApp’s express and/or implied contractual terms and representations. This expectation included that WhatsApp, Meta, their employees, contractors, including Accenture, and/or other third parties would not access,  store, read or view the contents of such communications.

Users did not have a reasonable opportunity to discover Defendants’ unlawful and unauthorized access, storage, reading or viewing of their private communications, as the Defendants failed to disclose such practices and did not obtain users’ consent.

The Defendants knew, or ought to have known, that users would reasonably expect their communications on WhatsApp Messenger to remain private, particularly in light of WhatsApp’s consistent marketing and representations that such communications are secure and inaccessible to anyone other than intended recipients. The Defendants exploited users private communications and data for monetary purposes.