Regulators in Canada and the Netherlands said that a joint investigation had found messaging app WhatsApp had privacy issues, acknowledging that the company behind it had made and committed to changes to better protect user information.

A probe by the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority noted that apart from owners of iOS6 devices, WhatsApp users do not have a choice of using the app without granting access to their phone address book.

Because the address book contains data of both WhatsApp users and other subscribers, this is in breach of Canadian and Dutch privacy laws.

“Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp,” said Jacob Kohnstamm, chairman of the Dutch Data Protection Authority.

While WhatsApp has taken steps to improve its position, it was noted that there are “outstanding issues” which have not been fully addressed.

This includes the fact that WhatsApp retains the numbers of non-users, albeit in a hashed form, when searching an address book to populate its own contact list – Canadian and Dutch privacy law states that this data can only be held “for so long as it is required for the fulfilment of an identification purpose”.

It also said that at the time of the investigation, messages sent using WhatsApp’s messenger service were unencrypted, although “in September 2012, in partial response to our investigation, WhatsApp introduced encryption to its mobile messaging service”.

It was also noted that WhatsApp was generating passwords for message exchanges using device info that can “be relatively easily exposed”. WhatsApp has subsequently strengthened its authentication process, using a randomly generated key rather than ones based on a device MAC or IMEI number.