- WhatsApp is conducting an “audit” of some of the third-party developers with access to its business tools.
- The company is reviewing which companies can access its programming interface used to help send messages from brands and businesses to users.
- While the review is ongoing, some developers and businesses are unable to join WhatsApp’s developer platform or add new clients, while others are unaffected.
- WhatsApp’s API requires developers and brands to go through a hand-picked group of intermediaries, a closed-off structure that has frustrated some developers.
Facebook-owned WhatsApp is reviewing many of the third-party developers that have access to its business tools in the wake of complaints that the company platform hinders independent development.
The messaging app is conducting an “audit” of some of the software partners that offer services to brands to allow them to interact with users on the app, Business Insider has learned.
That, in turn, has slowed onboarding of some new businesses on to WhatsApp — and exacerbated some developers’ frustrations about the model WhatsApp is using to build out its business platform.
With this new audit, WhatsApp is trying to keep a clear understanding of how its tools are being used — and by whom. It comes after repeated scandals involving developers misappropriating data from parent company Facebook in previous years.
WhatsApp has a relatively locked-down developer platform
In August 2018, the company launched an application programming interface, or API — these are the tools that allow businesses and developers to build services that can interact with a company’s platform; they’re how Microsoft Office can save files to Dropbox’s cloud storage, for example, or how Spotify shows users their Facebook friends inside the app.
The WhatsApp Business API enables big businesses to interact with ordinary WhatsApp users in certain ways, like offering chat support for an online store, or notifications about an airline’s flight a user is booked on.
But unlike many other APIs, most businesses and developers can’t plug directly into WhatsApp’s. Instead, it has a relatively closed-off-structure that has frustrated some developers.
So, here’s where it gets a bit more technical:
With Facebook’s Graph API, a brand can (once approved, and with the right technical know-how) plug straight in, if they choose not to work with an intermediary that has already built tools on top of the API. Similarly, any developer can apply to go through a vetting process to build tools on top of it to then offer to brands.
But on WhatsApp’s Business API, access is limited to a relatively small group of developers — a pool of 65 companies WhatsApp refers to as Business Solution Providers, or BSPs — that then act as intermediaries for everyone else.
That means that brands that want to message customers via the WhatsApp Business API have to contract with one of the BSPs. (There are around 100 brands thatdohave direct API access, a WhatsApp spokesperson said, but this is no longer available to new brands. Small businesses are also able to download the free-to-use WhatsApp Business app, but this doesn’t offer all the same functionality as the API does.)
Most of those BSPs offer interfaces and pre-built tools that brands can use to send messages of varying types to users — instead of direct access to an API that further software tools could be built on top of. As a result, developers who want to build their own products on top of the API, but haven’t been selected as a BSP, have to go through one of a small subset of the BSPs who offer such access, including Twilio, Zendesk Conversations, or Sinch.
It’s a model that has irked some third-party developers, who are forced to deal with third parties that inevitably charge additional fees, rather than just interacting with WhatsApp directly.
A WhatsApp spokesperson said its two-year-old API program is still relatively young, and that its BSPs’ experience helps them onboard brands more efficiently. He said WhatsApp might explore other options in future, but did not commit to any specific plans.
The messaging app is auditing some third-party developers
It’s these grumbling third-party developers — also referred to as Independent Software Vendors, or ISVs — that are the subjects of the new WhatsApp audit.
WhatsApp said the review is taking place so it has more information on hand about who is using the API, and in what ways, as the program continues to expand. ISVs are being “required to to submit to WhatsApp Compliance validation and to sign additional ISV terms with WhatsApp before onboarding resumes,” one BSP said.
It’s a process that, in theory, will allow WhatsApp to keep closer tabs on whats going on on its platform, and avoid repeating the mistakes that resulted from Facebook’s historically laissez-faire approach to APIs and data-sharing. A spokesperson said that there’s no indication that any of the developers have engaged in malicious behaviour using the WhatsApp Business API.
The review began in mid-July, and while it takes place, ISVs can’t onboard any new clients into the products they’ve built on the API, essentially pausing their business growth. And similarly, intermediary BSPs are unable to add any new third-party developers until the process is finished, meaning new developers are, for now, without any access to WhatsApp’s API.
In documentation, Twilio described the review process as an “audit,” though a WhatsApp spokesperson disputed that characterization. It is expected to last weeks, with Twilio saying it is pausing new ISV onboarding until October 2020.
BSPs are able to continue to add new user-facing brands without any issues.
There are currently thousands of user-facing brands utilizing the API via BSPs, said the spokesperson. They could not say how many ISVs currently have access.
Facebook has historically struggled with developers abusing user data
Parent company Facebook has repeatedly struggled with developers misusing its platform and programming interfaces in the past, and has tightened up its security restrictions in recent years.
Cambridge Analytica was able to misappropriate tens of millions of users’ sensitive data by simply buying it off a developer who had extracted it using Facebook’s tools. It’s a scandal that ultimately resulted in Facebook being hit with a record-breaking $5 billion fine by the US Federal Trade Commission (FTC).
And more recently, marketing firm Hyp3r was able to harvest millions of Instagram users’ data in 2019 by taking advantage of lax oversight and security flaws in the company’s systems, as Business Insider first reported in August 2019.
Are you a developer who uses Facebook’s platform?Contact Business Insider reporter Rob Price via encrypted messaging app Signal (+1 650-636-6268), encrypted email (email@example.com), standard email (firstname.lastname@example.org),Telegram/Wickr/WeChat (robaeprice), or Twitter DM (@robaeprice).We can keep sources anonymous. Use a non-work device to reach out. PR pitches by standard email only, please