News outlets covered the story, with some encouraging users to stop using the service in favour of other encrypted messaging platforms such as the not-for-profit app Signal. Since the announcement, the popularity of Signal and another messaging app, Telegram, has soared. Most of the concerns stem from fears that WhatsApp shares user information with its parent company, Facebook. Because of its popularity, WhatsApp has also been subjected to various attacks and scams.
In most organisations the risks of using WhatsApp are unchanged – it is more likely that an organisation’s employees rely on WhatsApp for business communications but the business is unaware, or that communications are going unrecorded. These are more pressing issues than the sharing of information with Facebook.
WhatsApp denies that the changes impact user security and has reaffirmed its security stance. The firm published new guidance reassuring users that it does not keep logs of messages or calls, does not share contact or location data with Facebook, and that messages and groups remain private.
The updated privacy notice is, however, seeking permission for data to be transferred in a way which might not be anticipated by individuals, nor welcomed by corporates.
Business users of WhatsApp are provided an option to use secure hosting services from Facebook to manage interactions with customers. In these instances where customers are communicating with businesses using WhatsApp, businesses can see what customers are saying and will use this information for marketing purposes. WhatsApp emphasised that these kinds of interactions will be clearly labelled. WhatsApp also integrates with some services on Facebook, such as Facebook “Shops”. Facebook can provide businesses an option for customers to communicate with them via WhatsApp. In these instances, information about customers is also shared with Facebook to personalise marketing.
How does WhatsApp compare to other messaging apps?
The media frenzy around the issue has reignited the debate around the security and privacy of the various encrypted messaging apps available to users. Each of these apps has different security, data-collection and data-sharing practices.
For example, WhatsApp collects more data, which it ties to users’ identities, than rival apps Signal and Telegram. This in itself does not affect the security of the systems, but has led to concerns about the purposes and use of the data.
Signal is also “open source”, meaning that its code base is more open to scrutiny than WhatsApp’s and therefore vulnerabilities are likely to be found more quickly. Perhaps the biggest concern for many is that WhatsApp is owned by Facebook, which has been caught up in data-sharing and privacy scandals in the past. This is a question of users’ trust rather than any evidence that WhatsApp is less secure.
Which messaging app should we use?
Lockdown has seen many individuals communicating in the way in which they find easiest – this applies equally in a personal and a business context. Consequently, the lines between business and personal use may have blurred. WhatsApp – especially given its ease of interface and ability to set up group chats – has increasingly become the communication channel of choice, and until now, little thought may have been given to whether it is appropriate to link a WhatsApp account to a work phone account.
For the individual, good cyber and data hygiene ultimately requires the right behaviour and an awareness of how their data assets are being used and of their potential exposure; for the corporate body, good cyber and data hygiene requires deployment of an appropriately secure environment and the processing of data in accordance with the established data protection principles.
Data assets should at all times be treated with care and particular attention should be given to the security of those assets and who has access to them.
The revised notice should provide cause for individuals and businesses to consider whether the new rights to the flow and control of data afforded to Facebook are welcome and/or align with wider business objectives.
The choice of messaging app for businesses or individuals does not have a straightforward, one-size-fits-all answer. All apps and software have the potential for vulnerabilities and abuse which make them potential security risks, and there is no such thing as perfect security. Users should take a risk-based approach to the use of apps in their personal and business roles. There is also the balance between convenience and security to consider. WhatsApp is used by over two billion people and is therefore an easy way to communicate with many other people. Using less well-known apps has the potential to confuse users or, worse still, make them use less secure methods to communicate sensitive information.
Business users can also consider “closed” and commercial secure messaging apps, which are private and can be managed by businesses in contrast to “open” platforms such as WhatsApp, Signal and Telegram. The key benefit of managed, closed apps is that operators can apply and enforce user verification and usage policies, so businesses can help ensure that the platforms are only used for necessary business purposes, for example.
As many businesses make use of WhatsApp, we have provided some practical guidance and considerations for managing security below.
WhatsApp is not the only messaging application in use across organisations
Messaging applications are an area where it is difficult to prevent necessity standing in the way of good policy. Overseas travel, projects outside of the office and/or non-standard circumstances drive the use of WhatsApp or other applications, as they are a free and easy method of immediate communication and collaboration. Any mandated replacement also needs to meet these requirements.
We recommend that organisations have a formal messaging policy in place that sets out the types of information that should not be sent via these channels.
Regulatory Requirements and Filing
A major risk of messaging platforms is that they are often outside of the formal record keeping process for electronic content. This can result in incomplete record keeping and a breach of regulatory obligations.
It is also worth considering that usage of WhatsApp for business purposes, even on personal devices, may bring the contents of messages into disclosure during legal proceedings.
Reliance on WhatsApp
The main risk of WhatsApp usage is an over-reliance on it in business processes. Is there a WhatsApp group to organise when staff will work? One to keep the team informed of news and updates? These use cases exist in most organisations and form part of ‘shadow’ processes, providing the communications that keep organisations moving without being formally recognised.
A move to another application over WhatsApp will not end this reliance. We recommend that organisations review where messaging is critical to business process and staff engagement. It is also important to provide a managed alternative or backup mechanism of communication, such as telephone contact details which are maintained centrally, not just in the latest WhatsApp group.