Many organisations rely on secure messaging for protection from cyber attacks and other threats online.
Secure messaging has been in the news lately for all of the wrong reasons, thanks in large part to Waymo, an autonomous car development company spun out of Google. Late in 2017, Waymo shined a spotlight on the secure messaging industry when it publicly accused former employees, now working for Uber, of inappropriately using Wickr and other ephemeral messaging apps due to their support for disappearing text messages.
The plaintiff’s argument was that messaging apps were used to secretly discuss trade secrets that were illegally taken from Waymo. Whether the theory presented by Google’s former self-driving counsel was accurate or not would be impossible to prove. The transactional and contextual history of any messages communicated via the secure messaging apps utilized by Uber are essentially untraceable, and therefore impossible to present in court.
The bad press didn’t stop there. In late February, Senate Democrats publicly accused House Republicans of leaking Senator Mark Warner’s (D-VA) private text messages that were sent using an undisclosed secure messaging app. Fox News eventually aired the confidential messages, which drew bi-partisan backlash. That same month, the cloud-based messaging service Telegram announced a $2 billion initial coin offering (ICO) to develop a secure messaging platform using blockchain. The Russia-based company is highly controversial, as it is widely recognized for being the communications medium utilized by ISIS and other terrorist groups. Needless to say, the ICO was met with both widespread media criticism and skepticism.
Uber and Waymo have since settled out of court, and the US Senate leak and Telegram ICO have largely faded from the news cycle. However, the misconceptions about the use and legality of ephemeral messaging are certainly stirring.
Why Businesses Rely on Secure Messaging
The legality of secure messaging aside, it’s important to first understand why so many businesses, especially those in healthcare, energy, government and financial services, have started using ephemeral communications in the first place. Here are some of the most common use cases:
Phishing Mitigation: Secure messaging provides a unique, yet proven solution to mitigate risk by taking communications outside of where they are most vulnerable – email and SMS text. Although email is the most commonly used tool for business communication today, it is highly vulnerable to cyberattack. This knowledge, along with the need for rapid response, has caused many workers to reduce their reliance on email altogether, instead choosing to utilize SMS texting for its additional ease-of-use and simplicity. SMS texts however are not secure and are at risk of SMS phishing (smishing) attacks. Secure messaging eliminates the threats inherent to email and SMS while still providing the efficiency gains required to conduct business.
Messaging Encryption: Secure messaging platforms use end-to-end encryption, meaning that only approved senders that have been granted access to an organization’s platform can send messages. This eliminates the threat of an outside sender entirely. Secure messaging also prevents man-in-the-middle attacks, which can occur when unencrypted SMS texts are sent on an open network.
Sender Controls: Beyond encryption and exclusive to enterprise-grade secure messaging platforms, the organization/sender maintains complete control of the conversation, the data and its use at all times. These advanced controls prevent unintentional sharing, data theft and propagation of information.
Governance & Compliance: Unlike native SMS texting or email, secure messaging platforms remove sensitive information from the sender and recipient devices based on a set interval of inactivity, which is what occurred in the Uber case. However, enterprise-grade secure messaging platforms also ensure that all messages are archived to the organization’s chosen repository of record for compliance and legal purposes.
Incident Response & Emergency Mass Communications: During natural disasters, manmade threats or cyberattacks, swift and secure communication to company stakeholders, employees, emergency response teams and often times even the public is paramount. In these moments, secure messaging allows for rapid, secure notifications and response communications to meet corporate operating procedures and compliance mandates, without worry of third party surveillance or leaks.
Secure Messaging is a Legal and Ethical Communications Medium
When secure messaging made headlines as part of the Uber/Waymo trial, many were quick to suggest that enterprises should be prohibited from using these private services for internal communications. Most of the arguments against secure messaging platforms proclaimed that executives shouldn’t be discussing information that couldn’t be presented publicly if needed at a later time, or asked for in an eDiscovery order.
According to a former U.S. Attorney in Virginia, there is nothing inherently unlawful about instructing employees to use disappearing applications, just as there is nothing wrong with communicating information over an unrecorded phone conversation. With that in mind, what needs to be considered when assessing the use of ephemeral messaging is actually the timing and the industry in which it is being used.
For organizations within highly regulated industries, ephemerality in and of itself can be extremely beneficial in maintaining compliance. For example, sending confidential healthcare information by disappearing text, which does not remain on smartphones after the issue(s) have been resolved, helps keep the information confidential. Similarly, sharing sensitive financial information between wealth managers and their clients or diagnostic results between a plant administrator and a remote facility worker has tremendous value.
When the allegations against Uber’s use of ephemeral messaging were revealed, a major point of contention was that these solutions were unlawful because they didn’t keep records of communications. In some ways, this concern is warranted, as many of the well-known and readily available consumer-grade messaging apps on the market, as well as their more secure solutions for business users, do not meet compliance requirements. However, there are business grade secure communications platforms that have been built with security, privacy and compliance in mind, that allow for encrypted copies of conversations to be archived securely to meet industry-specific compliance and legal requirements. For organizations that are required to keep a detailed history of communications, the ability to collect a single copy of record actually makes eDiscovery and compliance easier by not requiring collection from multiple mobile points.
Despite the recent criticism of secure messaging solutions, the international spotlight provides an opportunity to show the purpose behind enterprise grade solutions for confidential, secure and compliant communications. Today many companies are adopting secure messaging for a variety of reasons ranging from compliance to incident response to phishing mitigation and messaging encryption. For those that proceed with a secure messaging platform, it’s imperative that leadership set an internal expectation and policies on how the tool should be used and deploy an archive point for legal and regulatory compliance. If not, they risk having their own Uber-like scenario on their hands.