The texts are long gone. That is becoming a more common reality in workplaces.
More companies are starting to approve the use of ephemeral messaging apps like Wickr, Telegram and Vaporstream for internal communications. The tools are used for security. They can keep sensitive conversations from falling into the wrong hands by automatically deleting messages without saving a copy.
But the apps are also stirring up legal, regulatory and company culture issues.
For example, in its trade secrets fight between with Uber, Waymo claims that Uber executives used Wickr and Telegram to discuss issues central to the litigation. Uber acknowledged it used the apps, but did not elaborate on what they were used for.
Wickr lets users set messages to be deleted immediately, or after a period of time. The messages are encrypted and not stored on Wickr’s servers, so there’s no way to retrieve them once they’re gone.
In addition to its free app, Wickr offers professional versions that give companies more control over policy enforcement and message retention.
“I think it’s very clear that there’s nothing explicitly unlawful about using private communication or encrypted applications,” said Wickr CEO Joel Wallenstrom.
There are legitimate reasons why a company would want a communication tool that doesn’t leave a trace. Employees may want to discuss their own trade secrets or sensitive deals. Email is an easy mark for cyber-criminals. It’s the most common target at companies, and is often compromised through simple phishing attacks.
“In email, you need to have every conversation … in the exact same manner as you would knowing it would be on the cover of the New York Times tomorrow,” said Wallenstrom.
There’s been a shift in how long companies keep emails. Policies to retain emails for 30 days are becoming standard, according to Wallenstrom. It’s a major change that has been happening over the past few years, starting with the Sony hack in 2014 and accelerating after the 2016 election.
The next logical step could be companies adding a system that doesn’t keep messages at all.
“It should only be used in organizations that are deeply concerned about the content of their internal communications being taken public, which I hope is everybody,” said Justin Zeefe, executive director at Nisos Group, a cybersecurity firm in Virgina.
Nisos Group uses Wickr to communicate internally and with clients. Wickr has largely replaced email as the primary way to communicate inside the company. It also uses the app to talk to clients whose email or other systems have been compromised.
“There’s an extraordinary amount of comfort knowing that even in a breach, our communications cannot be accessed by anybody who doesn’t need to know,” said Zeefe.
Because Nisos Group is a small consultancy, it doesn’t have many regulatory requirements, according to Zeefe. Deleting conversations can be much trickier for other businesses.
Various federal and state laws require companies to keep messages and records for a set period of time. Many rules are industry specific. Finance companies have to save emails for anywhere from three to seven years. Health companies need to comply with HIPAA, the federal law that protects patient confidentiality. Many states require all companies keep certain employment related records for a year. Government officials have their own complicated transparency requirements.
“If you’re using these kinds of applications in your workplace, you may run afoul of the law,” said Stephen Wu, a Silicon Valley lawyer who specializes in information security, privacy and information governance. “There’s so many of these record retention requirements that to use these apps on a wide scale on a business, you’d be risking that you’d be out of compliance.”
Enterprise versions of ephemeral messaging tools give companies a way to enforce any rules that apply to them. For example, Vaporstream, a secure and ephemeral messaging product for companies, focuses on compliance tools that let companies apply existing retention policies.
Messaging companies and experts say companies should speak to their lawyers about record retention requirements before approving any new messaging tool.
If ephemeral messaging is going to shake off the stigma and go corporate, companies will have to be careful to make sure it’s not abused. For some startups, that means a culture change.
“It’s the responsibility of the employer to lay out the culture,” says Galina Datskovsky, CEO of Vaporstream. “At least some effort needs to be made to let them know what’s acceptable. When anything goes, it’s a problem.”
(Article originally published in CNN on December 11, 2017 by Heather Kelly)