Despite Recent Critical Press, Secure Messaging Platforms Essential to an Enterprise’s Defense-in-Depth Strategy
The media seems to have it out for secure messaging thanks to Uber vs. Waymo and other examples of misuse, but enterprise-grade secure messaging’s compliance, privacy, security and incident response benefits cannot be ignored.
As an explosive legal case between Uber and Google’s former self-driving car project, Waymo, began to make numerous media headlines in late 2017, an unsuspecting technology found itself in the crosshairs of the dispute. While one might suspect that it was autonomous vehicle technology or a top-secret robotics program at the center of the debate, it was actually an ephemeral messaging service – specifically Wickr – that emerged as one of the most provocative arguments throughout the early days of litigation.
Upon the commencement of the trial in November 2017, Waymo presented its working theory, accusing current Uber executives – previous employees of Waymo – of using Wickr and other ephemeral messaging apps to communicate via disappearing text messages. The premise was that the messaging apps were used to secretly discuss trade secrets that were illegally taken from Waymo. Whether the theory presented by Google’s former self-driving counsel is accurate or not, it was all but impossible to prove. The transactional and contextual history of any messages communicated via the secure messaging apps utilized by Uber is essentially untraceable and therefore impossible to present in court.
An unintended consequence of the plaintiff’s argument, however, came from the negative media coverage that would follow courtroom proceedings. Specifically, many media outlets began reporting on what they argued were major concerns about both the ethics and legality of ephemeral messaging apps in business environments. In fact, when this news came to light, many in the media even claimed that the outcome of the trial could set the legal precedent for business use of ephemeral messaging going forward. Such critical press undoubtedly led to the November mandate by Uber’s CEO to ban secure messaging apps entirely.
To the surprise of the entire tech universe, Uber and Waymo recently settled out of court for $245 M. Yet the reputation and perception of secure messaging apps remain tarnished, and misconceptions about the legality of ephemeral messaging, all due to one company’s possible misuse of the technology, are circulating like never before.
As an example, an organization’s proactive incident response personnel could utilize their secure messaging platform to preemptively set up templates and pre-schedule a series of texts to notify first responders and emergency management offices as well as all field employees during a declared emergency. Such real-time communications are extremely useful when automating programs that call for routine communications that follow in a series, such as status and field updates as well as anticipated outage timelines. Replies to these automated communications can be routed to a specific mailbox or group for monitoring and response, or disallowed based on the type of communication and need, providing a central communication hub.
The Use Case for Secure, Ephemeral Messaging in the Workplace
The legality of secure messaging aside, it’s important to first understand why so many businesses have started using ephemeral communications in the first place. Worldwide, the frequency and sophistication of cyberattacks are on the rise and as a result, compliance and incident response are now integral to a CISO’s defense-in-depth strategy. Specifically, secure and ephemeral messaging platforms provide the following benefits to the enterprise:
- Phishing Mitigation: Secure messaging provides a unique, yet proven solution to mitigate risk by taking communications outside of where they are most vulnerable: email and SMS text. Although email is the most commonly used tool for digital business communication today, CISOs have worked diligently to educate employees about the vulnerabilities that email entails. This knowledge has caused many workers to reduce their reliance on email altogether, instead choosing to utilize SMS texting for its ease-of-use and simplicity. In fact, 80 percent of workers report using SMS text as part of doing business, even if text messaging is not a sanctioned form of communication in the workplace, according to Seyfarth Shaw LLP. Unfortunately, however, SMS texts are not considered secure, do not meet regulation requirements for record retention and are also at risk of SMS phishing (smishing) attacks. Secure messaging eliminates these threats inherent to SMS.
- Messaging Encryption: Secure messaging platforms use end-to-end encryption, meaning that only approved senders that have been granted access to an organization’s platform can send messages, thereby eliminating the threat of outside senders entirely. Secure messaging also prevents man-in-the-middle attacks, which can occur when unencrypted SMS texts are sent on an open network.
- Sender Controls: Beyond encryption, and exclusive to enterprise-grade secure messaging platforms, the sender maintains complete control of the conversation, the data and its use at all times. These advanced sender controls prevent unintentional sharing, data theft and propagation of information.
- Governance & Compliance: Unlike native SMS texting or email, secure messaging platforms do typically remove sensitive information from all devices based on a set interval of inactivity, which is what occurred in the Uber case. However, secure messaging platforms can also ensure that all messages are captured and archived to the organization’s repository of record for compliance purposes and processes, while removing texts from sender and recipient devices.
- Incident Response & Emergency Mass Communications: Prior to, during or in response to emergency situations, such as natural disasters, manmade threats or cyberattacks, swift and secure communication to company stakeholders, employees, emergency response teams and oftentimes even the public is paramount. In these moments, secure messaging allows for rapid, secure notifications and response communications to meet corporate operating procedures and compliance mandates, without worry of third-party surveillance or leaks.
Secure Messaging is Legal, Despite What the Media Says
When secure messaging made headlines as part of the Uber/Waymo trial, many were quick to say that enterprises should be prohibited from using these private services for internal communications. Most of the arguments against secure messaging platforms proclaimed that executives shouldn’t be discussing items that couldn’t be presented publicly if needed at a later time, such as if ever called upon for litigation.
But according to a former U.S. Attorney in Virginia, there is nothing inherently unlawful about instructing employees to use disappearing applications, just as there is nothing wrong with communicating information over an unrecorded phone conversation. With that in mind, what needs to be considered when assessing the use of ephemeral messaging is actually the timing and the industry in which it is being used.
For organizations within highly regulated industries, ephemerality in and of itself can be extremely beneficial in maintaining compliance. For example, sending confidential healthcare information by disappearing text, which does not remain on smartphones after the issue(s) have been resolved, helps keep the information confidential. Similarly, sharing sensitive financial information between wealth managers and their clients or diagnostic results between a plant administrator and a remote facility worker has tremendous value.
When the allegations about Uber executives’ use of ephemeral messaging were revealed, a major concern amongst media and onlookers was that these solutions were unlawful because they didn’t keep records of communications. In some ways, this concern is warranted, as most of the well-known and readily available consumer-grade messaging solutions on the market, as well as their more secure solutions for business users, do not meet record retention requirements.
However, what many may not be aware of is that there are select enterprise-grade secure communications platforms that have been built with security, privacy and compliance in mind from inception, allowing for encrypted copies of conversations to be archived securely to meet industry-specific record retention requirements, or in the case of anticipated litigation. For organizations that are required to keep a detailed history of communications, the ability to collect a single copy of record actually makes eDiscovery and compliance much easier by not requiring collection from multiple mobile points.
Despite the Uber/Waymo trial shining what could have been interpreted as an unpleasant light on the use of secure messaging in corporate environments, it did provide an opportunity to educate the public on the many use cases for secure messaging for business, and reinforce its legality. Although Uber permitted and encouraged the use of secure messaging for internal communications amongst staff, it failed to set an internal expectation of how the tool should be used, deploy a full-time compliance archive point or define how communications would be stored in the event of litigation. On the opposite end of the spectrum, many organizations remain unaware of the benefits and possibilities of secure communications tools or have been influenced by recent media coverage. These companies should not refuse to adopt secure messaging solutions altogether, as this will instead push business users to find their own unsanctioned solutions or, even worse, use vulnerable SMS texts. Instead, organizations should embrace the right secure messaging platform, which, when used correctly, can be a key component of their defense-in-depth strategy.
Meet Vaporstream: The Right Choice for Secure, Ephemeral Communications
To keep confidential communications secure, while also proactively protecting against increasing cyber risks and ensuring legal compliance, it is up to organizations to provide employees with the right platform that meets the needs of the industry in which it operates.
Vaporstream is a secure, ephemeral and compliant communications platform that work teams can use on their smartphones, tablets or desktops. The solution provides sender-controlled, encrypted and leak-proof messaging that helps ensure that only the intended receiver sees the message contents. For compliance purposes, organizations can retain a copy of messages to a secure, client-specified repository for safe keeping and control. Employees can also send attachments, collaborate with ease and seamlessly communicate with colleagues, third parties and other external contacts in a secure manner.
In an era of complex and aggressive security threats, complicated by rising demands for mobile agility and innovative client-engagement, Vaporstream’s secure communications platform empowers enterprises to have asynchronous, secure and private mobile communications to conduct business – no matter where they are. Vaporstream’s focus on security and privacy ensures that text messaging communications are kept confidential, secure and compliant (e.g., with HIPAA, FINRA and others), while driving superior business outcomes.
Vaporstream also eliminates concerns about information exposure, device loss or theft due to ever-increasing use of mobile devices and mobile communications. Third-party certified by NowSecure™ for information security, our patented technology and robust feature set for security, collaboration, automation and compliance provide an encrypted text messaging platform for teams to communicate with confidence and collaborate at the speeds demanded by today’s business. Trusted by leading organizations across a variety of industries, Vaporstream helps ensure that critical communications flow seamlessly, securely and confidentially at the speed of business.
About the Author
Dr. Galina Datskovsky, CRM, FAI, a serial entrepreneur, is an internationally recognized privacy, compliance and security expert. Galina is the CEO of Vaporstream®, a leading provider of secure, ephemeral and compliant messaging.
Originally published in Cyber Defense Magazine by Dr. Galina Datskovsky, CEO of Vaporstream