WhatsApp for Business – Looks great, it’s free, so why not…?

This article looks at “WhatsApp for Business” and provides additional considerations.

WhatsApp Messenger is a freeware, cross-platform messaging and Voice over IP (VoIP) service owned by the social media giant Facebook. The application allows the user to send text messages, make voice and video calls, and share images and other media, including documents and the user's location. The application runs from a mobile device, although it is also accessible from desktop computers. Originally, users could only communicate with other users individually or in groups of individual users, but in September 2017 WhatsApp announced a forthcoming business platform, which will enable companies to provide customer service to large numbers of users. WhatsApp is a truly useful tool and the purpose of this article is not to discourage use of the application in any way; rather, this article is designed to give the reader things to consider when deciding whether WhatsApp is in line with the information owner's policy, or the individual's privacy.

Does WhatsApp work for everybody?

WhatsApp is an extremely popular mobile messaging service with over one billion daily users. Users range from young adults to large corporate groups spanning the globe. The service is constantly evolving and major changes have included the introduction of encryption. In collaboration with Open Whisper Systems (Signal), WhatsApp have implemented end-to-end encryption as the default setting between users. Understandably, this received a lot of press in the media from all sides. An attorney for the FBI raised concerns that the move is damaging for law enforcement; privacy advocates have hailed the move as a big step forward; and some technology columnists have questioned the fundamental security, raising the point that Facebook does not have the best reputation on matters of privacy. It is key to understand that whatever you send over WhatsApp is your information and, ultimately, some protection has got to be better than no protection at all.

Who owns your information?

WhatsApp and the services it provides can undoubtedly be viewed as a great platform for communicating pan-enterprise. This presents concerns for the individual user, though, as this information becomes the property of the enterprise and is not owned by the individual. The enterprise, therefore, is responsible for the provision of a security solution that secures, assures, authenticates, preserves, and provides legal intercept. There is, however, very little evidence to suggest that WhatsApp can provide legal intercept, making it extremely difficult for any enterprise to monitor an individual's data.

It is worth noting at this point that when users sign up to WhatsApp, they are aware of its terms:

“you grant WhatsApp and its subsidiaries and affiliates a worldwide, non-exclusive, sub-licensable, and transferable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, and publicly perform or display Company Content that you upload, submit, store, send, or receive on or through our Business Services, solely for the purposes of providing, operating, developing, promoting, updating, and improving our Business Services, and researching and developing new services, features, or uses” (WhatsApp Business Terms of Service, dated: 15th May 2018).

Terms and Conditions are general and special arrangements that form part of an agreement or contract. It could therefore be argued that WhatsApp owns the information you send using its application and may be required to surrender this information to any investigating legal authority.

Legal intercept.

Often carried out by the police and sponsored government departments, legal intercept is a necessity, both in the interests of national security and to monitor any traffic being transmitted across your own enterprise network. One of the highest threats and attack vectors to any IT system is from the internal staff who make regular use of that system. From a regulatory perspective, in order for any interception or extraction of communications to be done lawfully, it would need to be undertaken within the framework of the United Kingdom's Investigatory Powers Act, which came into force in November 2016. During the course of the Investigatory Powers Act's passage through Parliament, the government has had to tussle with balancing its national security concerns against the individual's right to privacy, preserved in Article 8 of the European Convention on Human Rights. Whether the government has managed to achieve the impossible remains to be seen now that the Act has come into force. The European Court of Human Rights accepts that targeted secret surveillance can be found to be in compliance with Article 8, but only where strictly necessary for the safeguarding of democratic institutions, assessed on a case-by-case basis. Danny O'Brien, the international director at the Electronic Frontier Foundation, said:

“WhatsApp could turn off encryption for a set of numbers requested by UK officials. They could also put out an “update” for certain numbers that, once downloaded, gave officials access to otherwise encrypted messages”.

In consideration of WhatsApp's promise to provide users with end-to-end encryption, you have to ask whether you really do have control over the final destination of your messages and who can legally review your information.

WhatsApp on work devices.

Using WhatsApp on work devices (BYOD or corporate) provides an encrypted route for traffic off the corporate system that the business cannot interrogate; therefore, it's an ideal solution for someone stealing or harvesting information, or for a disgruntled employee. The same can be said for third-party VPNs and similar software if you allow staff to install it on their own devices. There are, however, clear legal guidelines which detail an employee's right to privacy under the European Convention on Human Rights and the Human Rights Act 1998. In addition to the human rights legislation, the monitoring of an employee's email, internet and phone usage must also comply with the employer's obligations under the Data Protection Act 1998 (DPA). To avoid the potential issue of an insider attack and the expense of becoming embroiled in human rights disputes, businesses often ban the use of these types of secured communications on work-supplied devices.

The crypto domain.

IM protocols are centralized such that users of each application can only communicate among one another, i.e. they are all part of one large crypto domain. As a result, a user cannot choose the most trustworthy provider, but needs to fully trust the one provider that develops both the protocol and the application. Any server-based application, which is how WhatsApp can be categorised, has its own vulnerabilities. Cryptography experts recently declared that,

“If you build a system where everything comes down to trusting the server, you might as well dispense with all the complexity and forget about end-to-end encryption” (Matthew Green, cryptography professor at Johns Hopkins University).

Data harvesting.

Harvesting data involves collection and storage with the expectation of future reward. Data can be harvested in different ways, ranging from simple copy-and-pasting and screenshots on a device to more complicated programming. The chosen method is often constrained by the site being harvested. Once your data has been harvested, companies often analyse this data and use it for their own benefit. You have to ask yourself whether this is possible despite WhatsApp's promise of end-to-end encryption: is this user-friendly service really free?

Why did the CEO of WhatsApp recently quit?

Jan Koum, former CEO of WhatsApp, left the company for contested reasons following an argument about the future of encryption and privacy on the service. WhatsApp has been dedicated to privacy since it was founded, making use of technology that makes snooping impossible. The technology used by WhatsApp has regularly come into conflict with Facebook's huge appetite for personal data, and that is believed to be the most likely cause of Jan Koum's departure. Facebook's business model is based largely on data and advertising, whereas the WhatsApp founder's focus has always been on security and privacy. The difference between Facebook and WhatsApp is best shown in their respective chat apps:

In WhatsApp, messages are end-to-end encrypted, meaning that only the sender and the recipient can read a message and the company could not snoop even if it wanted to; on the other hand,

Facebook messages are regularly scoured through by automated systems, which the site says is done to stop certain kinds of abuse.

It’s intuitive and easy to use – so why not?

WhatsApp may be free, intuitive and user friendly, but there is a price to pay: your information. With any free app you don’t really know who has access to your information, and you certainly don’t know who will have access to your data in the future. End-to-end encryption sounds like the perfect solution for securing your voice and data communications, but how much trust are you prepared to put into a free, open-source application?

Organisations are often acquired and then subsumed into larger corporations, and it's at this point that you have to question who is ultimately responsible for your personal data. There is a high value associated with personal data in the 21st century and it has undoubtedly become a lucrative asset to be traded.
