WhatsApp in the Workplace: A Secure Platform for Business Communication?

We recently published a flowchart (pictured) which, while intended to be somewhat jokey in nature, makes the point that, while WhatsApp is a fantastic app for chatting with friends and family, we believe it falls rather short of being a secure business communication channel, and particularly so during an emergency.

Ulrich Kelber, Germany’s data privacy chief, recently told federal bodies not to use WhatsApp. The reason for this instruction was concern over the flow of metadata (ie descriptive data that identifies assets and information) from WhatsApp to other Facebook companies of which WhatsApp and Instagram are an integral part. Kelber commented: “Just by sending messages, metadata is delivered to WhatsApp every time.”

This should be a concern for all organisations because, while conversations on WhatsApp are encrypted, the data flow will likely mean WhatsApp’s parent company Facebook knows your identity, as well as who you are talking to at any given moment. This is valuable information which can be monetised through targeted Facebook and Instagram advertising.

For example, if lawyers at a firm specialising in high net worth individuals are using WhatsApp to communicate with their clients, this may unwittingly provide valuable metadata that can help advertisers on Facebook target wealthy audiences. Essentially, you have to ask yourself how else can WhatsApp make money? The answer is that it cannot do so unless it helps the Facebook money-making machine.

If a company demands its employees use WhatsApp, whether during a crisis or within the scope of normal operational activity, they’re in effect forcing them to share some of their activities with Facebook.

COVID-19 pandemic

Of course, much corporate use of WhatsApp does not arise from senior management mandates, but rather organically, and without much thought at all. This is particularly true in situations such as COVID-19, which forced many firms that were unprepared for entirely remote operations into exactly that situation. This scenario was what Kelber was warning against when reminding us all that data protection must not be neglected “even in these difficult times”.

Remember the fact that, on WhatsApp, there’s no corporate oversight. There are no controls over chat group administration and, importantly, there’s no way to access information unless individual users are forthcoming. In addition, users can delete chats and groups, meaning that if WhatsApp is used during a crisis, it’s of little use in the post-incident review.

This is merely the latest in a litany of security issues reported over the years by WhatsApp users, including as recently as February this year when it was discovered that search engines were indexing WhatsApp groups and making them accessible on their search results pages. This was quietly resolved on Google, but not on other search engines.

The content of the chat may not be accessible, but the phone numbers of members are, thereby creating a clear data protection issue, and particularly so for those companies that may not want their clients or suppliers to be in the public domain.

When making decisions about how your business will communicate internally and, indeed, with its customers and suppliers (and notably so during emergencies), these risks must absolutely be considered. Communication in a crisis is best transacted on a purpose-built platform rather than a social media chat application that has, at its heart, a very different purpose.

Jim Preen is Director of Crisis Management at YUDU Sentinel

References

https://www.dw.com/en/germanys-data-chief-tells-ministries-whatsapp-is-a-no-go/a-53474413#:~:text=Germany's%20data%20chief%20tells%20ministries,to%20establish%20enough%20safe%20services.