Whatsapp and other messaging platforms
You have done it haven’t you?
We all have. Sent a screenshot of an internal email, sent our customers' details on, or forwarded the sales report to our WhatsApp or Telegram group with our co-workers. It's fast and effective. But should we really be doing that?
The simple answer is NO, we shouldn’t be.
There are a myriad of new messaging platforms, each with their own privacy features, but generally they do not offer the level of security required by the increasing requirements of local (and some international) data protection legislation with which we may have to comply. Think POPI, GDPR.
Let's take one of the most popular messaging apps around: WhatsApp.
Put simply, WhatsApp doesn't even allow you to. WhatsApp, in fact, expressly prohibits any "non-personal use" of its services, unless specifically authorized by it. Now, WhatsApp has the new WhatsApp for Business feature, which, at its core, is designed to facilitate customer engagement. But unless you are signed up for that, WhatsApp remains strictly for personal use.
Even on the business platform, WhatsApp does not offer sufficient end-to-end encryption of its messages. Any WhatsApp chat may be easily exported, and any backup of a chat will be unencrypted.
Once these messages exist they cannot be deleted by one user. If a user leaves a group, their access often remains. An ex-employee, for instance, may still have access that cannot be revoked.
While POPI does not speak to exactly what encryption is required, it does state that the best and most appropriate organizational, technical and security safeguards must be put in place and maintained.
Amplifying these requirements is the development of section 99 of POPIA, which allows for an employer to be held liable for the actions of its employees. This could be especially dangerous if negligence can be attributed to the employer for having personal information, which qualifies for protection, out in the ether with ex-employees whose access can't be revoked.
Other failing points are that WhatsApp can terminate your account at any time and without providing any backup. Any duty to maintain records therefore becomes impossible to fulfil.
This should raise a red flag in relation to other messaging apps that offer secrecy and deletion of messages too. Whilst it may seem safe to have no records available to be stolen, you may fall foul of data retention requirements, which also form part of the data protection legislation. POPI requires that data be kept for the minimum amount of time, but it also interplays with other legislation which requires that accurate records be retained for legislated periods of time.
Data protection legislation goes a long way to stating that third parties touching the data must be extremely limited and have, at the least, defined purposes and processing limitations. As we are all aware by now, the big tech companies have eaten up many smaller players. Facebook owns WhatsApp, and any information you are sending through WhatsApp is interfaced through Facebook, Messenger and Instagram.
Lines begin to become blurred. This is definitely not what you want in your quest for compliance. We therefore urge you not to utilize messaging apps like these for business communications. Ideally, you should have a business communications, acceptable use and privacy policy, which should make it clear to all your staff what the acceptable method of sharing information is.