WhatsApp’s privacy fiasco draws attention to cyber security and privacy risks of messaging apps

The recent backlash to WhatsApp’s terms and privacy policy changes has brought forward the necessary privacy and cyber security conversation around messaging apps, their role in business and how they are managed, says Takalani Mavhunga, Chief Financial Officer at Nexio.

Johannesburg, 10 Feb 2021
Takalani Mavhunga, Chief Financial Officer, Nexio

So far, 2021 has not been short of drama: celebrating the new year under adjusted level three lockdown restrictions and curfew, eye-popping testimonies at the Zondo Commission, and then the storming of the US Capitol. Yet the one thing that had most people frothing at the mouth was WhatsApp’s announcement that its privacy policy was changing.

As many know, WhatsApp communicated its updated privacy policy terms to users through an in-app pop-up message, which requested users to accept or reject the policy by 8 February 2021.

It mainly related to how WhatsApp would share information with Facebook, its parent company, especially if users had interacted with a WhatsApp Business account off the back of a Facebook ad campaign. WhatsApp for Business is a consumer-facing version of WhatsApp that enables businesses to communicate with their customers, and lets customers quickly reach a company by text without calling a call centre.

A hue and cry ensued on social media from users, then privacy experts and governments started weighing in. The South African Information Regulator said it too would review WhatsApp’s new policy to better understand its consent mechanism.

Most people worried that WhatsApp was sharing the content of their messages with Facebook, although this was not part of the latest update to its policy.

While the policy update was meant to provide transparency about how WhatsApp collects and uses this data, it had the opposite effect. It created a social media backlash that forced the company to quickly release a clarifying statement and, later still, to back down and set a new target date of 15 May 2021 for the launch of its business tools.

Our legal and cyber security teams at Nexio have been studying these developments closely.

“The reaction online to the news shows that people are more aware of their rights in respect of personal information. Users are not only concerned about the security of their information, but also the privacy of information shared via WhatsApp,” says Zinta Strydom, Nexio’s Executive Head of Legal.

“It will be up to the Information Regulator to decide if the consent mechanism to WhatsApp’s terms constitutes appropriate consent and whether all other data privacy requirements are fulfilled.”

In the age of misinformation, paranoia ensues

In essence, WhatsApp could have handled this announcement better by educating users beforehand. Predictably, as soon as Facebook, data and privacy policy appear together in the same sentence, people become paranoid.

Facebook (which also owns the social media platform Instagram) continues to battle its dicey privacy reputation. Various hacks, as well as the Cambridge Analytica saga, show that this paranoia is not without cause. Films like The Social Dilemma expose how the data you provide through your interactions with the platform is the fuel that powers this behemoth's rocket.

Yet most people who use social and messaging platforms aren’t aware of the intricacies of data and privacy, and many blindly accepted and agreed to the new WhatsApp terms. Surprisingly, many people have never stopped to wonder why platforms like Facebook, Instagram and WhatsApp are free.

Remember that Facebook purchased WhatsApp for the eye-watering price of $19 billion, or $55 per user, back in 2014, and that in 2018 Facebook launched the WhatsApp for Business API to begin monetising its significant user base.

WhatsApp has already been sharing information with Facebook since August 2016, when WhatsApp changed its privacy policy.

Messaging apps provide benefits, yet many business risks too

During the past year of lockdown, we’ve witnessed a ramp-up in the number of South African corporates using WhatsApp to communicate. While company-wide solutions like Microsoft Teams have been rolled out during lockdown to connect remotely scattered employees, WhatsApp is still used widely by executives and teams alike.

Social media and various articles in the media have, however, raised conversation levels (pardon the pun) around the use of various (free) messaging platforms and the data collected on them. That includes Signal, Telegram and Facebook Messenger, all of which have vastly different privacy policies, features and functionality.

While these apps have allowed people within businesses to communicate quickly and informally, even across borders, leading to increased productivity and decreased communication costs, businesses would benefit from evaluating the overall privacy issues surrounding these messaging apps.

“There are key cyber security issues with messaging apps like WhatsApp,” says Ignus de Villiers, Executive Head of Cybersecurity at Nexio. “They remain difficult to monitor and control, there are issues with oversharing, cyber bullying, predatory behaviour, airing workplace drama, POPI and GDPR non-compliance as well as end-to-end encryption not being guaranteed,” he says.

“Companies are unaware of how many groups have been set up on these apps and who belongs to these groups. Ex-employees might still have access to these groups as well as the files and photos shared on them,” he says.

What they don’t tell you about end-to-end encryption

There is a misconception that WhatsApp’s end-to-end encryption protects against WhatsApp itself, or any third party, reading your messages. Although the end-to-end encryption assertion is factually true, there are loopholes worth noting.

“If you download a backup of WhatsApp or export a chat from WhatsApp, all those messages are immediately unencrypted on your local hard drive or on the cloud (depending on where you store these files). Also, anyone in any group you belong to can export the entire chat history of the group as a plain text file and publish it anywhere or send/store it anywhere unencrypted,” says De Villiers.

“None of these tools have enterprise security features, so it’s essential to address this issue with staff,” he says.

Using a company-wide solution like Microsoft Teams is key to managing the number of groups set up to communicate within a team and across the organisation.

“It’s business-critical to use mandated software like Microsoft Teams and Outlook to maintain proper business records of conversations and to keep business records, client and business data inside the walls of the organisation,” says Strydom. “It’s essential when facing any legal challenge from clients or employees.”

While it’s impossible to prohibit the use of messaging apps on employees' personal handsets, strong company policies and operational procedures should be in place to ensure that privileged business information is not shared on unsanctioned cloud environments and social networks, including messaging apps.

Social media governance and compliance are essential for cyber security

While the read rate of cyber security and social media policies is low, employees must understand how insecure it is to use social networks for business communication.

Employees need flexibility and empowering solutions, but not at the cost of company privacy and security. Nexio provides cyber security and governance solutions that enable and enhance business strategy rather than hinder it.

We don't believe in scare tactics, but we are realistic about cyber security. Is your business at risk using these messaging apps? If this is an area your business needs to tackle, it is wise to act now.

It may be time to check how your business conducts conversations on these messaging apps and to start regaining control and management of these conversations and this data for your organisation.

In terms of best practice, companies must remember that any tool not under their control should be used with caution, preferably governed by robust internal policy and guidelines, possibly with the help of outside legal and cyber security professionals.

The rule of thumb should be to look at what is being shared over messaging apps.

De Villiers advises: “If there is any business-related communication necessary then it should be conducted over a platform that the business owns and governs. It boils down to awareness and whether a company-wide policy is in place. Use of messaging apps is fine if it’s used to inform, but when it’s used to share privileged business level information, we caution against that.”

There’s nothing wrong with using messaging apps for instant communication, even between colleagues or teams within a business, provided it is to inform, update or instruct and no privileged business or personal information is shared.

During this time of heightened stress, nothing beats an unexpected, relevant or funny meme from a colleague, whether it arrives when you least expect it or defuses a tense situation. That’s when messaging apps really shine.

From a business perspective, the case is clear: the platform needs to be compliant, secure and best of breed for the enterprise.

Who is Nexio?

Nexio is a trusted IT partner for the digital future. We provide leading security and compliance solutions and advisory services to help your business proactively navigate, innovate and adapt to secure relevance in an ever-changing market.

Nexio brings a unique combination of technology expertise and professional service experience to make real-time security a reality for businesses.

Nexio provides a complete network security offering that properly considers risk, governance, compliance, people, processes and technologies. Through our consulting and advisory services and internal awareness workshops, we gain a complete understanding of your business cyber risk profile and comprehensively identify the security and data compliance gaps, providing a comprehensive plan to address specific threats.
