What’s up with using WhatsApp?

WhatsApp is brilliant.?I use it more than texting now as it’s so versatile and maybe you do too.

Remember multimedia messaging (MMS), introduced in the mid 2000’s? It was the enhanced version of SMS (bog-standard texting) that allowed the sending of pictures and videos as well as basic text.?It was expensive but so are most new services at first and, no doubt, it would have followed the usual downward curve except it was blown out of the water by WhatsApp in 2009 which was free to use and just needed access to wifi or a standard cellular packet data service which, due to being used by a multitude of apps, soon dropped in price and is incredibly cost effective now as it’s included in mobile tariffs.?Not only that but, unlike linear SMS and MMS, you could create group chats where everyone in the group could see everything.

(Note: MMS is technically still around but about as relevant as LPG-powered cars or fax machines).

So what’s not to like about WhatsApp and other similar services??Not much if you are a consumer other than the recent hack (read on)

But what about businesses? ?There’s a great version called WhatsApp Business which allows traders and retailers to communicate with their customers via the app.?In addition, lots of employees use the standard app to communicate internally and it’s clear why they do as the group function is so easy to use and common to all smartphones and the web version works on any device with a browser without needing a sim card, as long as you have an account via a sim-connected phone.?It’s also very easy to effectively scan and distribute documents by photographing them and sending using the app.

However, WhatsApp has been in the news in the last few days for negative reasons as there has been a hack due to a flaw in its security.?That’s not the real issue here though as it was fixed quickly and similar could (and has) happen to other apps. Generally speaking, WhatsApp is pretty secure with its end to end encryption.?You may recall that governments and security services have complained that they can’t access messages sent by criminals and terrorists on WhatsApp so it is hard to break.

The real and ongoing problems are inherent in the way that WhatsApp is meant to work.?But before I get to that it’s worth remembering the current climate that businesses and organisations operate in.

This is my second stint at Vodafone and one of the biggest differences I have noticed since returning after almost 6 years is the attitude towards data security which is now an obsession.?Keeping our (and our customers’) data safe is a top priority. GDPR fines for loss of data can be up to 20 million Euros or 4% of turnover, whichever is highest. The damage to a commercial organisation’s reputation could be even more costly if it lead to a loss of trust.?Directors are responsible for how data is used, moved and stored within their organisation and carry the can for breaches.

Principle F of the GDPR deals with integrity and confidentiality and states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”?Other principles deal with related matters like purpose limitation, data minimisation, storage limitation as well as lawfulness, fairness and transparency.

Think about the following situations which arise in relation to these principles when staff from your business or Public Sector organisation use WhatsApp groups to communicate with each other.

1. What information are they passing on??Is it personal data relating to customers, vulnerable adults/children or patients??Does everyone in the group have the need to see it. If not there’s a data minimisation and purpose limitation risk here
2. Who’s in the group and is seeing the data and photos that are posted??Are there ex-employees that haven’t been removed or people added by accident from someone’s personal contacts rather than the corporate directory??If you don’t know then you risk being accused of not using organisational methods to protect against loss of data. Interestingly, the wording in principle F suggests there’s a negligence even if no data has ever been lost simply due to your organisation being vulnerable.
3. If an employee leaves the company and the “system” (if we can call it that) works in that they are removed from the group, they can still see the messages and data posted on the group up to that point unless the ex-employee chooses to delete the group from their phone.?Either way your organisation is not protecting its data as a leak is able to happen.
4. Posts on WhatsApp groups stay on those WhatsApp groups so how are you able to comply with the storage limitation requirement which means you should not keep personal data longer than you reasonably need to?
5. What if a phone is lost or stolen??If the finder or thief can access the phone then they will have access to the data stored in WhatsApp as this app has no security features at the user interface.?Here we have accidental loss challenges again
6. Most phones are capable of downloading photos received by WhatsApp onto the phone’s internal storage or an SD card and then backing them up to a personal cloud service.?All the previous dangers apply to this scenario too.

I’ve mainly used the groups scenario here but messages sent simply from one person to another basically have all the same issues.?Once the data is sent, the sender, and the organisation they work for, has no control over that data.

Also, whilst I’ve concentrated here on personal data that is covered by GDPR, using WhatsApp for sending confidential company information is open to the basic same risks even though GDPR itself may not apply.?Every business has data it doesn’t want to end up in the hands of competitors.

Clearly, there’s a massive (though not fully realised) issue arising from the use of free, non-administrated, messaging services but, at the same time, modern organisations rely on the fast flow of information whilst recognising the need for security and confidentiality.

If only there were alternatives - enterprise-grade mobile messaging applications - available that were as easy to use as WhatsApp and as controllable by IT as all the other approved corporate applications??Happily, there are such services available from communications companies like Vodafone.

Unlike WhatsApp though, these truly secure apps are not free of charge and do require company resource to support them.?This is why many organisations turn a blind eye to staff using free apps as they get (some of) the productivity gains and none of the cost.?But, hopefully, having read this article, you’ll recognise how short sighted and risky that view is. A data breach is far from free of charge in terms of potential reputational damage, ICO fines and loss of employment for directors responsible for data security.?On a positive note, as well though, actively sponsoring an official messaging service within the organisation will bring about productivity gains which alone should return any investment.

EDIT for October 2021. As WhatsApp is free of charge, there's no guarantee of service. If it goes down across the globe like it did on 4th October 2021, there's no come back. If you are using it for business or life critical operations and it's not working, where does that leave you and your staff? If buying a comms service, you would want to ensure it was secure and resilient before using it. Allowing or tolerating the use of a free and insecure service puts any organisation in a difficult position if it stops working. Enterprise-grade do not suffer from these vulnerabilities.

If you think your employees and colleagues might be using WhatsApp to move company data and you’d like to find out more about how secure messaging can safeguard your data and your business, and improve your communication flow, please get in touch and we’ll tell you more.