Free and secure does not equal private: How to choose the right messenger?
07 Sep 2020 | Enrique Pena
Most popular messaging apps are designed for personal use, not for corporate and even less for government use. Most commercial messaging apps have lengthy and detailed end-user license agreements (EULAs), which you agree to by installing and using the app. A EULA is a legal agreement in which you are specifically prohibited from using the app for anything other than personal use. This greatly reduces the app developer’s liability in case something bad happens to your data when you use the app for business purposes. Plus, by agreeing to the EULA, you give messenger developers consent to collect an extensive amount of user data generated way beyond just the messenger app itself.
Even the freely available, really secure messenger apps that feature strong encryption technologies can still be non-anonymous. Understandably, they are inherently designed to collect and share users’ personal information. The source of this problem lies in their monetisation model. If the app itself is free, it just means that developers have to monetise user data or users directly. The bigger the user base the service has, the more money it can generate and attract. The arms race for venture capital and acquisitions forces developers to focus on growing their user base. It becomes only natural that corporations collect as much personal information as they can to mine for profit.
The problem is that, as in many repeated and reported cases, corporations have shown they do not care much about securing what they have collected. Given these developer priorities, choosing a truly secure and private messenger is not an easy task. If your organisation is looking for a new company-wide messaging app, there are lots of choices available. Here are a few practical tips that can help in forming that decision.
Almost all messengers require direct access to the user’s contact list, email address, photo album, location or phone number. If this data is collected, there is always the probability of a leak. Information can be transferred to remote servers that no user or organisation has control over, with no say in how it could be used. As a result, sensitive data can be accessed and mined by many other companies and, in turn, may be repurposed, sold, or worse, hacked. To avoid such risks, advice number one is: your messenger should not be free. Paying even a small fee for the service allows developers to apply a more favourable business model that avoids the collection of any personal information. Not sharing data with an app is a more secure approach to messaging.
Another important aspect when choosing a messaging app is to be sure of what kind of metadata the service exposes and whether it is encrypted or not. Popular encrypted messenger apps have been criticised for their decision not to encrypt user-generated metadata. Metadata can be generated by pretty much anything the user does with the device and the apps running on it: the date and time of app use, the IP address, geographical coordinates, the user’s name, frequency of messaging, the list of participants in a conversation and so on. Choosing a solution that encrypts metadata, or one that does not record any, makes conversations between two or more parties harder to track and hence more private.
Without getting into the complexities of the kinds of end-to-end encryption algorithms available, ensuring your messenger has one, by default, is key. Most of the conversation in businesses and organisations is carried over instant messaging platforms. Securing this interaction is a major priority to avoid losing business secrets and intellectual property. While it is easy to encrypt messages, it is a whole different story when it comes to files, videos, images, and video and audio calls. To make sure all instant messaging, media files, audio/video calls and data transmitted over the servers are secure, holistic end-to-end encryption is what you need to look for. Make sure that, whichever solution you are considering, data encryption takes place in transit and at rest – everywhere, all the time. This gets you closer to having all your mission-critical information and communications remain private, confidential and secure. End-to-end encrypted communications allow organisations and their staff to stay focused on their core business knowing their security and privacy are addressed, while mitigating, reducing, even eliminating risk, threats and loss – and providing a productive workspace.
A core question in end-to-end encrypted messaging is: how do I know a person is who they say they are? When choosing a messaging service, organisations will need to make sure that users who are granted access to the service are also authenticated and trusted to be who they really are. Accessing a digital service may not mean that the subject’s real-life identity is known. Encryption and privacy go out of the window if the wrong people can access the service or the device running it, gain access to chat groups and be exposed to all your business secrets. The question here is how to give the service a source of identity that grants secure access to the vetted people who are intended to use it.
Strong authentication consists of policies, standards, software, sometimes even hardware, that manage the creation, distribution, revocation and administration of access to the service. The heart of a secure and private messenger is a trusted entity or system that ensures the trustworthiness of its users; one that enables trusted digital identities for people. Strong authentication is a crucial means of verifying the identity of a user. It needs to be intrinsically stringent enough to ensure the security of the communications you are looking to protect.
An often overlooked, but increasingly important, part of choosing a secure messenger is who owns the company providing the service and which jurisdiction it falls under. Knowing and understanding under which country’s laws your communications are protected can give you better control over what happens to your organisation’s data and whether others are allowed to get to it. Depending on which provider you choose, your communications data may be stored outside of its country of origin and can suddenly become subject to the laws of the country in which the data actually resides. The main concern with this is that your organisation can lose control of the privacy of its data. Foreign countries can enforce their laws and access or subpoena and dig into everything you have communicated while using the service. When choosing a messenger solution for your organisation, choose one that ensures that data privacy is not put at risk when shared across borders. It is a positive sign if a messaging service provider adheres to data sovereignty regulations. It means they have gone through a multitude of compliance obligations and are serious about investing in security, privacy and data integrity technology.
While end-to-end encryption is vital for privacy protection, secure messaging shoppers still need to understand the other avenues attackers or governments could take to obtain chat logs. Even when the service you are currently using works perfectly, factors like where messages are stored, who else has received them, and who else has access to the devices running the app play an important role in your security. Relying on popular free apps exposes you to more risk than you realise. Relying solely on these encrypted messaging tools without considering how they work, and without adding the additional protections discussed above, leaves some paths exposed.
At Digital14, we can help you make sure the process you follow in protecting your organisation’s communications takes a holistic security and privacy approach. Our digital workspace and secure communications solutions are guaranteed to be equipped with customised cryptography, strong authentication management, data privacy and sovereignty wherever you are. Contact us at Digital14, and we can help you take steps to validate your secure communications assumptions and make enhancements to help ensure that trust can be maintained before it is broken.