Liabilities of Consumer Privacy Apps
Consumer privacy apps are often the default fallback choice when your enterprise communications can't be used. They're attractive because the end-to-end encryption and ephemeral "auto-burn" features give the sense of being more secure.
But these apps were never intended to be used by organizations with compliance requirements. Because they lack the controls necessary for policy, regulatory, and statutory reasons, they actually create liabilities instead.
Read on for a deep dive into how and when consumer privacy apps will leave you high and dry.
Security is more than E2EE.
Security for an organization is about required controls. End-to-end encryption, when used to create privacy, prevents legitimate access to employee communications. Architecting for privacy also forces you to forgo other parts of your security requirements, such as user management, policy enforcement, and remote remediation capabilities. E2EE within privacy apps actually creates more risk for organizations: you lose visibility and control of employee communications entirely.
Regulators aren't giving out mulligans anymore.
The DOJ, SEC, CFTC, and multiple other regulators have made their positions clear: business records retention requirements are real and failure to meet them comes with very real consequences.
Consumer privacy apps were designed to preclude audit trails, end-to-end encrypted or not, which is why a majority of federal and state governments, as well as regulated industries, are beginning to prohibit their use.
And, the challenges don't end there.
End-to-end encrypted messengers like Signal, Telegram, iMessage, and WhatsApp were designed for personal use, not your enterprise.
Signal, Telegram, iMessage, WhatsApp, and other applications like them contribute to the proliferation of shadow IT, that is, ungoverned application use within enterprises.
While this poses a challenge for those needing to demonstrate compliance with internal policies or applicable law, it also means organizational knowledge capital exists beyond your reach.
Signal, Telegram, iMessage, and WhatsApp are like the Wild West. Anyone can communicate with anyone, and organizations cannot define or limit who can speak with whom.
Are you sure that’s Sally from your CSIRT and not a reporter that Bob just looped in?
Scenario #1: Your employee loses their personal phone. How do you wipe your mission critical chats clean?
Scenario #2: A key executive is moving to a competitor. How can you be sure they’re removed from every chat with your people?
Scenario #3: Jessica isn’t comfortable sharing her number. How do you add her to chats without exposing her number?
Scenario #4: Legal needs to review your team’s messages. Ready to turn over your phone? Your CEO’s phone?