Despite businesses' conspiracy of silence on their use of WhatsApp, more and more organisations are now banning their employees from using it for work-related communications. Here are 7 reasons why.

1. The expert view: Just don't do it.

In a recent Wall Street Journal article the consensus among experts was clear. Truly private, personal, legal, non-work-related communication over WhatsApp in the workplace might be a personal right that individuals should have.

However... if any of the communication is business-related then WhatsApp, or other consumer messaging apps, cannot and must not be used:

Dr. Ajunwa, Assistant Professor of Labor and Employment Law at Cornell University’s Industrial and Labor Relations School:

"Employers should have an official policy banning employees from using ephemeral messaging apps for specifically business-related communications. Employers don’t have the purview to control personal communications, but they can set rules for business communications. Allowing employees to use disappearing-message apps for business communications opens the employer to unnecessary liability."

Mr. Polonetsky, Chief Executive of the Future of Privacy Forum:

"Organizations should make it clear to employees that they should not use private-communications channels for work-related purposes. [...] Third-party apps that operate completely outside the employer’s governance make it impossible to protect sensitive company data."

2. WhatsApp themselves prohibit business use.

Presumably to cover themselves against precisely the risks businesses are exposed to with work-related communications, WhatsApp make it a breach of their terms of service to use it for professional purposes:

"You will not use (or assist others in using) our Services in ways that:
(f) involve any non-personal use of our Services unless otherwise authorized by us."

3. WhatsApp is not compliant with privacy regulation like GDPR.

That is the view of this lawyer among others. The fact that any employee can add anyone else, including customers and suppliers, to a WhatsApp group without their consent should be a cause for concern. If an employee gives access to their phone contacts for WhatsApp, and those contacts include other employees or customers, then they are uploading that data to Facebook without the consent of those contacts.

WhatsApp protect themselves by passing the responsibility for this 'consent' to individual users:

"You provide us, all in accordance with applicable laws, the phone numbers of WhatsApp users and your other contacts in your mobile address book on a regular basis, including for both the users of our Services and your other contacts."

But if these users are your employees then you may become liable if they do not seek consent from all the contacts in their address book (which clearly they don't).

4. You cannot rely on WhatsApp's "end to end encryption" for security of information.

Even discounting suggestions that Facebook might be circumventing encryption on WhatsApp via 'wiretapping', you cannot rely on the end-to-end encryption of the messages to prevent your content being compromised. This is because there are at least two places where your message content exists unencrypted:

  • Backups of WhatsApp are not encrypted. So if you, or anyone you are in conversations with, backs up their WhatsApp then that content is not encrypted.
  • Exports of chats are not encrypted. Anyone in any group you belong to can export the entire chat history of the group as a plain text file and publish it anywhere or send/store it anywhere unencrypted.

You must therefore assume that any sensitive business information in WhatsApp can easily be exposed at any time despite the end-to-end encryption within the messaging app itself.

5. WhatsApp does not maintain proper business records of conversations.

Businesses have a legal duty to maintain adequate controls over legitimate business records including employee conversations if work-related. There are additional requirements around sensitive data e.g. patient records, financial records or other sensitive information.

WhatsApp does not provide these controls or records. In fact, quite the opposite. Facebook has committed WhatsApp to encryption and is moving towards ephemeral messaging which gives greater levels of secrecy and anonymity.

6. You have no idea what WhatsApp groups exist in your organisation or who has access.

There is no central directory, or admin dashboard, to tell you what WhatsApp groups exist in your business. Even if you had a list of the groups you cannot be sure who is on them given 'profiles' are typically just a mobile phone number.

It is likely that you have former employees, past contractors, former customers etc. who have ongoing access to business information that they should not have. Even if you do find that out... see next point.

7. You cannot revoke access to business information once it is on WhatsApp.

As data is stored on individuals' phones, rather than centrally, you cannot revoke access to it. For example, if employees leave then they will still have access to company information, including potentially sensitive data, and there is nothing you can do about it. You can remove them from a group if you have the right permissions but all the messages they received/sent whilst in the group will remain on their phone.

WhatsApp acknowledge this risk in their terms of service: "Please remember that when you delete your account, it does not affect the information other users have relating to you, such as their copy of the messages you sent them."

8. Your WhatsApp account can be terminated at any time

"WhatsApp reserves the right to modify, suspend or terminate service for any reason without prior notice, at our sole discretion." And if that's a problem for you? "If you believe your account's termination or suspension was in error, please contact us at [email protected]"

So before you invest too much time, resource, or business value in WhatsApp as a channel you might want to consider the impact if it suddenly gets taken away for no reason you are aware of and you have no right to recourse. This article gives a real life example:

Conclusion

Whilst individual professionals might be excused for not understanding the risks of using WhatsApp, or other consumer messaging apps, for work, it is becoming increasingly hard for businesses to ignore the risks.

As Facebook integrates WhatsApp with Instagram, Messenger and Facebook, and brings ads to WhatsApp, the need for businesses to use a messaging app like Guild, which is dedicated to professional use, becomes even clearer.