People are incorrectly equating 'security' with 'privacy'. They are not the same thing.

For example:

  • Your home is clearly a private place, but it is not that secure, nor secret.
  • If you are in the toilet at work, then that is private but not secure.
  • Blockchain is secure precisely because it is public, not private.
  • Secrecy is something else again and typically involves self-destructing information.

Popular messaging apps, most obviously WhatsApp, but also the 'more private / independent / not-owned-by-evil-Facebook' Telegram and Signal are secure. Among other things they use end-to-end encryption so third parties cannot see the contents of messages.

But are they really 'private'? And, if not, are they appropriate for professional use?

Consumer messaging apps = proliferation by design, not privacy by design

Everyday messaging apps are driven to get more users. Success is about the number of users and the levels of interaction. The focus is volume not value; quantity trumps quality. Ease of use/adoption is everything.

This does not encourage "privacy by design" - a regulatory requirement under Article 25 of GDPR.

This encourages "proliferation by design".

For example, you can give these apps access to your contacts, which will likely include professional contacts, including customers, and this data is then uploaded to the messaging app. Have those professional contacts of yours given their explicit consent for this to happen? Clearly not.

Furthermore, you can add anyone to a WhatsApp/Telegram/Signal group if you have their mobile phone number and they have the app. Have they given explicit consent to be added? Clearly not.

It gets worse...

  • In some of these apps you cannot delete your content (e.g. in WhatsApp you cannot delete your message after an hour).

  • Images are stored on your device and you cannot control what those images are (could be reputationally compromising).

  • You do not know who the group host is, and it may be that anyone can add anyone else to the group.

All these features do make for a friction-free user experience, and encourage fast proliferation, but at what cost to privacy?

These apps are not compliant with privacy regulation which may not matter in a consumer context but is very risky for professional purposes. Businesses are understandably keen to avoid a 20 million Euro fine under GDPR.

What is privacy if not security?

'Privacy' has some hard definitions in terms of regulation like GDPR. But otherwise it is a much more personal and subjective concept that is heavily influenced by an individual's own beliefs, culture, geography, jurisdiction etc.

Privacy is also about trust, dignity, respect.

Privacy can be encouraged by the right context, environment and behaviours of those around you. For example, smaller groups naturally tend to self-correct poor behaviour and protect the privacy and cohesiveness of the group. Larger groups need more hierarchy, process and policing. Dunbar's number gives the evidence for this.

Security can be enhanced with technology. But the real weakness is with people and process. WhatsApp may be secure but we know that politicians using WhatsApp have their communications leaked all the time.

Any member of a messaging group, even in the most secure apps with secrecy features like self-destructing messages, can screenshot (or photograph if screenshotting is disabled) anyone else's content and publish it openly.

In the end, trust is more important than end-to-end encryption if you want true privacy.

In any case, it is looking likely that the UK and US governments may introduce new laws that would force messaging apps like WhatsApp to give them "backdoor access" anyway. This would allow law enforcement officials to unlock encrypted communications.

According to the Telegraph "The 'Five Eyes' nations, an intelligence alliance comprising the UK, US, Canada, Australia and New Zealand, issued the warning in a joint statement following a meeting of immigration and security ministers last week."

What happens when it goes wrong

Below shows a real example, that has been anonymised for obvious reasons, of a professional WhatsApp group that was moved to Signal by a member of the WhatsApp group who had been given admin rights.

1
2

Clearly this is a severe misjudgement on the part of an individual. And there is nothing that is not technically secure about it. But equally clearly it is a violation of privacy because of the tools, process and environment that the message apps themselves allow.

If you are running a reputable professional organisation then you would not want to see something like this happen to your staff, stakeholders or customers.

Conclusion

Everyday consumer messaging apps are great because they are free, easy to use, and many people already have them installed. Indeed Guild research shows that almost 40% of WhatsApp users also use it for work purposes.

This is despite the fact that corporate use of WhatsApp is strictly prohibited, as stated in its terms and conditions,: "You will not use (or assist others in using) our Services in ways that: involve any non-personal use of our Services unless otherwise authorized by us."

At any rate, for professional use, while these apps are strong enough on security, they are not nearly private enough to be fit for purpose.