It’s No Secret: What You Should Know About Secure Messaging
Encrypted messaging is gaining attention in the political world and elsewhere. But if you’re looking into it for your association, you might find your employees are indifferent to such tools.
Shh … I have to tell you a secret.
It’s no secret that sometimes people want to have off-the-grid conversations if they’re talking about sensitive topics.
And that’s created something of a desire in some niche spaces to use secured messaging tools.
Last week, Axios reported on the budding popularity of an encrypted messaging platform called Confide, which has specifically become a hit among Republican political operatives. Similar in concept to Snapchat but targeting a more serious professional user base, the app can delete messages as soon as they’re read. It encrypts the messages as well, but that’s not its killer feature.
“Encryption is an important component of confidentiality but it’s not the only one. After a message is decrypted it becomes vulnerable,” the startup says on its website. “It can be archived, printed and even forwarded. But Confide messages self-destruct. After they are read once, they are gone. We delete them from our servers and wipe them from the device. No forwarding, no printing, no saving … no nothing.”
Certainly the idea has some appeal. The app, which has big name investors such as Google Ventures juicing its growth, apparently has gained some notice in the halls of power due to a series of recent media leaks.
That said, problems with this specific use case have shown themselves: BuzzFeed’s Sheera Frenkel reports that the app’s security muscle raises concerns in part because its encryption claims haven’t been tested, as they have been with competing apps like Signal. Additionally, the app’s email-discovery feature exposed that some White House staffers have at least tried it.
If it is being used by the White House, as some reports have suggested, that would be a problem, as Axios helpfully notes: “All official business is supposed to be conducted via White House e-mail so communications can be archived for the presidential record.”
Does Encrypted Chat Make Sense for You?
But pushing aside the BlackBerry-style political uptake of this specific app (or whether it’ll quickly fall into disuse, like the pseudo-secure apps Secret or YikYak did), it’s worth discussing more broadly whether associations should consider the merits of an encrypted messaging strategy, be it over email or through an app of some kind.
A number of organizations—whether in associations or not—are taking the concerns seriously. The Thales 2016 Global Encryption Trends Study reports that in 2015, 37 percent of respondents had an encryption strategy that stretched across the enterprise—a jump of more than 20 percent from 2005. The uptake differed significantly based on country (Germany and the U.S. were the most likely to use encryption) and industry (financial services and healthcare led the way, though the public sector and retail each saw significant surges last year).
The most common type of encryption use, according to the report, was for databases, though online encryption was directly behind. And compliance concerns—common in finance and healthcare—were major drivers of encryption use.
Do Your Employees Care?
But one of the biggest challenges that comes with using encryption? Simply put, it’s your employees.
The Thales report notes that individual employees may throw caution to the wind when it comes to data encryption.
“According to 52 percent of respondents, employee error is the most significant threat to sensitive or confidential data,” the report states. “Thirty percent chose system or process malfunction and 28 percent chose hackers, as their most significant threat. The fact that the top two findings on threats relate to mistakes or errors, as opposed to targeted threats, is notable.”
And when it comes to messaging, most people don’t think in terms of encryption as it is.
In a study sponsored by USENIX: The Advanced Computing Systems Association, researchers from Carnegie Mellon University found that U.S. users tended to see use by friends (46.1 percent) and lack of cost (27.2 percent) as more important reasons to use a specific instant-message tool than privacy and security (5.6 percent).
Less than 3 percent of U.S. users said they used a chat app because they were required to use such an app. Overall, apps like Facebook Messenger and Google Hangouts, along with standardized platforms like SMS, were the largest among U.S. users, though the Facebook-owned WhatsApp had a significant audience in countries outside of the U.S., particularly Germany.
Encryption, of course, doesn’t work if you can’t get folks to use it.
What Should You Consider?
If you do want to dive into the encrypted messaging game, here are a few strategic considerations to keep in mind:
Narrow the tech hurdle: Something like Facebook Messenger might be used for work conversations because it’s easy to use. If you want to ensure your employees are using a certain platform when discussing sensitive topics, make sure they’re properly trained on that platform—and that, if possible, the platform is easy to use. Complicated platforms are an easy way to get your employees to go elsewhere.
Have a clearly defined policy approach: Secure messaging around sensitive topics is a matter of serious concern internally, and it goes beyond technology. If compliance is an issue within your industry, codify that; if there are internal policy concerns to worry about, make sure your employees know about them.
Follow outside privacy recommendations: For years, the Electronic Frontier Foundation has offered the public information on the best tools for secure chat. It’s currently in the midst of updating its Secure Messaging Guide, but in its recent Year In Review, it pointed out concerns with security in some of the most mainstream messaging apps. In particular, it warns against the use of “mixed-mode messaging,” or private modes in less-secure apps. “Unfortunately, this ‘mixed mode’ design may do more harm than good by teaching users the wrong lessons about encryption,” the organization writes.
Where do you think secure messaging tools can fit within your organization? Share your take in the comments.