The truth about encryption apps and data security

TonyAnscombe
Senior Security Evangelist
AVG
Blogger

From MPs to Donald Trump, political leaders and their staff are turning to a new generation of messaging apps to keep their plots secret from rivals, journalists and Russian hackers. These are free apps that allow you to send a message to another person or a whole group knowing that it has been encrypted from end to end (WhatsApp and Signal), or encrypted and then deleted (Confide). 

In the case of Confide, it might be possible for an employee to download it onto a desktop computer, at work for instance, if the administrator of the network hasn’t blocked the installation of apps. In other words, IT personnel or senior managers might not be aware if an employee was using an encrypted app.

If these apps are good enough for our political masters, shouldn’t small businesses and home workers use them to keep their messages, intellectual property, customer details and even sales data from falling into “enemy” hands?

Protecting your business data from prying eyes

End-to-end encryption has become the norm since Edward Snowden disclosed who is listening to whom. It is a method of communication in which only the users who are communicating with one another can read the messages that are sent – because the key that allows each message to be read is shared only by their devices.

This means that the owners of these apps couldn’t share your messages with the authorities even if they were required to by law enforcement – and in theory the encryption should be able to defeat any attempt by GCHQ or the NSA to read your conversation, although that isn’t something which can easily be verified.

Business benefits

These apps could even increase productivity by allowing home workers and HQ to message quickly and in confidence, knowing the sensitive information they are sharing can’t be accessed by anyone else. Even without gains in productivity, the extra assurance of knowing your data is only being seen by the right people could be well worth paying for in a competitive business world.

But then again…

While the advantages of such apps as WhatsApp, Signal and Confide are clear, the downsides to their use in small businesses are many. They could lead to divisions, confusion and politicking in the workplace. Virtual groups can quickly become real-life groups despite the intentions of the people who are in them. Good old-fashioned non-verbal cues can give the game away to those not part of the in-crowd. Any subsequent sense of exclusion – even if justified – may be mistaken for discrimination.

Any discrepancy between what is said in messages and what is said face-to-face could also undermine collaboration, trust and transparency about important decisions in a business, particularly where sensitive issues such as gender and diversity are concerned. What’s more, the personal, the professional and the political can quickly blur into one – potentially creating an employment lawyer’s paradise.

In certain business sectors, such as finance, health or politics, the use of these apps could even be illegal, immoral or subject to freedom of information requests that, if granted, would compel public officials to reveal the content of the messages to the public.

What have you got to hide?

It is easy to see how using encryption could give the impression of guilt – or willful deception – even if it is being used legitimately and with the best of intentions. “Since Confide is explicitly designed to eliminate a paper trail, its use creates at least the appearance of misconduct, if not the reality,” says Allison Stanger, a cybersecurity fellow at the New America Foundation. “Those who wanted to lock up Hillary Clinton for the use of a private email server should be very concerned about this practice.”

These apps may not be as secure as you think – depending of course on who may be interested in your intellectual property, personal messages and business data. WhatsApp has already been discovered to have a vulnerability, even if its significance – and whether it can even be called a vulnerability – is disputed. Whereas many apps that offer end-to-end encryption open up their code for the community to check it out, Confide has yet to do this. And ultimately, if your phone has already been hacked then end-to-end encryption may not make any difference, since whoever has hacked it could be able to read your messages.

Perhaps more importantly, there is the human factor. All it takes is one disgruntled member of a group – employee or not – to leak the contents of your messages and you can be embarrassed, your career damaged and your company affected.

Listening in

The use of apps like WhatsApp, Signal or Confide to keep confidential data secret may quickly become moot for home workers. With the invasion of smart devices into the home, which can be used to order from Amazon, check on the baby sitter or even turn the heating up, there is also an opportunity for business data to leak out.

“You’re looking at upwards of a dozen connected devices that have either a camera, microphone or method of interaction, your doorbell, your internal security camera, your TV,” according to Colin Richardson, co-founder of home security group Cocoon.

The message for business

Using apps like WhatsApp, Signal or Confide that offer end-to-end encryption can be a quick, easy and effective way for small and medium businesses to keep their secrets secret. Unfortunately, it doesn’t mean that you can forget the basic tenet of cybersecurity: that nothing is as secure as you think it is. In the case of these apps, if your phone has been hacked or lost then whoever has hacked it or has it may be able to read the messages. You still need to be very careful what you write because you don’t know where it will end up. The use of these apps by White House staff and even Labour Party politicians became common knowledge very quickly.

Ultimately, before deciding whether to use these apps – or buy one of these smart devices – it is worth asking the basic questions: what is the intellectual property and confidential data that your business has, how much is it worth, who would want to steal it and how much effort are you really prepared to go to in order to protect it?

Knowing what you could lose and how it can be lost, stolen and intercepted is the key to protecting your business data, and goes hand in hand with using encryption and other tools like antivirus. Depending on your answers, apps with encryption may or may not be the best solution, or may be only part of the solution.

About TonyAnscombe

Tony Anscombe - Senior Security Evangelist, AVG

I am the Senior Security Evangelist for AVG. My role is to bring products and solutions to our growing user population which allow them to enjoy their online experiences, while trusting AVG to provide them protection from malware and data loss. I am also instrumental in developing relationships with third party testers of antivirus products, which help Avast to continue its focus on delivering product quality and excellent security.

I am a speaker at global events including CTIA and RSA the Security Conference. I regularly contribute to industry forums and am an established media commentator on issues surrounding privacy, consumer trust, security, child internet safety, and online threats. I previously led the AVG Digital Diaries Research Series: the international study into how technology is changing childhood and beyond.
