“WhatsApp and Telegram, should I do something with those?”
a colleague asked. My answer was as clear as a brook in the Alps: "Do not
use for business."
Why do I have such a strong opinion about that? Because
I've researched it, based on the question: from a security and privacy
perspective, which instant messaging apps
are best for business use, and which ones should you ignore? Security is
essentially about whether the app uses solid encryption so that no one can read
along – not even the messaging provider itself. Privacy is about the trust you
can have in the way the provider handles user and traffic data. Traffic data is
about who has contact with whom and when.
It is also interesting to look at the revenue model. An
old saying goes: if something is free, you are the product. In other words: you
pay by providing your details, such as name, e-mail address and date of birth,
which the provider can, for example, sell to advertising companies.
The content of your messages is safe with WhatsApp. Messages
are reliably encrypted and the keys are only on the user's device; WhatsApp
itself cannot read them and it can’t honour requests from investigation and
intelligence services. But WhatsApp does fall short when it comes to privacy.
The app comes to you from Meta, the advertising company of which Facebook is also
a part. It is well known that Meta makes its money by using your data cleverly
(that's why I call it an advertising company). If you don't like the idea – as
an individual or as an organization – then you should not use WhatsApp.
Telegram is worse. That app is of Russian origin,
although the company is no longer based there. They always move if the ICT
regulations in the country of residence do not suit them. They are currently
based in Dubai, although the company is legally based in the US and UK. The
revenue model is vague: the founder says he has invested his own savings, and
money has subsequently been raised from various investors. A more important
point of criticism relates to security: it is turned off by default, and when
you turn it on, you use a cryptographic protocol developed by Telegram itself,
which most information security officers turn up their noses at, because it can’t
be community tested. In addition, Telegram holds the key that encrypts
messages, and the company can read messages or allow others to read them. Group
chats can't be encrypted at all.
Are you shocked? Fortunately, there are also chat apps
available that can withstand scrutiny fairly well. Within Dutch central
government, we can use Webex, which we also use for online meetings. This app
from the American company Cisco is hosted for us in Amsterdam, which is
convenient for privacy. The privacy and security aspects have been extensively
researched and approved.
If you look at publicly available chat apps, there are
two that stand out positively: Threema and Signal. The Swiss company Threema
prides itself on letting users remain anonymous and on complying with the
GDPR, and message encryption is also very good. All this comes with a price
tag: from a small one-time fee for consumers to a monthly fee per device for
business licenses. This makes Signal interesting: it is free and yet not
commercial, because the app is financed by donations. Leading cryptographers
and privacy advocates prefer Signal, which gives me confidence that both security
and privacy are top notch.
A while ago I noticed a team manager turn white when I
asked him if his team uses Telegram (I'd heard something like that). He was
genuinely shocked when he realized that this wasn't such a good choice. His
team quickly switched to Signal after that. Many other teams have already made
the switch. Who follows?
And in the big bad world…
- your iPhone will soon have extreme capabilities to protect you against highly targeted attacks.
- Ukrainian police arrested a gang posing as the EU. [DUTCH]
- ransomware and state actors are the most important digital threats for the Netherlands. [DUTCH]
- police records of a billion Chinese are on the street because an official accidentally entered his password in a blog and a criminal noticed it.
- criminals conduct online job interviews using deepfake technology.
- the municipality of Buren has released the report on the malware attack on the municipality for publication. [DUTCH]
- Maastricht University is making an additional three hundred thousand euros thanks to the high-profile ransomware attack from 2019. [DUTCH]
- Mikko Hypponen talks about the cyber war in Ukraine.
- the Dutch House of Representatives wants the cabinet to continue to support end-to-end encryption. [DUTCH]
- the Dutch cabinet will increase the cyber resilience of SMEs. [DUTCH]
- Customs in the Netherlands deletes the citizen service number from the EORI number. [DUTCH]
- NIST chose four quantum-resistant cryptographic algorithms.