Instant messaging services have become an essential part of our lives. Not only do we constantly use them to keep in touch with friends and family, but also to chat with work colleagues about business related topics. Nowadays it’s rare not to be part of a work WhatsApp group!
It’s a reality that we can’t ignore, and the idea of companies prohibiting the use of these platforms is unthinkable, but businesses can’t allow for confidential information relating to the organization to be spread around different chat services unsupervised. Professional secrecy, confidentiality agreements, and data protection laws are some of the reasons why this flow of information shouldn’t fall into the hands of third-parties and needs to be controlled.
The best solution for a business lands somewhere in the middle – combine the free and easy-to-use services that the employees use daily, with a secure corporate tool which allows for safe management of information from computers or mobile devices.
However, which of these application should we avoid, and why? An investigation carried out by the Electronic Frontier Foundation (EFF), a non-profit organization which defends, among other things, online user privacy, has the answer.
The study analyzes seven aspects that, according to the EFF, are the most important when it comes to ensuring the confidentiality of a conversation on an instant messaging app. You can see them, in the following order, in the images below:
- If the messages are encrypted by the sender from the sender to the server, and from the server to the recipient.
- If the service provider can read the messages.
- If the user can test to see if the person they are chatting with is really who they say they are.
- If old messages can be accessed in the event of someone hacking the service.
- If key parts of the application’s code (especially relating to the encryption) can be consulted. In this case, the EFF considers it to be better if the software is open source.
- If the cryptographic design of the service (i.e., how the encryption is implemented) is well documented so that it can be reviewed by independent experts.
- If the tool has been audited during the previous 12 months by the EFF.
Among the most popular instant messaging services, Skype comes out worst after the trials. If your company uses this application for video conferences between different headquarters or offices, it’s best that you look for a better option. It only complies with one of the security requirements demanded by the EFF (that the messages sent are encrypted).
Another popular tool for conference calls, Google Hangouts, also fares poorly according to the organization. It only passes two of their tests – the messages are encrypted (but not encrypted on the Internet’s giant server) and the app has been recently audited. However, it suffers from too many weak points to be considered a viable option for businesses.
Although Facebook chat is popular among workers, using it isn’t exactly ideal. According to the report by the EFF, it received the same result as Google Hangouts, passing only two of the tests.
The same happens with WhatsApp, the popular messaging service, and Snapchat, a platform favored by youngsters. Although the photos on the latter automatically delete themselves, the service’s security levels leave a lot to be desired.
Apple’s chat service, iMessage, fares better, only failing two of the tests – the user can’t check if the person they’re chatting to is really who they say they are, and the app’s code isn’t available to be reviewed. You need to take a leap of faith if you want to continue using this service.
The secret chat service provided by Telegram is the safest and most secure of all that we have included in this piece, as it complies with all of the tests set out by the EFF.
However, the normal conversations fail in three areas – the service provider can read messages, there’s no way to verify the identity of the person you are chatting with, and old messages are susceptible to attack if someone gets hold of the encryption codes.
So, that’s the state of play at the moment and if you decide to go with one of the tools mentioned above or your company doesn’t have its own internal alternative, you’re best off choosing one of the more secure ones – if you go with one of the weaker options, keep in mind its weaknesses.
As a general rule, try to avoid sending confidential information by instant messaging, as there are better ways of doing it.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
