Collecting Encrypted Messages When Employees Stop Compromised Texting
Amid threats of interception and hacking of private data by foreign entities such as China, the FBI recently issued a seemingly dire warning to Americans: Stop Sending Text Messages. For a country that sends six billion text messages a day, it might seem a wee bit too late to close the barn doors.
What the FBI is really saying, however, is stop sending Unencrypted messages. For years, Apple and Android have offered their own proprietary messaging systems, iMessage (the “blue chat bubbles” texts) or RCS (rich communication services), that create encrypted messages if you’re sending to another user on the same operating system. Regular SMS/MMS messages sent between the systems were not encrypted. However, even now that Apple has adopted RCS, text messages are still only secure if you’re sending iPhone to iPhone or Android to Android – messaging from one to the other is not secure.
That’s why encrypted messaging apps, such as WhatsApp, WeChat or Signal, have proliferated outside of America. For example, the right to privacy is a fundamental European value, so Europeans naturally gravitate toward encrypted messaging to prevent invasion of that privacy, having understood for years that unencrypted messaging isn’t safe. In fact, Europeans are fighting proposed legislation that could potentially terminate end-to-end encryption.
However, without national cybersecurity regulations in the U.S., Americans haven’t been as diligent about using encrypted apps, preferring the ease of their operating system’s built-in messaging features. That soon may change, however, if more people begin to heed the FBI’s warning and switch to third-party messaging apps. In fact, we’re already seeing a rise in WhatsApp usage in the U.S.
Which raises the question – while the government and media might be focused on how consumers should or should not be sending text messages, what does this mean for the collection of this mobile data by corporations for compliance or investigation purposes?
Traditional collection solutions fail to capture encrypted messages
For years, corporations in highly regulated industries (e.g. finance, pharmaceutical, energy, government, insurance) have had strict compliance regulations that require them to regularly monitor, collect, and archive data from employee mobile devices.
To do this, they rely on mobile device management (MDM) technologies combined with third-party solutions such as Smarsh or Global Relay to capture SMS and MMS messages from the carrier. Many corporations believe that using these solutions preserves a true and complete copy of all their communications for compliance and legal hold purposes. Unfortunately, a lot more business communication is happening over encrypted messaging applications (e.g. WhatsApp, WeChat, or the blue bubble messages on iPhones) that these systems cannot access.
As the number of consumers who choose encrypted messaging increases (also increasing the use of forbidden off-channel communications), these traditional archival and collection solutions will no longer be effective. Employees are naturally going to gravitate toward encrypted applications based on continued warnings that SMS messages are vulnerable to being targeted by hackers. Companies that rely on simply scraping SMS messages to remain in compliance will need a new approach.
Preparing for Encrypted Collection Support
Corporations need to get in front of this oncoming trend toward encrypted messages now before it’s too late. They need to figure out how to triage this data-sourcing issue before putting themselves at risk of penalties and fines for non-compliance.
Corporations with strict compliance regulations that require gathering this data need a technological advantage. They should consider doing one or both of the following:
- Choose an encrypted messaging platform they want all employees to use for business matters. This prevents a free-for-all with companies losing control over what’s happening on their devices or with their data or IP.
- Find a mobile device collection solution that supports collection of encrypted messages from the third-party messaging ecosystem that are outside the purview of traditional carrier-based solutions.
With foreign hacking schemes that are likely more sophisticated and larger than we even realize, Americans should take these concerns seriously and move to the use of fully encrypted communications. And as the use of such communications proliferates, the need for corporations to get a step ahead also increases. It’s crucial that businesses take the appropriate steps today to remain in compliance.
To find out more about solutions for encrypted mobile device collection, contact ModeOne today.