What went unnoticed in the November 2018 story about the disgraceful burning of a Grenfell Tower effigy on a bonfire in South East London is that this event was almost certainly never intended to be made public. One of the people involved filmed the event on their smartphone and then posted it to what was very likely meant to be a private WhatsApp group.
Someone in the private group then forwarded the video onto at least one other person outside of the group and any control over distribution was lost from that point onwards. The video went viral and the fury of the country descended upon them. No sympathy from me on this point. The massive outpouring of public anger that led to their subsequent arrest by the police, was the least that they deserved.
Lack of administrator control
My point in raising this issue is that it highlights one of the dangers of using free tools like WhatsApp for critical communications purposes, which is that WhatsApp groups lack administrator control over what happens to the information that is shared via the application. Any media attachments, such as videos, are downloaded as default to all user devices and can easily be shared outside of the platform. This is a seriously risky business if
you are sending anything that you would regard as confidential.
WhatsApp makes a big deal of its end-to-end encryption, saying that not even they can see what messages you are sending. But this security function is completely bypassed if someone is forwarding on your messages outside of your control. In fact, WhatsApp has now acknowledged the dangers of misinformation being spread via their tool and in January 2019 they introduced a message forwarding limit of five times (down from the previous 20). This restriction was prompted by a series of mob attacks and killings in India, set off by the spread of false information about child kidnappings, and fake stories and conspiracy theories about candidates in the Brazilian presidential elections in October 2018. Both of which were facilitated largely via WhatsApp.
Loss or theft of devices
You also need to consider what could happen to your data if any of your group users lose their device or has it stolen. Neither you nor they can remotely disable their WhatsApp account away from the device on which it is held. Only WhatsApp can do that themselves upon receipt of a request. Even if the SIM is disabled, the WhatsApp account can still be accessed using wi-fi. This means that you are reliant on every user within your group acting promptly to notify WhatsApp. If they act at all, most people will simply disable the SIM, which leaves all of the messages, media attachments and contact data from the group account accessible on the compromised device.
Whilst I am on the subject, there are other problems with using WhatsApp for critical mass communications. Although they have now increased the maximum limit on group numbers from 100 to 256, this is still clearly not enough for all most enterprises when you consider the need to contact not just employees, but suppliers and customers as well. The only way around this is to create multiple groups, which quickly becomes both impractical and inefficient.
Summing this all up, WhatsApp lacks enterprise administration, with no administrator portal to ensure easy roll-out, transparent monitoring, company-wide communication policies, user management, user support, comprehensive access control and compliant archiving.
As a tool for talking to your friends, or even your work colleagues about low-level non- critical issues, WhatsApp is a great free tool. We all use it! But if you are thinking about translating that personal use into critical business communications, please think again. It has not been designed as an enterprise application with enterprise-class security and administration.
To provide these functions is expensive and does not fit into the freemium business model. There are critical communications platforms on the market that do provide enterprise-class security, administration and multi-channel communication that can guarantee the critical message gets through and do not expose the business to unacceptable data security risks. Please use them.
Shalen Sehgal, MD Crises Control