I recently watched a webinar by Jason Baron called "Vanishing Acts: The Challenge of Dealing with Ephemeral and Self-Destructing Messaging Apps in the Workplace." Jason's a really smart guy and has written about ephemeral messaging in business before. While I agree with him generally, I think information professionals, and especially those in government or highly regulated sectors, really need to think about the risks involved with the use of these apps.
What's an Ephemeral Messaging App?
When employees engage in sensitive conversations that need to be protected, many traditional workplace collaboration methods come up short.
Email can be encrypted, but once it's decrypted, it can be forwarded, new people can be added to the reply, and so forth. Instant messaging, text messaging, and other communications have similar issues.
That's where Ephemeral Messaging Apps come in. As the name suggests, messages sent using these apps are very ephemeral and generally self-delete automatically, either upon being read or after some (very short) period of time.
Most of these apps delete the messages from all devices automatically, but some apps allow for configurability of the delete process, for example, increasing the time to 7 days instead of immediately.
Some other interesting functionalities found in these apps include encryption or security options. Confide, for example, displays only a portion of the message at a time, so it's more difficult (but NOT impossible!) to get screenshots. Vaporstream has a feature to save messages for regulatory compliance purposes, in a separate repository.
Many of the apps don't store messages on servers at all, so the app providers don't even have a way to access them after the fact.
Examples include Snapchat, Wickr, Signal, WhatsApp, Confide, Vaporstream, and many others.
What Are the Risks of Using Ephemeral Messaging Apps for Business?
Many of the articles available online stress that there are legitimate business uses for these apps – for example, having confidential personnel-related discussions or discussing trade secrets or litigation strategies. The problem is that any benefit that can be gained from their use is outweighed by the significant consequences that can occur from their inappropriate use. These include:
- Legal Risks of Ephemeral Messaging: One of the foundational concepts in litigation, at least in many jurisdictions, is that information that is relevant to a specific legal matter has to be preserved while that matter unfolds. While the details vary by jurisdiction, it's a common principle that the first response to a subpoena cannot be to fire up the shredders and their digital equivalents. Ephemeral messages, then, raise two issues.
  - First, organizations that use these tools to discuss matters that end up in litigation will be hard-pressed to support their position because the discussions and outcomes will no longer be available in their original form.
  - And second, sometimes parties involved in litigation will *start* using these sorts of apps in order to communicate about the case, including conversations that are not privileged and that are relevant to the matter at hand.
- Failure to Comply with Open Records and Freedom of Information-Type Laws: The entire purpose behind these types of laws is to hold government accountable to its constituents. Government use of these types of apps is particularly likely to result in the loss of information subject to open records laws and can substantially reduce the transparency and accountability of government officials.
- Regulatory Compliance: Many highly regulated industries require that certain types of communications be retained for a period of time to demonstrate compliance with applicable regulations. In the U.S., for example, broker-dealers have to retain certain communications with clients for up to seven years.
- Visible is Visible: Finally, while many of these apps go to significant lengths to ensure their messages can't be screenshotted, saved, downloaded, forwarded, etc., they are still not 100% foolproof. Anything that can be accessed by the human eye can be recorded using that nifty hand-held HD video camera we all have – though it might require a second one – or be read over someone's shoulder, whether accidentally or by design. That's not a huge security risk, but it is one that is simply insurmountable.
The following are not necessarily risks in the formal sense, but they are additional operational concerns that organizations should take into account when considering using these types of apps.
- YAA – Yet Another App: This is especially the case where ephemeral messaging apps have started organically – some may be using Signal, others Snapchat, etc. In either case, governance is still important.
- Traceability – Part 1: The point of communicating, in the workplace at least, is to get the work of the organization done. This means that decisions, strategies, approvals, etc. need to be traceable to those involved in the discussion – what was decided, what was promised, who promised what to whom – so they can be acted upon. Some organizations might have the organizational maturity to immediately capture those decisions and transactions into a more manageable form, such as a Word document or PDF, but there is significant room for error in the process. After all, you can't go back to the now-deleted message to confirm what was agreed to...
- Traceability – Part 2: In addition, many of these apps use usernames, nicknames, user IDs, etc. instead of real names. This is good for keeping private conversations private, but it becomes a significant issue when it comes time to determine who is communicating what with whom.
Take Control of Your Ephemeral Messaging Apps
So how should organizations address ephemeral messaging apps? Here are three recommendations to consider.
- Training: Prohibition is always difficult. The better approach is to train employees, so they understand the potential issues outlined above. In particular, the organization's communications or internet policy should note when these apps are allowed, and when a different app is more appropriate.
- Implement an Enterprise Solution: This means selecting a solution to standardize on that offers key capabilities like configurability of storage and destruction, safeguarding applicable messages in a centralized repository, having end-to-end encryption, etc.
- Implement Governance – Using the Governance Team: Any use of this type of capability should be standardized and centralized to the extent possible, at least as regards governance requirements. That means that decisions to use them need to be made not just by the business but also need to involve legal, records, risk, compliance, IT, HR, or wherever those functions reside in the organization.
In conclusion, ephemeral messaging apps are really good for things that truly are ephemeral – i.e., where to go to lunch today – and that would otherwise clog up email inboxes. But for anything business-related where there is a decision or transaction made, these tools are at best challenging, and at worst, can significantly increase organizational liability.