Cybersecurity concerns rise over WhatsApp new privacy policy

Businesses use such platforms as unapproved means of communication.

With messaging app WhatsApp set to change its privacy policy, concerns grow over data privacy and security of businesses in Asia-Pacific, especially with employees using unsanctioned social media platforms as an unapproved means of conducting business conversations.

WhatsApp has shared certain data with its owner Facebook since 2016, but users previously can opt out. On 8 February, however, users would have to accept the updated terms to keep using the app.

Whilst messages on WhatsApp are encrypted and Facebook will not be able to see them, the former would still have collected data that can be shared to its parent company.

Ernst & Young consulting leader on Asia-Pacific cybersecurity risk Richard Watson noted that despite the encrypted messages on WhatsApp, employees may unwittingly be disclosing information they are not aware of to third parties, including device metadata, phone numbers, and business information.

“Social media platforms of this nature are often mixed between business and pleasure, increasing the risk of sensitive information being disclosed to the wrong party,” he said.

The use of encryption has increased dramatically in APAC in response to regulation which requires it, particularly upon the need to pass personally identifiable information to third parties. Many commonly used business software platforms automatically encrypt information, which has increased its take up.

Watson explained, however, that attackers can still access business data once inside the corporate environment as much corporate “data at rest” is still unencrypted.

Meanwhile, Kaspersky senior researcher Anna Larkina shared that nothing is truly free in social media platforms.

“Unfortunately, the current business model for free services means that, essentially, we pay with our data. Social networks, some messengers and search engines make money off of advertising, and the more personalized it is the better,” Larkina said.

She described how Facebook and other companies have been collecting data through its services even before, with most companies being transparent about its policies. These apps only trace “technical and account information.”

Law enforcement on cybersecurity

Beyond the concerns over WhatsApp privacy policy change, concerns on cybersecurity is also increasing as employees continue to work from home or choose flexible working arrangements amidst the pandemic, as well as more companies going online to conduct businesses.

DLA Piper associate Yue Lin Lee noted that it has been an area under increasing scrutiny by regulators.

In 2018, Singapore recently passed its Cybersecurity Act, establishing the framework for the protection of critical infrastructure against cybersecurity threats, as well as the measures which can be taken by the Cyber Security Agency to prevent, manage and respond to cybersecurity threats and incidents in the country.

The Monetary Authority of Singapore has also recently updated its Technology Risk Management guidelines on the back of the hacking incident suffered by the US last year.

“The ever-increasing laws and regulations are a clear signal that cybersecurity issues and breach incidents are becoming increasingly commonplace,” Lee said.

She mentioned that despite such occurrence, the risks for companies in areas like human.error, regular software updates, cybersecurity incident plans, and cyber insurance are still the same as before.

Taking holistic approach to data sharing

Watson emphasised that whilst some regulations require encryption of data, other regulations forbid it in certain jurisdictions.

“The encryption debate is particularly hot in areas of law enforcement, where you get the tension between users who want communications to be private and law enforcement agencies who want access to that data, generally in the fight against terrorism and crime,” he said.

With this, Lee noted that companies should take a holistic approach in data sharing between businesses, taking into consideration the agreement on data sharing between the parties, what is permissible under the relevant laws, what the company’s communications to the user say and if it is clear enough, and what is actually shared by companies with others.

“It is important for a company’s communication to its users to be clear and transparent, and for this to be followed through in its data sharing agreements with other businesses as well,” she said.

Lee also advised companies to regularly remind employees on safe internet and cybersecurity practices.