Cybersecurity concerns rise over WhatsApp new privacy policy

Users will have to accept the updated terms to keep using the app

With messaging app WhatsApp set to change its privacy policy, concerns are growing over data privacy and the security of businesses in Asia-Pacific, particularly as employees use unsanctioned social media platforms to conduct business conversations during the COVID-19 pandemic.

WhatsApp has shared certain data with its owner Facebook since 2016, but users previously could opt out. From 8 February, however, users will have to accept the updated terms to keep using the app.

Whilst messages on WhatsApp are encrypted and Facebook will not be able to see these messages and content, WhatsApp will still have collected data that can be shared with its parent company.

Ernst & Young (EY) consulting leader on Asia-Pacific cybersecurity risk Richard Watson noted that despite the encrypted messages on WhatsApp, employees may unwittingly be disclosing information they are not aware of to third parties, including device metadata, phone numbers, and business information.

“Social media platforms of this nature are often mixed between business and pleasure, increasing the risk of sensitive information being disclosed to the wrong party,” he said.

The use of encryption has increased dramatically in APAC in response to regulation which requires it, particularly when personally identifiable information must be passed to third parties.

Many commonly used business software platforms also automatically encrypt information, which has also contributed to increased take-up.

Watson explained, however, that attackers can still access business data once inside the corporate environment as much corporate “data at rest” is still unencrypted.

Meanwhile, Kaspersky senior researcher Anna Larkina shared that nothing is truly free on social media platforms.

“Unfortunately, the current business model for free services means that, essentially, we pay with our data.

Social networks, some messengers and search engines make money off of advertising, and the more personalized it is the better,” Larkina said.

She described how Facebook and other companies have been collecting data through their services even before, with most companies being transparent about their policies. These apps only trace “technical and account information.”

Law enforcement on cybersecurity

Beyond the concerns over the WhatsApp privacy policy change, concerns about cybersecurity are also increasing as employees continue to work from home or choose flexible working arrangements amidst the pandemic, and as more companies go online to conduct business.

DLA Piper associate Yue Lin Lee noted that cybersecurity has been an area under increasing scrutiny by regulators. She mentioned that the WhatsApp privacy policy change caught the attention of the Privacy Commissioner in Hong Kong. There is no separate law in Hong Kong regulating cybersecurity.

However, if a business is in a regulated industry such as financial services, both the Hong Kong Monetary Authority and the Securities and Futures Commission have recently issued new communications on cybersecurity or updated their existing cybersecurity frameworks.

“The ever-increasing laws and regulations are a clear signal that cybersecurity issues and breach incidents are becoming increasingly commonplace,” Lee said.

She added that despite such occurrences, the risks for companies in areas like human error, regular software updates, cybersecurity incident plans, and cyber insurance are still the same as before.

Taking a holistic approach to data sharing

Watson emphasised that whilst some regulations require encryption of data, other regulations forbid it in certain jurisdictions.

“The encryption debate is particularly hot in areas of law enforcement, where you get the tension between users who want communications to be private and law enforcement agencies who want access to that data, generally in the fight against terrorism and crime,” he said.

With this, Lee noted that companies should take a holistic approach in data sharing between businesses, taking into consideration the agreement on data sharing between the parties, what is permissible under the relevant laws, what the company’s communications to the user say and if it is clear enough, and what is actually shared by companies with others.

“It is important for a company’s communication to its users to be clear and transparent, and for this to be followed through in its data sharing agreements with other businesses as well,” she said.

Lee also advised companies to regularly remind employees about safe internet and cybersecurity practices.