WhatsApp and WeChat – the next big headache for compliance?

Over the last eighteen months the use of WhatsApp and WeChat has steadily grown within financial services. It doesn’t matter which country you operate in, I guarantee there’s a regulation that says you need to authorise their use and capture conversations. How you do it is a complex question to answer.

WeChat has been around since 2011, WhatsApp even longer, so why is it that they are only now becoming a problem for compliance? The simple answer is popularity. Just as the once big players in the messaging world replaced the popular ICQ in the nineties and the noughties, so now the preferred chat apps are changing again.

They are helped no doubt by the demise of MSN Messenger, the retirement of Google Talk, the lack of a desktop client in Yahoo! Messenger, and the unwillingness of AOL to provide support to regulated industries. This is hardly unexpected, though: managing desktop applications is expensive for a developer, especially as instant messaging moves more to mobile devices, and these applications were all technically aimed at consumers.

Unlike their previous counterparts, both WeChat and WhatsApp allow users to send messages that are encrypted end to end. From a compliance and eDiscovery standpoint this makes them difficult to intercept and capture. Until now firms have been limited to just a few choices in their ability to achieve compliance:

  • force users off their mobile clients and onto the desktop web-browser interface, where their activity can be recorded
  • install resource-hungry screen-grabber type technology on mobile devices to record screen updates
  • rely on the user to back up their mobile device regularly and provide the backup to their employer.

None of these methods are truly satisfactory in the scope of what’s achievable today. Applications such as WeChat and WhatsApp are designed to be used primarily on mobile devices. In a world of BYOD (Bring Your Own Device), how many users would be happy to allow their company to see all of their personal activity alongside the business elements and submit the whole of their system backup to their company?

In recent times, there has been a huge shift in electronic communications away from traditional desktop hardware and operating systems towards mobile devices. This is especially prevalent in the instant messaging and social media world. Mobile applications are quick and functional to use, and for a lot of individuals they are run on personal devices with which there is an emotional attachment because all their contacts and photos are there and it’s a device that stays close to their person at all times.

A lot of companies try to ban the use of text messaging or mobile applications because they are hard to track. But despite this, users pick up their phone and quickly “WhatsApp” or “WeChat” someone anyway, because they forget and it seems unnatural to go to the PC to use those applications.

This could be combatted by installing screen grabber-type technology on the mobile device that builds a series of image files into an “audit” video that can be played back. However, this not only potentially impacts the performance of the handset, but also creates a set of files that can only be searched by date stamp and handset owner. It’s not possible to access the message in a way that makes it easy to search without first post-processing the content through an image / video OCR (Optical Character Recognition) system. This means you can’t proactively look for infringements of regulations, and a wide-reaching eDiscovery request will leave you shaking your head in despair.

Source: Finextra
