A rather tumultuous year is rapidly winding down, with all its struggle and hype and surprises.  The stress of getting through another year seems to always bring out the “Gee, remember when…?” syndrome, as in, “Gee, remember when the holidays weren’t so hectic?”; or, “Gee, remember when you got your coffee at home, and not for 6 bucks?”.  Well, add another one, as in “Gee, remember when discovery didn’t have an ‘e’ in front of it, when it meant just collecting a few files or boxes from a couple employees, or even just getting a few emails (for the younger crowd)?”  Ok, maybe it was never that easy – time does dim the pain.  But now, “pain” and “discovery”…with an ‘e’…go together almost seamlessly, along with “stress” and “OMG”.  Well, the past very few years have added tremendously to that pain, mostly through the arrival of BYOD and with it the proliferation of new apps, seemingly daily.  And among the most popular seem to be new messaging apps…pick a color, pick a name and there’s a new messaging app just for you.  What caused this tirade, you may ask. An article in the NYTimes Technology section is to blame; or the app that the article ably describes, to be specific.

It seems that a messaging app named Signal from Whisper Systems claims to have the best encryption capabilities around.  So good, in fact, that other companies such as WhatsApp, Facebook Messenger and Google are embedding Signal’s messaging system into their own apps, according to the article.  The most noticeable aspect of this app’s security is that basically nothing, as in metadata or other information about the sender or recipient, is saved on the Whisper Systems server, other than the last time a user connected to the server and when a person signed up for Signal.  The encryption key is shared only between sender and recipient…Whisper Systems doesn’t see it/store it, so could not provide it in response to subpoena, or any other information.  The app security seems to be so tight, that it is almost considered a drawback – obviously, the ‘crowd’ that a user can interact with is quite limited, so it certainly doesn’t lend itself to community chatting or sharing.  Because it does not have some other ‘gooey’ features yet such as smiley faces and so forth, younger users may not see it as a fun app.  The author of the article brings that out in a way that, to me at least, I scary…stating that because this app is so tuned into small audience with requirement for key sharing, etc., that the user might want to consider this app for business, and a more open app for friends (my emphasis added, obviously).

So, there we go…the yellow brick road can easily become a slippery slope.  What are you, as the IT security manager, the Legal Hold Administrator, or the attorney or company itself, to do about ensuring that company information is not being indiscriminately or negatively shared outside your electronic universe?  I’m not going to try to answer that, it’s almost unanswerable on a general basis.  All I think of when I see the proliferation of these apps, whose capabilities so quickly outstrip a company’s IT or security system’s ability to manage, is that the company must double down (or triple or ‘pick a number’) on training and strong policy statements regarding use of these apps.  I haven’t really gotten a hold on a thought that keeps popping into my brain, wondering if this wild-west landscape we are in regarding apps will cause companies to look askance again at BYOD.  Those unfortunate souls in charge of managing information security may arrive at the point of saying, “We cannot allow BYOD tools in-house with their ability to use any app the employee desires.  We can only control our own phones/ipads/etc. – what an employee does outside of those confines is another issue, at least we can track whether they are sending information outside through our tools.”  And the e-discovery headache is so obvious that I will save comment on that for later…I think I need to take a deep breath, or medication, before I go down that road.

I am as much in favor of new technology, new ways to work, and accommodating those ways and tools that new employees are familiar with.  But I also am constantly reading court cases that address information theft by current and former employees and thinking, “These are just the ones who get caught.”  Technology, security and productivity in the workplace have become uneasy partners; as we head into the dark recesses of year-end, perhaps the only reassuring sound is Santa saying, “Hey, I’ve brought drinks for all…Happy Holidays!”