{"id":152,"date":"2018-09-10T14:37:00","date_gmt":"2018-09-10T14:37:00","guid":{"rendered":"https:\/\/jamesflint.net\/?p=152"},"modified":"2018-09-10T14:37:00","modified_gmt":"2018-09-10T14:37:00","slug":"2018-09-10-whats-the-matter-with-whatsapp","status":"publish","type":"post","link":"https:\/\/jamesflint.net\/?p=152","title":{"rendered":"What\u2019s the matter with WhatsApp?"},"content":{"rendered":"<div\n        class=\"\n          image-block-outer-wrapper\n          layout-caption-hidden\n          design-layout-inline\n          combination-animation-none\n          individual-animation-none\n          individual-text-animation-none\n        \"\n        data-test=\"image-block-inline-outer-wrapper\"\n    ><\/p>\n<figure\n            class=\"\n              sqs-block-image-figure\n              intrinsic\n            \"\n            style=\"max-width:384px;\"\n        ><\/p>\n<div\n              \n              \n              class=\"image-block-wrapper\"\n              data-animation-role=\"image\"\n              \n  \n\n          ><\/p>\n<div class=\"sqs-image-shape-container-element\n              \n          \n        \n              has-aspect-ratio\n            \" style=\"\n                position: relative;\n                \n                  padding-bottom:62.5%;\n                \n                overflow: hidden;-webkit-mask-image: -webkit-radial-gradient(white, black);\n              \"\n              ><\/p>\n<p>                <img data-stretch=\"false\" src=\"https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png\" data-image=\"https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png\" data-image-dimensions=\"384x240\" data-image-focal-point=\"0.5,0.5\" alt=\"Broken-Whatsapp.png\" data-load=\"false\" elementtiming=\"system-image-block\" 
src=\"https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png\" width=\"384\" height=\"240\" alt=\"\" sizes=\"auto, (max-width: 640px) 100vw, (max-width: 767px) 100vw, 100vw\" style=\"display:block;object-fit: cover; width: 100%; height: 100%; object-position: 50% 50%\" onload=\"this.classList.add(&quot;loaded&quot;)\" srcset=\"https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png?format=100w 100w, https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png?format=300w 300w, https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png?format=500w 500w, https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png?format=750w 750w, https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png?format=1000w 1000w, https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png?format=1500w 1500w, https:\/\/images.squarespace-cdn.com\/content\/v1\/54049c81e4b04db10d1df10d\/1634049422176-2H7D2NG1DJ2T3OBOO5XM\/Broken-Whatsapp.png?format=2500w 2500w\" loading=\"lazy\" decoding=\"async\" data-loader=\"sqs\"><\/p><\/div>\n<\/p><\/div>\n<\/figure><\/div>\n<div class=\"sqs-html-content\">\n<p class=\"\" style=\"white-space:pre-wrap;\">Given that I run a messaging platform,&nbsp; <a href=\"https:\/\/www.hospify.com\/\" target=\"_blank\">Hospify<\/a>, specifically designed to offer people a data-compliant alternative to tools like WhatsApp, Messenger and Telegram when chatting in a health care context, it\u2019s no surprise that I\u2019m often asked: \u201cWhat\u2019s the 
matter with WhatsApp?\u201d<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">So here it is: my cut-out-n-keep guide to the subject, in eight easy lessons.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>1. Where it\u2019s at<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Under the EU\u2019s &nbsp;<a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/\" target=\"_blank\">General Data Protection Regulation<\/a>, which got enacted in UK law back in May (just in case you\u2019ve had your head under a rock all year), personally identifiable data held about other people by you as a user of a technology platform should be stored, physically, somewhere in Europe. Meaning that the servers have to be in Europe and only in Europe, not spread all round the planet, like WhatsApp\u2019s are.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Why does this matter in health care? Because users of a health care messaging platform are likely to include doctors and nurses, and doctors and nurses tend to talk about patients. As soon as you mention a patient by name in a text message and add any details about their condition, then you\u2019re holding personally identifiable data about them \u2014 and data of the most personal kind.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">If you worked in insurance or marketing, you\u2019d have to ask (and get a record of) the patient\u2019s permission before you could send or store that information on the internet. 
But &nbsp;thankfully GDPR contains an exemption for those who work in health and care: they are allowed to communicate and store details about patients without asking express permission, as long as they\u2019re doing it in the course of delivering their care.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">To take advantage of this exemption, though, UK &amp; EU-based health care professionals need to use a communications system that handles data in a way that is otherwise compliant with both GDPR and the information governance rules of their health care employer. WhatsApp is compliant with neither, purely on the basis of the geographical location of its servers.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>2. Hand it over<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">The second problem is to do with accessing the information once it exists. WhatsApp messages are encrypted both in transit as they ping around the internet and at rest on WhatsApp\u2019s servers, where they\u2019re stored. But storing them like this creates big problems. If you\u2019re a doctor and you\u2019ve chatted with another doctor about one of your patients \u2014 to get some advice or a second opinion about their condition, for example \u2014 then you don\u2019t own that data. Your employer, i.e. the hospital or surgery where you work, owns it instead, even if it\u2019s on your phone. 
Your employer is therefore ultimately responsible for it, and \u2014 by law \u2014 has to be able to hand it over to the patient if the patient asks for it, which patients can do by issuing a fairly straightforward subject data access request.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">As we\u2019ve seen from cases like the &nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/2017_Westminster_attack\" target=\"_blank\">2017 Westminster knife attack<\/a>, when WhatsApp refused to hand over the content of the attacker\u2019s messages to the Home Office on the grounds that even it couldn\u2019t decrypt them, getting access to WhatsApp messages is tricky. This creates a paradox. In the case of the patient, the law says that the hospital has to hand them over. But if they\u2019re on WhatsApp it cannot hand them over, because without decrypting them it can\u2019t work out which ones they are. So because a doctor talked about a patient on WhatsApp, and that patient issued a subject data access request, the hospital is now in data breach twice over: because the messages are being stored on a server outside of Europe (most likely at a WhatsApp server farm on the Eastern seaboard of the US), and because it cannot decrypt the messages and hand them over.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>3. Snap happy<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Another issue is photos. Have you ever received a picture on WhatsApp? Have a look in your phone\u2019s main photo gallery. The picture will most likely appear there, as well as in WhatsApp itself. This is because nearly everyone\u2019s devices automatically back up such pictures to cloud services that are likely to be geographically located outside of Europe, and often shared with other members of your family. 
Even if you switch this feature off,&nbsp;<a href=\"https:\/\/9to5mac.com\/2017\/04\/04\/ios-10-3-icloud-features-bug\/\" target=\"_blank\">gaffes by Apple<\/a>&nbsp;and others can mean it gets switched back on without your knowledge.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>4. Notify me<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Another inadvertent source of data breach is the home screen notification. You can switch notifications off for WhatsApp, but almost no one does \u2014 you want to know when you\u2019ve got a new message, after all. The trouble is that the notification contains a snippet of that message, available for anyone within viewing distance of your phone to see. This potentially exposes sensitive patient data to prying eyes, breaks most employers\u2019 \u201cclean screen\u201d policies, and is therefore another reason that WhatsApp doesn\u2019t pass muster when it comes to health care information governance.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>5. UnPINned access<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">It\u2019s also not possible to set a separate PIN code or fingerprint lock on the WhatsApp app itself, which therefore relies solely on your phone\u2019s security lock to keep intruders out. If your phone is stolen or you leave it on the train and you\u2019ve left it unlocked for any reason \u2014 increasingly likely now that lots of phones offer to keep themselves unlocked for convenience when they\u2019re connected to wireless devices like keyboards or headphones \u2014 then there\u2019s nothing to stop someone getting access to your entire message history.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>6. Conspiracy theories<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Then there\u2019s the question of what WhatsApp is really doing with your data. 
Earlier this year Google &nbsp;<a href=\"https:\/\/www.hulldailymail.co.uk\/whats-on\/whats-on-news\/whatsapp-going-delete-your-chats-1912803.amp\" target=\"_blank\">struck a deal<\/a>&nbsp; with WhatsApp (which itself is owned by&nbsp; <a href=\"https:\/\/www.wired.co.uk\/article\/facebook-mark-zuckerberg-congress-testimony-cambridge-analytica-gdpr-privacy\" target=\"_blank\">Facebook<\/a>) to allow WhatsApp users to back up all their chats and photos to their Google Drive accounts without impinging on the 15GB free storage limit set on those accounts.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Now, this seems quite an odd thing for Google to agree to, given that Google and Facebook are major league competitors for online advertising spend. Would Google do such a deal out of the goodness of its heart? Call me paranoid, but I don\u2019t believe it would. Presumably it\u2019s getting some kind of value out of storing all that content which, despite being encrypted, would still be rich with all kinds of associated metadata that the search giant could use to improve its profile and advertising of \u2014 yes, dear reader \u2014 you.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>7. Secure doesn\u2019t mean secure<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">All of which brings us to the thorny issue of security. People think that WhatsApp is really secure because all its messages are encrypted. But it turns out that it\u2019s not that secure at all. 
A bunch of white-hat hackers called&nbsp; <a href=\"https:\/\/research.checkpoint.com\/fakesapp-a-vulnerability-in-whatsapp\/\" target=\"_blank\">Check Point Research<\/a>&nbsp; recently found that WhatsApp\u2019s QR-code feature, which allows a user to route his or her account via a laptop or desktop computer for ease of access, contains a vulnerability that allows an attacker to intercept group messages, change the identity of the sender, alter the text of replies to the group, and send private messages that go public to a group when responded to \u2014 all of which open the app to abuse and compromise privacy.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>8. WhatsApp is changing<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Finally, did I mention that WhatsApp is now owned by Facebook? Back in June WhatsApp\u2019s original founders Jan Koum and Brian Acton &nbsp;<a href=\"https:\/\/www.cnbc.com\/2018\/06\/05\/why-whatsapp-co-founders-koum-acton-left-facebook-wsj.html\" target=\"_blank\">resigned from the board of the company<\/a>&nbsp; in protest at Facebook\u2019s plans to introduce marketing and advertising into their chat app \u2014 which they\u2019d faithfully promised from the service\u2019s inception would never be allowed. (They were serious, too \u2014 their resignations cost them around $1.5bn in forfeited share options; a hefty price to pay for sticking to your principles). What does this mean? It means that Facebook\u2019s coming after the data you expose through WhatsApp in order to allow businesses to target you. And if the data you\u2019re exposing is information about someone else\u2019s health, then that\u2019s a major problem.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>To conclude\u2026<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Don\u2019t get me wrong. WhatsApp is a great tool that delivers 65 billion messages a day to its 1.5bn users around the world with incredible efficiency. 
I use it to keep in touch with family and friends, and you probably use it too. But that utility does not make it appropriate for communicating in situations where one user has a legal and social responsibility to safeguard another user\u2019s privacy, and that\u2019s the case in health care.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Which is exactly why we built&nbsp; <a href=\"https:\/\/www.hospify.com\/\" target=\"_blank\">Hospify<\/a> &nbsp;\u2014 a chat app with the utility of WhatsApp but without the vulnerabilities outlined above, that health care professionals and patients can use without worrying that they are inadvertently going to fall foul of the increasingly stringent data protection laws now in place in the UK and EU.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">If you work in health care check it out \u2014 the basic service is free because there\u2019s a premium version that people pay for, not because we sell your data!<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Given that I run a messaging platform,&nbsp; Hospify, specifically designed to offer people a data-compliant alternative to tools like WhatsApp, Messenger and Telegram when chatting in a health care context, it\u2019s no surprise that I\u2019m often asked: \u201cWhat\u2019s the matter with WhatsApp?\u201d So here it is: my cut-out-n-keep guide to the subject, in eight easy 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[16,17,24],"class_list":["post-152","post","type-post","status-publish","format-standard","hentry","category-hospify","tag-data-protection","tag-gdpr","tag-health"],"_links":{"self":[{"href":"https:\/\/jamesflint.net\/index.php?rest_route=\/wp\/v2\/posts\/152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jamesflint.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jamesflint.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jamesflint.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jamesflint.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=152"}],"version-history":[{"count":0,"href":"https:\/\/jamesflint.net\/index.php?rest_route=\/wp\/v2\/posts\/152\/revisions"}],"wp:attachment":[{"href":"https:\/\/jamesflint.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jamesflint.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jamesflint.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}