How often, when sending messages via a communication platform, are you thinking about your sensitive and private user information being exploited?

Communications platforms not only enable us to connect with colleagues, clients and partners, they are also keepers of sensitive and private user and client information. This means that they are also subject to data breaches that can have cataclysmic monetary and reputational impacts on companies or expose private information and conversations that can ruin the lives of everyday citizens. 

Plus, within our data-driven economy, where data is the new oil, every company makes big efforts to collect as much data as possible about their customers and their competition because it gives them a commercial advantage. 

How can you make sure that this information is safe? How can you assure your employees, partners or clients that their conversations can be seen by only the peers involved? Modern end-to-end encryption protocols do guarantee that only the sender and the recipient can see the content of the message by creating a private key that only they have access to.

What is overlooked is the metadata that accompanies every message — and every social post. The metadata, which is not encrypted, is there for the taking and may reveal an array of information, including who the messaging is from, whom it is addressed to, and when and where the messages were sent. 

Encrypting metadata is still a challenge for nearly every kind of encryption method. Even the most complex architecture available to protect metadata is not completely secure. If someone is eavesdropping or spying on the communication, it’s still possible to correlate who is sending and who is receiving by comparing the traffic. Government regimes have been able to leverage this flaw to spy on whistleblowers, journalists or others.

MIT researchers are working on a system that protects against hacker eavesdropping on large networks and mitigates some of the challenges — such as complexity, lack of scalability and speed — that have prevented the development of a widespread practical solution. 

While security experts understand the risks associated with unprotected metadata, consumers often do not — or at least they behave as if they don’t — and happily post their photos and other information to social media platforms. They are a walking target practice for marketers and hackers alike.

Data Protection vs. Data Privacy

Communication solution providers understand the need to keep your data protected against external parties like hackers or companies seeking unauthorized access to that data. Data protection is aimed for by most, if not all, communication platforms. But what is missing from the data security umbrella is data privacy. Data protection and data privacy are not the same things. For example, you can have data protection using Facebook, but you don’t have any data privacy. All too often, your data is being shared with anyone willing to pay for it.

To guarantee data privacy, you need to know exactly where the data is being used, collected and stored.

Data privacy means the user has full control over how their data is used. One method to ensure data privacy is for the administrator to host the communications server internally. It is a different approach from other communication platforms, requiring that you trust their servers and infrastructure. In the self-host scenario, the user hosts the server inside their own infrastructure, which gives that user complete control over their data. There is no external server interacting with — either receiving or sending — your data.

The data sovereignty aspect involved in the choice of where to deploy the solution is essential for data privacy. When you use a communication platform that operates as a service, for example, you need to trust their servers. You cannot take that server and host it inside your company infrastructure. You need to connect to the internet and send the data to their servers. They can apply all sorts of data protection to their servers, but you still need to trust that they respect your data privacy.

Along with data privacy, an additional advantage to self-hosting is that you can apply any of your security policies to the infrastructure. For instance, a health care company that needs to guarantee that the Health Insurance Portability and Accountability Act  (HIPAA) compliance standards are fulfilled can layer those policies to ensure they are enforced. Or a company that needs to be fully compliant with the General Data Protection Regulation (GDPR) can integrate those policies into the infrastructure.

Keep Your Data to Yourself

Make sure the communication solution you are using does not sell your data. Collecting data and selling it to other companies is standard practice for many communication brokers. Even if your data is masqueraded and your name is not shared, it is still your data. It’s still possible to create a target or a persona that will fit your profile and eventually be used for advertising products. Collecting user data to create a profile to be eventually sold for commercial use is detrimental to data privacy.

Employ an Open-Source Platform

Consider an open-source communication platform to guarantee complete transparency. Open-source platforms are open-books; their codes can be checked and audited by anyone to see if what they are doing behind the hood is consistent with what they say that they are doing. Using an open-source app is key to maintaining your data privacy because you can make sure that your information is being sent to the right place — not to someone or somewhere else.

If you can’t see what’s happening behind the hood, you do not know how your information is being used.

Guard Against a Backdoor

Using open-source solutions also protects you from a third party — such as a government agency — enforcing a backdoor in your app that you do not even know exists. Some governments are trying to force companies to put backdoors in their software or using weakened encryption algorithms to allow the government to decrypt the communication.

There is no such thing as a secure backdoor; once it exists, other parties can find it. A government agency may put it there for its use. Still, if a hacker or criminal organization — who are often more sophisticated than government security specialists — can find a backdoor, they will open it up and go right in.  

The only safe backdoor is the one that does not exist at all.

While self-hosting open-source solutions do present some challenges — you will need to take care of maintenance and configuring the servers — it is the only available method to guarantee that your metadata and data privacy are protected. The extra effort provides peace of mind that is not possible with an external server scheme.