As chat apps overtake SMS text messaging as the mobile messaging method of choice, what dangers does this hold for information governance and security?

According to a recent CNET article, in 2012, 19 billion messages were sent per day using chat apps (such as WhatsApp), compared with 17.6 billion messages sent via SMS text messaging. This represents a fundamental shift in the world of sending text messages, as third-party apps are now handling a majority of all messages being sent.

How does this shift in text messaging affect employers who want an accurate, up-to-date understanding of where their data is located for information governance, or for corporate InfoSec policies that focus solely on locking down or preventing SMS messaging by employees using corporate-issued mobile devices?

The Evolution of Mobile Messaging

Short Messaging Service (“SMS”) is part of most cellular service provider packages, and allows for the exchange of short text messages between mobile devices. First used approximately 20 years ago, SMS quickly proliferated and gained widespread acceptance as a primary method of communication between mobile devices. It also became a way for mobile carriers to generate additional revenue.

However, as mobile devices and their associated communication technologies have evolved, so has the manner in which devices can communicate with one another. For example, iPhones and BlackBerry devices both have proprietary apps that allow for direct communication between devices (iMessage and Messenger respectively). Combined with the introduction of third-party apps such as WhatsApp, there are now multiple choices for users to send messages from one mobile device to another.

Finding the Data

Unlike SMS messages, which are stored both on the device and with service providers for varying lengths of time (see the DOJ Cellular Service Provider Data Retention Guide for details), messaging apps store data exclusively on mobile devices -- meaning the mobile device is the only source of that data.

Often, that data is not always accessible or understandable because of the varied ways in which the apps store message data. For example, Apple’s iMessage app stores data on the device in a SQLite database, while other apps simply store their data in a plain text format. This is an important factor to consider when identifying locations where sensitive information could exist from a corporate information governance perspective, as it requires corporate InfoSec departments to keep up to date with the most popular chat apps available and perform rudimentary research on them to determine how they store data.

Should it become important to preserve messaging data from these chat apps, it is still a best practice to use personnel specially trained in the handling and collection of mobile devices. Performing a simple backup of an iPhone using iTunes, for example, may not capture all of the information available from each app on the device, rendering both the preservation and any subsequent data extraction tainted.

Using specialized software, trained personnel can preserve data on the device at the physical level, including data stored by various apps present on the device. Once the data has been properly preserved, relevant data can then be extracted and produced as needed.

Two Approaches to Information Governance

So how do corporations effectively incorporate the usage of these chat apps into their existing information governance and InfoSec policies? There are two basic approaches: using internal resources to handle everything, and retaining outside assistance. For those corporations large enough, internal resources (i.e. IT staff) can be trained to identify, preserve and extract potentially relevant data from company-issued mobile devices.

The plus side of this approach is that corporate personnel are already intimately familiar with the systems in place with the company, and there is only an incremental cost incurred (for training, hardware, and software). The downside to this approach is that it exposes corporate IT staff to scrutiny, potentially during testimony in open court, about internal policies and procedures.

Retaining outside assistance alleviates the risk associated with having internal IT staff perform the preservation and extraction of data from mobile devices, as well as removing the need for specialized training, hardware and software, as they (and their staff) should already be in possession of these “tools of the trade.” The downside to bringing in outside assistance is there can be a steep learning curve for outside personnel to become familiar with the systems and processes in place in a corporation.

Regardless of the approach taken, as the popularity of these chat apps continues to increase, it will become imperative for corporations to take affirmative steps to include them in their overall information governance strategies. As the old adage states, “failing to plan is planning to fail.”

Title image courtesy of Sergieiev (Shutterstock)

Editor's Note: To read more about the security risks involved with mobile in the enterprise, see Ajith Samuel's Bracing for the E-Discovery Dangers of BYOD