Vendors add surveillance support for WhatsApp alternatives

Concerns about data leakage have driven some users to rival privacy-focused messaging apps like Telegram and Signal, as WhatsApp policy changes come into force on May 15.

Mobile Applications

A controversial update to WhatsApp’s privacy policy is driving interest from trading institutions in rival messaging platforms such as Signal and Telegram, and surveillance providers say they are adding integrations to their offerings in response.

“People are concerned about WhatsApp because of the Facebook data-sharing requirement,” says Lee Garf, general manager for financial markets compliance at Nice Actimize.

In January, WhatsApp effectively told its more than two billion customers that they had to agree to share data with parent company Facebook by February 8 or WhatsApp would delete their accounts. Millions of users left the platform in protest, migrating primarily to Telegram and Signal instead. Telegram told the New York Times that it added 25 million users in just three days in January, pushing it to over half a billion users, while Signal added nearly 1.3 million in just one day, and was the top free app on the iOS App Store and Google Play Store. 

Amid the furor, WhatsApp pushed back the deadline to May 15. The company insists that the update changes little for users, that the controversy surrounding the update was based on misinformation, and that it has shared metadata with Facebook since 2016. However, users are still concerned that the tech giant, which has a dismal record on privacy issues, will mine and monetize their data.

Garf says that customers used to be interested primarily in surveillance capabilities for WhatsApp and WeChat. However, since the WhatsApp announcement, he has seen more demand from buy-side and sell-side firms for Signal and Telegram.

Neil Bond, former head of trading at Ardevora Asset Management, says firms must prevent information leakage to competitors, and to Big Tech companies like Facebook or Google.

“If WhatsApp shares data with Facebook, you have to ask to whom Facebook might sell that data,” he says.

Telegram does not offer end-to-end encryption by default. Signal, which markets itself as a privacy-focused app, does do so, as does WhatsApp, which in fact implemented the same protocol that underpins Signal. However, unlike Signal, WhatsApp collects metadata on users, including phone numbers, the make and model of their handsets, IP addresses, and any financial transactions made over the app.  

The problem for compliance managers at financial institutions is that, while many of these firms ban or limit the use of chat apps and encourage using single, secure platforms to interact with clients, traders like using them. Controlling the usage of WhatsApp has become particularly difficult since the pandemic shifted even some of the most highly regulated staff to remote working. 

Nice Actimize saw an uptick in the use of mobile apps over the last year as investment firms have surrendered to staff members’ determination to use them, Garf says. Before the pandemic, perhaps 5% of its customers supported the use of these apps, but that figure has jumped to 50%, he says.

London-based VoxSmart is also developing support for alternative apps, says its CEO, Oliver Blower. “We have begun adding things like Telegram and Signal, which are increasingly popular in the digital asset space, and in emerging markets,” he says.

Blower says he saw an increase in the use of WhatsApp, even before the pandemic, across the buy side and sell side.

“The whole market moved over to WhatsApp in 2016. Our clients, who were mainly inter-dealer brokers, had no choice, they had to find a solution. They could not just ban it. So we developed a solution,” he says.

The VoxSmart surveillance solution currently captures three to five client messages per second on WhatsApp.

Garf adds, however, that “firms have taken the position that they will support these mobile applications, but only when they can securely capture them.” There are still some restrictions on how these apps can be used and they need to be fully monitored for breaches in protocol.

JP Morgan banned corporate and investment bank staff from participating in instant message groups involving multiple banks or dealers back in 2013. The bank disciplined senior staff for using WhatsApp at work in 2017, including firing a veteran trader. Deutsche Bank banned WhatsApp on company phones in 2017. However, these firms are starting to bow to the inevitable. In 2020, Deutsche enabled Symphony’s Connect Solution for chat with clients via WhatsApp.

Surveillance support

Nice Actimize will apply the same technologies and methods it currently uses for surveilling WhatsApp and WeChat to the new apps Signal and Telegram. To capture data from these mobile messaging apps, the user must consent to the vendor installing a monitoring app on their device. Once deployed, the technology operates behind the scenes, monitoring the user’s communications.

The data cannot be captured while it is being exchanged between users since it is encrypted, but once the user grants permission for the app to access data, it can be captured, archived, and analyzed for suspicious activity. “The communications are encrypted, but when you install this plug-in or app on one of the phones, it can get to that information,” Garf says. 

Text messages can be analyzed using natural language processing to identify potential misbehavior. Audio files can be converted to text for the same analysis. If the system identifies an activity as possibly suspicious, it will create an alert for the compliance analyst at a client firm to inspect for possible breaches.

Garf says the surveillance technology operates in much the same manner across all the mobile messaging apps.

“Once it’s captured, and it’s stored in our archive, we then surveil the data that is there,” he says. “At that point, once it is in the archive, the surveillance is exactly the same” as other applications the company is already surveilling.

Nice Actimize’s surveillance capabilities for Signal and Telegram are scheduled to be rolled out in the second half of this year.

VoxSmart is about to go into production with its surveillance offering for Telegram, but it will take two more months until its tech can support Signal.

Blower says Telegram usage is more widespread in emerging markets. “[It is] mainly in the East, Russia, China, Eastern Europe, and in digital markets, like cryptocurrencies.” However, Signal is still “relatively unknown”, he adds. He says the market demand has not yet fully emerged for Signal, although he says that a lot of clients reached out about the app when the news about the WhatsApp privacy update first broke earlier in the year.

Matt Smith, CEO at surveillance specialist SteelEye, says although WhatsApp has taken a reputational hit due to its new policy, users will not abandon it in enough numbers to cause it concern. “Firms that are progressive will allow it, but they can only do that if they can monitor it,” Smith says. 

SteelEye offers surveillance for WhatsApp but is not currently developing support for Signal and Telegram. Roughly 20% to 30% of the vendor’s clients are capturing data from the service, Smith says.  

As new communication venues become increasingly popular, compliance teams will come under more pressure to keep track of all the apps regulated users are downloading and using for work. The problem, Smith says, is that bad actors can easily switch to new communication channels if they are determined to carry out illegal activity. “If you are somebody who is doing something nefarious, and you know somebody just installed something on your phone to monitor WhatsApp, what will you do if you want to continue doing the things you do? You just jump for the next thing,” Smith says.
