Episode 108: Are Your Messages Really Private?

Jon Prial: What would get you really nervous? What have you heard in the news that Slack was hacked? Was there anything you said to a colleague that you wouldn't want others to see? What about WhatsApp or Facebook Messenger or any other messaging tool? Basically, is the product you've chosen is secure as it can possibly be? We've talked in the past about how companies should be making security a priority, building a foundation of trust with their customers. But it's so important, we're going to be doing it again. And sadly it's no longer just email or recent data hacks that should be on your worry list, it's also messaging. So are you ready to look in the mirror and think about how exposed your company might be? I'm Jon Prial, and welcome to the Georgian Impact Podcast. Today, we'll be focused on secure messaging. As we talk to Navroop Mitter, who is the CEO of ArmorText. ArmorText sells an end- to- end encrypted collaboration platform. This is a critical infrastructure protection and regulated industries. They target what they call the most sensitive communications in the enterprise. And of course, those are around a securities operation center, network operations center, and of course, the executive C- suite and board level communications. I'm sure ArmorText is more than happy to expand their install base within each enterprise, but at least now you know where they're coming from. Navroop serves on several technology advisory boards and has been repeatedly been called upon to brief congressional staffers on the nuts and bolts of encryption and cyber threats to national security and public policy. I'm already feeling better knowing that they're not being, quote, lobbied to per se. And hopefully you'll feel the same way too after hearing from Navroop. Navroop, welcome to the show.

Navroop Mitter: Glad to be here. Thank you for having me on.

Jon Prial: For the moment, I want to leave out government and law enforcement and give you my take on privacy. And we get a sense that there's two parts of this. There's a contextual element to privacy, you and I talking. And then of course, everything evolves to rules and laws. I don't expect someone to look in the windows of my house. I think if they do, it's against the law. I don't expect someone to look over my shoulder when I'm working on my computer or take my phone from my hand. But in all those cases, I've got window shades or I've got software and passwords. But I think as we get started into this, just give me a few seconds if you don't mind, what the plain view doctrine is. I think that'll help set the tone first.

Navroop Mitter: Yeah. Great question. Look, when it comes to digital systems, oftentimes companies are being asked now to either turn over credentials or other forms of access to these systems. When they do so, there's oftentimes a scope of the inquiry, which says," Hey, we're looking for something related to topic X." When you turn over privileged credentials to most systems today, whether it's a database or some other system, those credentials are oftentimes able to search for dramatically more than just topic X. And as a result, our courts are starting to lean heavily in favor of this notion that if by virtue of an investigator's access to the underlying systems, they're able to see something beyond just topic X, that that too is admissible in court. And a lot of this plain view doctrine for digital systems got established out of cases that were originally related to major league sports. I won't go into the specifics of the case here, but they've basically analogized it to if we had a warrant or some other requirement to be able to search your bedroom and we walked through the front door and then saw something in the living room along the way, that would have been considered in plain sight and admissible. They've extended that analogy into the digital sphere. So if they have privileged credential access to additional materials, and they happen to run a search that then exposes something other than just the topic they were originally supposed to be searching for, that is also admissible.

Jon Prial: Wow. Interesting. So then tell me what privacy means to you and ArmorText and the messaging marketplace. Let's take it down to that electronic world.

Navroop Mitter: Yeah. Great question. When we look at the landscape of messaging capabilities, whether it's for consumers or for the enterprise, we think there's a really important distinction to draw up front, and that's that there is a difference between privacy and security. You and I as individuals want to have private communications whereby we know our provider, whether it be a Facebook or an Apple or a Google or anyone else, are not able to listen in on our communications. They're not able to read what you and I say. When it comes to enterprises, however, especially those in regulated industries or those in critical infrastructure, and today there are very few companies that aren't at least regulated let alone in critical infrastructure, for those companies, they have a responsibility to be able to review who said what and to whom, when it was said and how it was consumed. That audit trail, so to speak, that retention and review requirement, that governance set of requirements, that these kinds of companies are under mean that they can't adopt private communications in the way that you and I, as consumers, might adopt. Instead, they have to adopt a security- oriented approach, which is secure those communications as well as possible, so long as we can still execute our responsible retention and review requirements. And if we can't, then reduce the level of security. And that's kind of been the unfortunate position that enterprises have been put in. They've had to either choose between an extreme privacy- oriented approach that then precluded governance and review requirements, or applications that especially as collaboration moved to the cloud meant that their providers could see the information, their providers then saying that by virtue of our ability to see it, we can also then recall it for you and provide it back for your retention and review. What we at ArmorText have done is actually bridge that gap. We've given you the kind of end-to-end encryption that would typically only be available in your consumer- oriented privacy applications, but built it to meet requirements for governance and review capabilities within the enterprise without necessarily requiring you to also either run it on- premise or have very complicated on- premise key escrow infrastructure.

Jon Prial: Sure, so let me contrast then. I think it's great to have that enterprise differentiation because if I'm an employee of a particular company, I've always known, they say these systems are for your business use only, it's not for your personal use. We might look the other way if you use it for personal, but don't do anything insane. But they own it. And the best example I can think of is when you're working with stockbrokers, and in my old days of working with e- discovery systems, someone could not write an email to me saying," I think you should buy XYZ or sell XYZ" because that's supposed to be done verbally and not via email. And that gets caught. So that's a bit of governance and ruling around an email space. That still holds true whether it's encrypted or not. I need a little compare and contrast if you don't mind, please.

Navroop Mitter: Yeah. Great question. So let's use a different analogy that I think a lot of people can relate to.

Jon Prial: Great. Thank you.

Navroop Mitter: One is, let's say your doctor is now communicating with other hospital staff. You've gone to visit the doctor, you're in the ER, the doctor is communicating with other hospital staff, something goes wrong. Those communications happen over an end- to- end encrypted channel for which the hospital has no ability to go back and review who said what to whom. When you now have to go back and review what actually took place, the hospital is in a position where they're unable to do so. And that becomes problematic.

Jon Prial: Yeah.

Navroop Mitter: We expect a certain level of retention and review, especially for these industries that are so heavily regulated and that they are so heavily regulated because of the level of risk and liability that potentially comes with some of the things that can go wrong. And so I think that's an analogy that we can all understand. We've all had to go to a hospital or at least had to go to a doctor, see them, and then realize that they are taking notes. And that if they were to do something wrong or inadvertently screw up, that could have serious impact to us. And we want to actually be able to recall those communications then and see them, and then be able to act on them, provide them to our lawyers so they can actually then help give us just compensation.

Jon Prial: That's an interesting balance. And you've already mentioned security and privacy. So for sure, this communications between the doctor and anyone else must be secure, must be not hackable. Privacy is in the eye of the beholder, maybe a horrible phrase to say, but it's going to maintain privacy, but I've given up the rights for the doctor and the hospital to talk to each other. Yet, I still need to come back and get access to it potentially if something, hopefully doesn't happen, but if something goes wrong. So it's an interesting balance of the options that are here, the choices.

Navroop Mitter: That's right. So that in that example there, while we talk about it in terms of patient confidentiality and patient privacy, really is what we're really talking about is security for those communications. Because if they were truly 100% private communications about you as a patient, we would never have the ability to recall and review them. And so even though HIPAA specifically is talking about privacy patients, the reality is what we're really trying to address is providing the best security possible while still maintaining that ability to go back and do reviews. And so that's an example of how this plays out in the healthcare sector. There are similar types of requirements though, that are imposed upon other critical infrastructure in regulated industries as well. Right? Utilities also have responsibility to go back and be able to perform an after action review. Let's say their security operations center has now encountered an incident of some sort or a threat, and they're now managing to mitigate it. But then they then want to go back and start to look at, well, what actually happened? This risk has now been realized. It's truly an issue. We need to go back and do an after action report at the very end. If all those communications took place purely on a private only channel for which there was no ability to have records, retention or review or any other type of governance, what do you do? And when it comes to security and privacy, there are a couple of other things that play, right? It's not just about retention and review. A lot of times people focus just on that element of it. The other aspect of it is, I can actually discuss this by way of analogy. There are two security oriented companies in Silicon Valley. These two companies happen to be competitors. Executive A leaves company A and goes to company B. For the next one year, company B continuously beats company A to market by almost a week in almost all cases, even when company A moves up its timeline by almost 30 days. The reason is, is because while company A had adopted and then encrypted communications on WhatsApp, as its standard medium of communicating, especially about private matters related to product management, things that they considered their equivalent of state secrets, when that executive left company A to go to company B, while he was removed from a handful of those WhatsApp conversations by his peers who knew he was leaving, over time, he had been added into multiple other conversations. And these conversations were effectively directed at his personal WhatsApp account on his personal phone number, because most of us have our cell phones follow us. And so as a result, they were inadvertently exposing state secrets, so to speak, to this executive, well after his departure from the company. There was no centralized user management. There was no centralized administration of policy, no centralized ability to remediate and or recall communications from this person who had left. So you can have amazing levels of end-to-end encryption in a privacy- oriented solution, and yet be wholly missing a whole series of enterprise controls and governance capabilities that have nothing to do with even the retention and review side of the house.

Jon Prial: I find that fascinating because it's clear it took a while, but companies have done a good job when an employee leaves a company. They finally created the checklist of all the things that you need to do. So within X hours of departure, everything's shut down. And what I'm hearing in this particular case, they probably had fantastic controls around an email system, and they sort of forgot about this bolt- on messaging system that was on the site. Wow, what a problem.

Navroop Mitter: Yeah. And that's actually the interesting thing. If you were to talk to the company, the reason it went unrealized is because they actually did have other enterprise messaging that fell under the scope of their identity and access management program, the program that would have automatically deprovisioned access. But this was a quote unquote out of bands communication method for the more sensitive conversations. And interesting enough, the more sensitive conversations then were actually left less protected in some ways, even though they thought they were upleveling their level of security and privacy on them by adopting something that had end-to- end encryption. So it's that law of unintended consequences.

Jon Prial: Wow. Obviously, other than an ArmorText type solution, it does seem like messaging is still new enough, even though it's been around forever it seems to me, it has created some new problems or new elements of risk until this really gets integrated into this enterprise security ethos, right?

Navroop Mitter: Yeah. I think it's an interesting state of affairs, right? If I look back at my entire career, going back to my days at IBM, we had IBM Sametime back in 2002 when I first joined IBM. If I'm not mistaken, Sametime had actually already been around for a few years prior to that. Jabber had already been in existence. I don't think it'd been acquired by Cisco yet, but that was shortly thereafter. We've had messaging at the enterprise in the form of Microsoft Lync and Communicator, Cisco Jabber, IBM Sametime and a host of other solutions that were meant to be run as on- premise technologies. When we had the on- premise technologies for the enterprise, there were always a series of vulnerabilities that we had to accept, one of which was that there were folks who had eyes on the data. They were by and large your own folks, they're you're your own internal IT administrators. And so because you had these IT admins who had eyes on the data, you had accept that level of risk, right? This was a risk that they might go and do something wrong. But if you didn't accept that risk, if you somehow shut everyone out of it, A, they could have been missed the system and B, when you had to go back and do a review, there was no one to actually write the queries into the system for you, who could then pull the materials out, hand them to the general council and let them do their job on a review side of the house. So those things were all accepted. There's assumable risk acceptance that went along with that. Once those kinds of communications moved to the cloud, suddenly there were a whole host of other people who had eyes on your data. It was your provider, who could potentially data mine those communications. And there are very specific groups built to data mine communications in a number of the leading platforms for messaging and collaboration in the cloud today. Not only are they data mining it, but because it now sits in the cloud in a form that they can read, they're also being subpoenaed directly for those communications. And the case of many providers now, we're starting to see evidence that they've been hacked explicitly for the purpose of getting access to multiple organizations or multiple persons communications who otherwise unrelated all at once. So a bulk hack.

Jon Prial: Wow. So you didn't mention the names of the security companies and I'll try to avoid mentioning names. I've referred in the past some of the New York Times privacy project articles. And there was a relatively recent piece about data that might be a risk for a particular company. I shouldn't say the name of the company, it recently IPO'd, the name rhymes with Slack. Tell me what you might think that means then as we move to this new world of recognizing what's out there in the cloud, the risks have increased as we get out on the cloud?

Navroop Mitter: Yeah. To that company's credit, one of the things they did prior to their IPO was to very specifically state that they were at risk from nation state actors, organized crime, hacktivists, and others who recognize that they are a repository of sensitive communications from multiple organizations, right? And so they at least have acknowledged that that risk does exist. A bulk hack of their systems would enable a hacker to expose the communications of hundreds, if not thousands of organizations at once. So at the very least, they've at least recognized it. And I think that's important to recognize and be honest and upfront about that potential risk. That is more than what we can say for a lot of other companies. So to their credit, they've done that. The article you're referring to, I think in the New York Times though, brought to light something that a lot of folks had inadvertently relied upon, which was that if they were using the freemium or the free version of this particular product, that their messages would automatically be expunged post the 10,000 message mark. We don't have to worry about those messages because in roughly 24 to 48 hours, based on the rate of messaging that we have internally, they're going to be gone anyways. And so we're not so worried about the protection levels that are or are not provided those communications. Well, what the EFF does in this particular article.

Jon Prial: That's the Electronic Freedom Foundation, yep.

Navroop Mitter: Yep. Yep. So the EFF, a great organization, what they call out in this article is that the company in question here is actually maintaining those communications. They're not actually being expunged and it's actually a part of their current business model, which is that when your organization decides to finally go ahead and adopt the paid version of the product, you aren't suddenly starting from scratch, your historic communications are now made available to you, as they would have been had been paying from the get go, right? So you are suddenly able to access those communications. And in that, that's what the EFF has identified as potentially being a significant risk, right? If those communications that people thought had been expunged, or if they were speaking more freely prior to paying for the version of the product that you would pay for, were speaking more freely or not planning to pay it all because they thought that this would just be one of their automatic security controls, at the very least been mistaken and potentially have been misled. And that's a problem that they've called out.

Jon Prial: Wow. So I think one of the most interesting features that I see when I looked at ArmorText, and we always think about a cloud and zillions of users that are there, but you actually think about companies that are collaborating across platforms. So there are groups of org users organized by companies per se, and you allow them to manage and maintain its own data. Do I have that right? This is, I think, as important thing to talk about.

Navroop Mitter: It is. When we think about the world of federated communications, right? The best analogy that we have is that email is effectively a federated system. You run your own email servers, or at least you did at one point. Now we all pretty much just use Gmail or something similar. But what's upon a time, you ran your exchange servers in your organization, I ran my exchange servers. When we communicated with each other, you weren't establishing a guest account on my system. Rather, I was simply emailing you at your email address. Your organization never lost control over your email account, nor did they lose governance or retention or review capabilities over the emails that you were sending and receiving on your side of the house. Well, fast forward to the world of online messaging collaboration in the cloud and 2019 here, when we, by and large, invite others to communicate with us in our workspace, they're actually establishing a guest account in our workspace, right? And I say this is not our as in ArmorText's but our as in a lot of the popular products that are out there. And so when you establish a guest account in someone else's workspace, your home organization has lost that governance capability over your account, whether it's as simple as user management or being able to enforce policies or controls that they might be required to enforce upon their employees, that has been lost to them at that point. In the ArmorText's model, what we've done is taken a step back and say," Look, we can move towards a model where we actually increase the level of federation capability." And in our federated model, ArmorText's customers are able to establish their own private directory that is for their internal communications, their are people. And then from there, they can set up what we call trust relationships with other ArmorText customers, and they dictate who those trust relationships are with, the degree that those trusts encompass. Is it your entire organization to all of theirs, a subset on your side to a subset of theirs, or just a party and a party on either side or combination thereof? However you want to mix and match. Those trust relationships then allow each organization to maintain its governance. They don't lose oversight over anything that's being sent or received by their people. You're not a subject guest account in the other person's systems. You rather are communicating from your primary account in your home organization's private directory, you're just able to bridge across these private channels as need be.

Jon Prial: It's interesting. So what I'm hearing, you actually answered the question I'm going to get to, but I want to restate it. To me, based on the size and maturity of a company, there could be different degrees of document retention, information life cycle management, protections of these federated sources of data. And we talked earlier about mail versus messaging and messaging was some degree forgotten, but it could be brought back into it. But it sounds like we're in a little bit of a different world now because we have such a richness of communication options in terms of how we capture the data and that almost a new mindset needs to be brought forward. Is that a fair categorization?

Navroop Mitter: Absolutely. Nemertes is a research group similar to like a Gartner. One of the things that we've been seeing from their research, as well as our own experience in the field, is that more and more we're seeing organizations adopt purpose- driven messaging. For a little while there, there's this assumption that messaging would be like email, there'd be one to rule them all, and that your organization would adopt a single standard and that everyone would go there. And there was some merit to that idea in that it would in theory, be easier to manage, it would be a single repository, we wouldn't have to have disparate capabilities. Why should we have overlap? This should actually help with rationalization. But ultimately what they found was that more and more, there were specific use cases that were better answered with different capability sets. So banking has been a great example of this. They literally sponsored the development of a trading specific communications platform. And in so doing, have given this tool out to their traders to communicate on for the trading purposes. But they didn't necessarily roll that out in mass to every single other person in the organization. Quite the opposite. They recognized that their dev ops people would be better served by other tools that were more dev ops oriented. They also recognize that their executives would be better served by tools of communication that were more centered around the communications they would have to have as executives, or as salespeople or other parties with the rest of the world that weren't necessarily trading oriented. And so we've seen the rise of purpose- driven messaging more and more. The most mature industry is the one that had the most security controls, like the financial services industries, have all been leading the charge on driving the adoption of purpose- driven messaging. They will rationalize a bit and then go back towards a little more purpose- driven, rationalize a little bit and go back towards more purpose driven messaging.

Jon Prial: Well, I can't tell how much I like this because I've never heard this context in the case of messaging. There is no doubt in my mind, we moved to this world of micro something so that we went from three or four broadcast television networks to micro channels, whether you're sitting on cable or you're looking at the over the top channels. We grow from the world of two magazines around news to hundreds of subsets of magazines around news. You do not go back to the mass. It makes sense to me. I really like this purpose driven thought that people should think about what they're trying to accomplish, and what's the best way to do it for the right subset of users. So given that there is purpose- driven messaging, how do you see ArmorText fitting into that space?

Navroop Mitter: That's a great question. So we look at our primary objective to provide security and end-to-end encryption for communications and collaboration around the most sensitive communications in the enterprise. Those sensitive communications are often centered around the security operations center, the network operations center, and then the executive C- suite and board level communications. So we actually provide, for secure information sharing, among those parties. Now sometimes that means it proliferates and becomes broader throughout the enterprise. But other times, that's actually what we're starting with is the SOC, the NOC, the security teams, dev sec ops, the C- suite, the board and the executives.

Jon Prial: So unbelievable discussion, this is great. Let me wrap it up and ask you an interesting question for you. So one of our portfolio companies in the cybersecurity space has always led with a message of," You will be hacked." It gets their attention. So what would be the message that you would want to deliver to a CEO that would make a CSO smile?

Navroop Mitter: The adversary is already on the network. And because of that, they are already listening and gathering intelligence. When your communications matter most, you need to make sure that you're on a capability that is both out of bands and provides redundancy, but also addresses security so that those communications that you're having are secure no matter what, even if they compromise your credentials.

Jon Prial: Fantastic. What a great dialogue. Thank you so much for spending the time with us today. I really enjoyed our conversation. Thanks so much for being with us.

Navroop Mitter: Absolutely. Thank you for having me on.