Scotland’s brave new world of end-to-end encrypted workplace messaging

By now you’d assume most government organisations are aware of the risks associated with consumer messaging apps like WhatsApp, Signal and Telegram being used in the workplace.

Consumer apps, convenient for personal use, are completely unsuited for official communications. They lack the necessary security, auditability and management controls that public sector organisations require. Furthermore, imagine your country’s digital infrastructure being operationally dependent on a consumer app from a private tech company, run out of an entirely different country...

Yet the Scottish government raised eyebrows when it announced it is banning the use of WhatsApp and any other "non-corporate" messaging services from spring next year.

The ban is for all the right reasons. In the UK, it’s been jaw-dropping to see the likes of Boris Johnson, Rishi Sunak, Nicola Sturgeon and others stammering to explain how all their Covid related WhatsApp messages suddenly disappeared.

That’s not just because of their dubious claims - let’s not forget that WhatsApp makes it trivial to back up your messages. It’s that the Cabinet Office was run via WhatsApp in the first place. Which means, of course, there was absolutely zero formal management of who is in chat groups and no record keeping, or controls to stop the service reading messages or metadata.

So it’s refreshing to hear Deputy First Minister Kate Forbes say her government was committed to "standards of openness, transparency, and accountability" and that "government business should happen on government systems which are secure, searchable and allow the appropriate sharing of information, in line with our statutory duties."

A ban is futile

However as Element has seen countless times, a simple ban is never enough. According to a study conducted by Forrester Consulting, 52% of leaders say their employees are commonly using unsanctioned, real-time messaging apps in the workplace.

Concerningly, Forbes also said ministers and staff should instead use corporate-approved apps, such as Teams and email. Not only are they nowhere near as convenient to use, they are also fundamentally insecure. Neither are end-to-end encrypted, which is an unacceptable risk as recently highlighted by Salt Typhoon. Microsoft Teams is a walled garden that stymies conversation between separate organisations and email is, well, from yesteryear…

The fact is, consumer messaging apps are endemic in everyday life. People are so used to the speed and ease of messaging apps that the Scottish government will have to provide an alternative messenger if it’s serious about stopping non-corporate messaging services. That means something that’s just as easy to use, but that is built for the workplace to ensure security, control and compliance.

The French government’s use of Tchap

France provides an excellent example of both compliant and end-to-end encrypted messaging. President Macron and his team famously used Telegram as they campaigned but, once he became the nation’s leader, France’s National Agency for Information System Security (ANSSI) moved quickly to introduce a far more secure alternative. In partnership with Element, the French government developed Tchap, a messaging platform for the French government and civil service based on the decentralised Matrix open standard. France has also banned the use of consumer-grade messaging apps, and Tchap is now used by more than 300K French civil servants.

Similarly, the German Armed Forces has already standardised on its BwMessenger, while the German healthcare system is introducing the Matrix-based TI-Messenger initiative to underpin real-time secure communication for more than 150,000 healthcare organisations and 74M public insured citizens.

NATO is also experimenting with NI2CE Messenger, its own digitally sovereign alternative to WhatsApp.

A new era of communications

All these government messengers have the same three baseline requirements:

Interoperability to enable multiple government departments and the private sector to communicate in the same way they would use email. For example, NATO being able to use NI2CE Messenger to communicate with the German Armed Forces using BwMessenger.

Digital sovereignty to ensure a government has complete ownership and control of its communications solution, rather than having to trust a specific software vendor’s cloud-based solution.

End-to-end encryption to protect sensitive conversation from those outside of the conversation.

The brave new world

Deploying and managing messaging software on their own infrastructure, organisations can customise their communications platforms to meet their specific needs, be that maximum convenience or implement the correct security measures, and ensure compliance with relevant regulations.

By embracing messaging apps designed for the workplace the Scottish government can do a whole lot more than ensure transparency and public trust. It can deliver secure real-time communications across the entire public sector, and its private sector partners, to safely transform ways of working.