The recent arrest of Pavel Durov, the CEO and founder of Telegram, has reverberated across both the tech industry and society at large. Durov’s detention in France, driven by accusations tied to the misuse of his platform, has sparked global debate. At the heart of the controversy are concerns about the responsibilities of tech leaders in moderating content, which has broad implications for privacy and accountability in the digital age.
As messaging apps become a staple in both personal and professional communications, the preservation and review of messages within these platforms have become critical in various legal contexts. Durov’s detention has intensified discussions around how mobile messaging apps operate, particularly regarding their backend technology, and the challenges that the preservation and review of messages pose during forensic investigations. It is therefore essential
that corporate investigators and law enforcement understand the apps’ underlying technologies and the hurdles those technologies present.
The Growing Role of Messaging Apps in Modern Communication
Before diving into the technicalities of encryption and data storage, it is important to acknowledge the ubiquity of mobile messaging apps in today’s communication landscape. Apps like Telegram, WhatsApp, and Signal are not just tools for personal interaction; they are increasingly used in professional settings. This widespread use raises critical questions: How secure are these platforms? How do they protect (or hinder) access to information? And what impact does their use have on forensic investigations?
The answers to these questions lie in the technical foundations of these apps, which, while designed to protect user privacy, can also complicate efforts to uncover crucial evidence in legal cases.
Encryption: The Paradox of Security
At the core of most messaging apps is encryption, a technology that scrambles messages so that only the intended recipients can read them. End-to-end encryption, used by apps like WhatsApp and Signal, ensures that even the platform providers cannot access the content of the communications. This technology is a powerful tool for protecting user privacy against cyber threats and unauthorized access. However, this same encryption poses significant challenges for
forensic investigators, who may find themselves unable to access vital evidence without the cooperation of the users or the companies behind the apps.
This issue, where the same technology that guards our privacy can also obstruct justice, has become a central concern in discussions about digital privacy laws and the role of technology in society. Both companies and regulators have debated whether to attempt to restrict the use of such apps in certain contexts. However, the privacy features of these apps that facilitate illicit activities also promote users’ privacy, a legitimate interest in free societies, albeit complicating any effort to control or regulate the apps’ use.
Navigating the Complexities of Data Storage and Backups
Beyond encryption, another critical aspect of messaging apps is how they handle data storage and backups. How data is retained varies widely across different platforms. For example, Telegram stores regular chat messages on cloud servers, allowing users to access their messages from any device, while secret chats are stored locally on the devices involved. In contrast, other apps like Signal do not store messages on their servers at all, relying solely on local device storage.
Further, certain applications fragment data, spreading it across multiple devices and cloud servers. Investigators may then have to locate and piece together these fragments before they can even begin analysing the content. Missing, duplicate, or tampered fragments can make it difficult to establish a clear and accurate timeline of events — akin to attempting to assemble a puzzle without the image on the box, where pieces may even be missing or altered.
These differences in data storage can have significant implications for forensic investigations. The ability to access, preserve, and review messages depends heavily on how the app in question manages its data. Apps with cloud storage options might offer more accessible data by allowing access to it even when it may have been deleted from a device.
However, jurisdictional and legal barriers may impede such access. Investigators, even with subpoena powers and/or when working with cooperative companies, may need to navigate how technology companies store data in different countries, each with its own legal requirements and protections.
For apps that store data locally, the collection of the data may be relatively straightforward, with simpler jurisdictional issues and without any need to work with the technology companies. Nevertheless, accessing locally stored data may prove difficult or impossible if the device has been wiped or destroyed. Additionally, while accessing data stored on company-issued devices may be relatively straightforward in some regions for corporate investigators, it may still be
difficult in countries with strong privacy protections. And accessing data, even when it relates to company matters, may simply be impossible for corporate investigators when that data is stored on an employee’s personal device.
The Rising Cost of Non-Compliance in Ephemeral Messaging
In December 2021, JPMorgan Chase agreed to a combined settlement of $200 million with US regulators, including the SEC and CFTC, for allowing employees to use unauthorized messaging platforms like WhatsApp for business communications 1. This fine was part of a broader crackdown on the use of off-channel communications, where employees discussed
sensitive business matters on apps that lacked proper record-keeping capabilities, making it difficult for regulators to monitor financial transactions and ensure compliance. The hefty fines underscored the importance of adhering to federal record-keeping rules and the rising enforcement efforts aimed at securing transparency in communications.
This case was not an isolated incident — many companies across industries, especially in finance, have faced similar penalties. In early 2024, the SEC issued $81 million in fines against 16 Wall Street firms for similar violations, highlighting the ongoing regulatory focus on ephemeral messaging 2. As regulatory bodies continue to impose significant penalties
for breaches, we may see such enforcement actions expand to other regions, including the Middle East.
Companies in the UAE and the wider GCC are increasingly adopting global financial practices. They could thus face similar scrutiny if they fail to govern the use of encrypted or ephemeral messaging platforms properly. For instance, the Dubai Financial Services Authority (DFSA) has issued rules stating that authorized firms must retain “electronic communications” relating to transactions. Guidance to the rule even explicitly states that they must retain communications
made over mobile phones 3.
The Verdict: Should You Ban Private Messaging Apps at your Organization?
In highly regulated industries where there are data retention and transparency requirements, banning messaging apps or limiting their use to non-sensitive communication may be necessary to maintain regulatory compliance. However, simply banning private messaging apps outright may not be necessary or practicable for many organizations. Indeed, it may exacerbate the issue by incentivizing employees to use the apps on their personal mobile phones rather than company devices. Employees use such messaging apps because of the advantages that they confer, including being less formal than email and allowing the sender to know when a message has been viewed.
Given this reality, there are several steps that companies should adopt. First, companies should train employees and ensure that they are aware of the regulatory and practical risks associated with using messaging apps for company business. Second, companies should offer secure, company-approved messaging platforms — such as Microsoft Teams, Slack or Webex — that can help strike a balance between convenience and security. Further, organizations can monitor employee communication activities and identify instances of non-compliance, as well as encourage employees to register work-related chats on messaging apps into the corporate record. Ultimately, the decisions will be based on the companies’ risk profiles and regulatory obligations, with proper safeguards in place to mitigate potential forensic challenges.
Looking Forward: The Future of Forensic Investigations
As mobile messaging apps continue to evolve, so too will the challenges and opportunities they present for forensic investigations. The growing reliance on these platforms means that their role in legal cases will likely increase, but the effectiveness of these investigations will depend on several factors. The ongoing development of digital privacy laws, the adaptability of forensic tools, and the policies and practices of tech companies will all play a crucial role in shaping the
future landscape of digital forensics.
The balance between protecting user privacy and ensuring justice is a delicate one, and how it is managed will have significant implications for both individuals and society as a whole. As we look ahead, it is clear that the intersection of technology and law will continue to be a critical area of focus for both regulators and investigators.
Notes
[1] Source: https://www.sec.gov/newsroom/press-releases/2021-262; https://www.cftc.gov/PressRoom/PressReleases/8914-24
[2] Source: https://www.sec.gov/newsroom/press-releases/2024-18
[3] The DFSA Rulebook, Conduct of Business Module (COB), Section 6.7.1, Record keeping – voice and electronic communications.
https://dfsaen.thomsonreuters.com/sites/default/files/net_file_store/DFSA1547_12383_VER460624.pdf