How Not To Think About Wickr: A Primer for Business Leaders

I consider myself a privacy advocate. I read Orwell’s 1984 and want no part of it. But I’ve also been a kid with well-meaning parents, a well-meaning parent myself, a government employee, a small business employee, and a big business employee in a highly regulated industry. In those contexts, privacy is — well, complicated. But only if you’re thinking about it the wrong way.

We’ve all called a bank or service provider and heard something like, “This call will be recorded for quality and training purposes.” That subtle little phrase tells us that the call will likely be heard by more than just us and the company representative with whom we are speaking. 

Do I, a self-described privacy advocate, have a problem with that? Of course not. The company has a legitimate need to record the call, and even though I’m communicating sensitive information, I don’t expect or need my words to be private between me and just one person at the company. However, I do expect and need my words to be private between me and the company as a whole or, ideally, a subset of the same.

Privacy isn’t just about a two-person text chat. 

That’s ground zero, perhaps, or the theoretical limit we aspire to when building a product like Wickr. But the two-person version of privacy is often too simplistic for the parent, business leader, or regulator. That’s ok.  Privacy — real, meaningful privacy — is also delivered in the form of groups, families, teams, and companies. It’s about enforcing a “need to know” boundary, wherever it’s defined.

Business leaders sometimes get caught up in the notion that the things that make Wickr special — end-to-end encryption, ephemeral messaging, zero-trust product design, zero-knowledge system design, etc. — are too rigid for their more complex view of messaging privacy. They’re not.  

While the first version of Wickr released in 2012 was squarely aimed at the ground zero use case, we’ve since poured what we learned into an enterprise communication and collaboration platform that is purpose-built to support the more complex privacy, security, and scaling needs of business users ranging from small to large to highly regulated. As a result of that work, we’ve transformed secure messaging from something that some businesses may once have viewed as disruptive into something that they can no longer risk doing any other way.

How Wickr is different and a more secure messaging solution.

One of the most fundamental differences between the Wickr brand of secure messaging and virtually all other enterprise messaging products is that Wickr is built on a decentralized security model, whereas others embrace centralization. The ramifications of this difference in terms of message privacy can be dramatic when the system is under attack. A messaging system built on centralization is vulnerable to compromise anywhere — on user devices and most notably (and notoriously) at the central server. 

Whether that server is managed privately or by a SaaS provider, it’s not only trusted from a privacy perspective — it’s the MOST trusted thing in the system, beyond even the user devices themselves. One compromise can therefore bring down the whole house of cards and expose an entire system’s worth of data to an attacker. What kind of compromise could have such impact? It can involve several kinds of attacks and vulnerabilities, from those a DevOps team could hope to stay ahead of with a well-oiled patching program, to the “doomsday” types for which there is little chance to avoid, such as 2018’s Spectre/Meltdown or last week’s Intel CSME flaw.

A system built on decentralized security, on the other hand, exposes no single point of failure within the system. It is vulnerable to compromise only at the endpoints, which significantly limits the damage that can be done in any one event, regardless of type. In fact, all of Wickr’s security virtues stem from the following theory: prevent the attacks you can, and minimize the impact of those you can’t.

Why privacy matters to you as a business leader.

If you’re a business leader and you’re thinking about privacy in the context of a two-person text chat, or if you think of Wickr as something that undermines your complex corporate governance or regulatory framework, you’re thinking about it all wrong.

When offered within the administrative control framework of AWS Wickr or the compliance framework of Wickr Enterprise, end-to-end encryption, ephemeral messaging, zero-trust product design, and zero-knowledge system design are not rigid security mechanisms that can appeal to only elite users with no secondary corporate policy or compliance concerns. They are table stakes data protections for anyone who is serious about securing business communications.