Element CEO on why enterprises need privacy in the remote work era

When millions were forced to hunker down at home during the pandemic, the global economy would have ground to a halt if not for remote working tools. Many organisations already used software like Zoom, Slack and Microsoft Teams to varying degrees but now they depended on them.

All of a sudden, confidential information that might not have left a meeting room or encrypted on-prem data stores was being discussed freely in virtual chatrooms, sometimes with few to no security protocols – a phenomenon that has continued into the hybrid-work era.

Slack doesn’t have end-to-end encryption, which risks messages or data being intercepted in transit. Microsoft Teams introduced end-to-end encryption in 2021 for business customers but it isn’t the default setting. Both have become regular targets for attackers. 

In response, developers have resorted to building tools to scrape and search Slack for confidential information, lest they fall victim to a data breach such as the one recently suffered by Disney. Enterprise readiness to mitigate or counter these attacks remains poor in the private sector. End-to-end encrypted chat tool Element could be a solution to this problem.

Unlike Slack or Teams, Element is end-to-end encrypted by default. It uses the Matrix protocol, an open source standard designed to introduce privacy to instant messaging conversations and file transfers, which was first launched 10 years ago. The internet isn’t private, and unencrypted messages or data in transit are vulnerable to interception or surveillance, so Matrix was pitched as the “missing communication layer” for the internet to address those problems. Its proponents hoped that Element, its flagship chat client, would promote the use of Matrix and help foster an ecosystem around the protocol.

“There is no understanding of the risks of sending all of your data to Microsoft, where it will sit unencrypted in a single-point-of-failure data centre, that we already know is compromised by [hacking group] Cozy Bear, [Russian military intelligence] the GRU and other nation-state adversaries,” says Matthew Hodgson, the founder and CEO of Element.

“It’s just a matter of time before it’s all leaked in one great big WikiLeaks-style torrent where you can download the entire chat history of anybody ever on Teams,” he says. “It’s just waiting to happen.” With 320 million monthly active Microsoft Teams users, as of early 2024, such a leak would be a disaster.

Could digital sovereignty drive enterprise privacy?

Unusually for privacy tech, open source communities aren’t the only groups spearheading adoption of Element – government departments are also adopting it.

Element counts the German army, the French civil service, NATO and the US Space Force among its customers.

Germany, for example, uses Element for the foundation of its ‘Bundes Messenger’ – a free messaging service for the public sector with a website that touts “sovereignty, security and freedom”. Meanwhile, NATO now uses Element in place of WhatsApp within the organisation. The US, according to Hodgson, is seeking “operational independence” from Microsoft “particularly at the more sensitive classifications”.

“Governments realise it’s absolutely insane to be operationally dependent on a US tech company,” Hodgson says, referring to Microsoft. “What if there is a big cyber attack against this big single point of failure, which would be a really obvious first step in an online cyber war? So we’ve seen a very strong product-market fit with governments.”

Beyond a ‘weird techie thing’

If governments are cottoning on to the risks of insecure and unencrypted remote data, why hasn’t much of the private sector?

People value their digital privacy and surveys show that they will act to defend it. Yet the conversation appears to be missing among many enterprises, whose main concern about privacy starts and ends with compliance around GDPR.

“It’s very frustrating that your typical CISO or CIO or CEO isn’t aware of these privacy risks,” Hodgson says. “Instead we are stuck in this vendor-lock-in dystopia where Microsoft in particular exploits antitrust behaviour patterns to make everyone use Teams effectively for free by bundling it with Windows and Microsoft 365.”

Hodgson suggests part of the reason might be that very few enterprises used communication platforms until recently. It was “email or bust” or maybe phone calls, he says. “So, when Teams rolled around, particularly for non-technical people, it was their first experience of collaborating in this manner,” he says. “People almost cannot imagine a different solution – it would be like moving away from Windows.”

Meanwhile, several large companies, including Google, have this year jettisoned the chief privacy officer role from their C-Suite.

But privacy risks are more pressing than ever. Insecure, unencrypted, personally identifiable or confidential information is seen as an open invitation for attackers to infiltrate organisations and exfiltrate data.

Hodgson hopes that, by pitching to public sector organisations focused on privacy and data sovereignty, Element can be “a bit like the internet” and spread from being a “weird techie thing”, predominantly used by academics, researchers and governments, to more widespread adoption.

“We’re hoping we might manage a similar effect,” Hodgson says. But he concedes it may be a tough road ahead. Unlike the early days of the web, when the only competing communication technologies were BBS, phone lines and fax machines, Hodgson says: “Today we are fighting against a very established incumbent.”