Mobile Messaging in the Public Sector after Schrems II

So. You work in the Public Sector or a Trade Union in Sweden and your organisation has mobile apps?

Interesting. You have a legal duty of confidentiality to your employees, members and the general public.

But - the chances are your apps are using products like Google Firebase Messaging and Apple Push Notification Service to send notifications to your users.

This presents a tiny dilemma. Information that you send to notify your users travels through - and is stored on - infrastructure owned by US companies. Not only does this mean that an unknown number of the literally hundreds of thousands of employees of these companies may have access to your confidential communications, but also that any 3-letter agency in the US can access those communications without your knowledge. They can then even send that information onward to any of the "5-eyes" affiliated states.

So the truth is you do not know who has access to your messages once you click "send"!

Your private info is public
Your confidential info simply isn't.

 

Note that this is not just an issue of trust - whether one "trusts" these companies or not is absolutely irrelevant (even though such trust is misplaced). US companies can be compelled by US law to allow access to your information by a foreign state, no matter where it is located, and furthermore be compelled by US law not to inform you.

To make matters worse, Apple forces applications to use its own APNS messaging infrastructure - third-party push notifications are explicitly forbidden and cannot run on Apple iOS. To send messages to iOS devices, one must use Apple's infrastructure.

Oh dear. 

 

Here at Digitalist Sweden, as part of our initiative "The Open Nation", we are committed to integrity and confidentiality within public organisations. As such, we are researching methods to circumvent the vendor lock-in and security exposure of these services, so as to better protect the integrity of our clients and their users through the use of software that is neither proprietary nor patent-encumbered.

One such idea under discussion is to use the proprietary messaging services to deliver end-to-end encrypted communications in our applications, or to simply send silent "background" notifications with no content useful to a 3rd party. Our apps may then use these notifications as a trigger to retrieve the message content from infrastructure not subject to legal notices from a foreign state.
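The silent-notification variant described above, sketched as an added example (not Digitalist's code). The in-memory store, the `ref` field and all function names are assumptions; the APNs headers and the `content-available` key are the standard ones for background pushes, and the FCM structure follows the HTTP v1 message format.

```python
import json
import re
import secrets

_STORE = {}  # constructed stand-in for a message store on infrastructure you control
_REF = re.compile(r"^[A-Za-z0-9_-]{22}$")  # shape of secrets.token_urlsafe(16)

def queue_message(user_id, body):
    """Keep the confidential body server-side; return an opaque reference."""
    ref = secrets.token_urlsafe(16)  # random, reveals nothing about the body
    _STORE[ref] = (user_id, body)
    return ref

def is_content_free(fields):
    """Allow-list check: the only custom field is an opaque reference."""
    return set(fields) == {"ref"} and bool(_REF.match(str(fields["ref"])))

def _wakeup_fields(ref):
    fields = {"ref": ref}
    if not is_content_free(fields):  # fail closed before anything leaves the server
        raise ValueError("push payload may only carry an opaque reference")
    return fields

def apns_wakeup(ref):
    """Headers and JSON body for an APNs background (silent) notification."""
    headers = {"apns-push-type": "background", "apns-priority": "5"}
    payload = {"aps": {"content-available": 1}, **_wakeup_fields(ref)}
    return headers, json.dumps(payload)

def fcm_wakeup(device_token, ref):
    """FCM HTTP v1 data-only message: no 'notification' block, nothing displayed."""
    return {"message": {
        "token": device_token,
        "data": _wakeup_fields(ref),
        "apns": {"headers": {"apns-push-type": "background", "apns-priority": "5"},
                 "payload": {"aps": {"content-available": 1}}},
    }}

def fetch_message(user_id, ref):
    """Called by the app over its own authenticated channel after the wake-up."""
    owner, body = _STORE.get(ref, (None, None))
    if owner is None or owner != user_id:
        raise PermissionError("unknown reference or wrong user")
    del _STORE[ref]  # single use: a replayed reference returns nothing
    return body
```

The push provider still sees which device was woken and when, so this removes message content from the third party's view, not the delivery metadata.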

We shall keep you posted.