DoJ worries messaging apps could hide evidence of crime, corruption
Record keeping rules might need a tweak to ensure content is preserved
The United States Department of Justice is considering new guidelines for how businesses use messaging apps, so that they're not employed as a back channel to hide corrupt behavior.
The DoJ's interest in messaging apps was first stated in a September 2022 memorandum [PDF] on Corporate Criminal Enforcement Policies penned by deputy attorney general Lisa Monaco.
In that document, Monaco called for US organizations to implement "effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved" so they are available during criminal investigations.
A Thursday speech by acting principal deputy assistant attorney-general Nicole M Argentieri at the 39th International Conference on the Foreign Corrupt Practices Act (FCPA) hinted that proving compliance with the law may soon include similar requirements for messaging apps. The Act is the USA's legal instrument to prevent citizens and entities bribing foreign officials.
- US Justice Dept reportedly checking AI rent-pricing biz RealPage
- Uncle Sam says Chinese agents tried to interfere with Huawei criminal case in US
- SolarWinds and Dynatrace directors resign over antitrust concerns
- DoJ ‘very disappointed’ with probation sentence for Capital One hacker Paige Thompson
Argentieri's speech mostly concerned how the DoJ and its foreign partners police the Act. But in a final section she discussed policy changes – among them the possibility that compliance programs will include directives on the use of messaging apps.
"We at the Department recognize that there may be legitimate reasons for the use of these applications, such as reliability and enhanced security through end-to-end encryption," she said, before admitting "they also present significant challenges for companies' ability to ensure they have a well-functioning compliance program and ability to access such communications when necessary."
"Under the current rubric, the Department considers whether companies that permit employees to use these ephemeral messaging platforms are continually assessing and revising their policies in compliance with their legal obligations, including those related to retention," she added.
To date the DoJ's Corporate Enforcement Policy (CEP) has not specifically addressed messaging apps. They're probably covered under requirements that prohibit "improper destruction or deletion of business records" and require "appropriate guidance and controls" of personal communications and ephemeral messaging platforms.
But in light of the Criminal Division's guidance on messaging apps, the DoJ is considering measures that outline requirements for their use and management in the context of proving FCPA compliance.
Argentieri could not say what regulations, if any, the DoJ will require. But she promised they would be "clear and predictable."
The DoJ has thus given organizations two warnings that they need to ensure content staff produce using messaging apps is properly managed and preserved.
That will excite vendors of mobile device management (MDM) products – but probably also terrify them just a little. Myriad apps and services include messaging functionality that workers could use to discuss business matters.
Most MDM vendors make it possible for end users to employ personal devices for work purposes – usually by walling off a set of apps issued by a business from those an individual chooses for their own use. Such regimes can't force a user to use only a messaging app from within the managed environment on a device.
Yet the DoJ clearly wants all messages managed.
Grab some popcorn. This could be fun. ®