"Consumer messaging apps were never designed to handle sensitive communications" – Government decision-makers are confused about messaging security, BlackBerry report finds

Despite official warnings, they're still routinely using WhatsApp for confidential communications


Government and critical infrastructure organizations are deeply confused about messaging security, with the vast majority using consumer messaging apps for sensitive discussions, according to BlackBerry research.

In a survey of 700 security decision-makers in the US, UK, Canada, and Singapore, researchers at BlackBerry Secure Communications have found that 83% use WhatsApp for sensitive communications.

Indeed, they said, it's the most-used communication method, at 83%, way ahead of personal email, at 54%, and Teams at 50%.

They showed little understanding of what security these apps actually provide, with 52% wrongly believing that encryption protects metadata, including location data, IP addresses, and communication patterns, and 47% thinking it prevents impersonation, deepfake, or spoofing attacks. More than four-in-ten thought that communications are still secured, even after a device has been compromised.

"Consumer messaging apps were never designed to handle sensitive communications, protect confidentiality, or meet the demands of high-security environments," said Christine Gadsby, chief security advisor at BlackBerry Secure Communications.

"They rely on phone numbers, not verified identities – and encryption protects the channel, not who is on it. That gap is already being exploited, as recent intelligence warnings show, and governments and critical infrastructure organizations are responding by moving toward communications infrastructure they own and trust."

The problem is that only 10% fully understand what encryption actually protects, with more than seven-in-ten viewing end-to-end encryption (E2EE) as a comprehensive security solution.

Their main misconceptions are that E2EE protects data before it is encrypted or after it is decrypted, that it verifies or protects the identity of the communicating parties, that it hides or protects metadata, and that it can secure devices that may already have been compromised. This misunderstanding was found fairly uniformly across all four countries surveyed, ranging from 89% to 91%.
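To make concrete which of those misconceptions a working end-to-end encrypted channel actually addresses, here is an added illustration; it is not from the BlackBerry report or this article, and it uses a toy HMAC-SHA256 counter-mode cipher from the Python standard library in place of the real AEAD a messenger would use. The phone numbers and message text are constructed sample values. The point it shows: the relay delivering the message sees sender, recipient, time and message length without any key; an endpoint holding the key sees everything, so a compromised device is inside the encryption, not outside it; and the "from" field is a phone-number label that encryption carries along and protects from tampering, not a verified identity.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Stand-in for a real AEAD.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> dict:
    # Encrypt-then-MAC; the tag also covers the associated data (aad).
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _open(key: bytes, box: dict, aad: bytes) -> Optional[bytes]:
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # ciphertext or the bound routing fields were altered
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_key() -> bytes:
    # Pairwise session key. In a real app it comes from a key exchange and is
    # stored on both endpoints' devices, which is exactly why a compromised
    # endpoint can read everything.
    return secrets.token_bytes(32)


def build_envelope(sender: str, recipient: str, key: bytes, text: str) -> dict:
    # What the sending app hands to the relay. Routing fields stay in the clear
    # so the server can deliver; binding them into the tag stops silent
    # alteration but does nothing to hide them.
    envelope = {"from": sender, "to": recipient, "sent_at": int(time.time())}
    aad = json.dumps(envelope, sort_keys=True).encode()
    envelope["body"] = _seal(key, text.encode(), aad)
    return envelope


def relay_view(envelope: dict) -> dict:
    # Everything the relay, or anyone watching its traffic, learns with no key.
    return {
        "sender": envelope["from"],
        "recipient": envelope["to"],
        "sent_at": envelope["sent_at"],
        "ciphertext_bytes": len(envelope["body"]["ct"]) // 2,  # length leaks
        "content": None,
    }


def endpoint_view(key: bytes, envelope: dict) -> Optional[str]:
    # Any device holding the key decrypts. E2EE does not distinguish the
    # legitimate endpoint from a compromised one holding the same key.
    routing = {k: envelope[k] for k in ("from", "to", "sent_at")}
    aad = json.dumps(routing, sort_keys=True).encode()
    plaintext = _open(key, envelope["body"], aad)
    return None if plaintext is None else plaintext.decode()


if __name__ == "__main__":
    k = make_key()
    env = build_envelope("+15550100", "+15550200", k, "constructed sample: meet at 09:00")
    print("relay sees:", relay_view(env))
    print("endpoint with key sees:", endpoint_view(k, env))
```

Running it prints the relay's metadata view with `content` set to `None` alongside the full plaintext recovered by the key-holding endpoint; editing the `from` number after sealing makes `endpoint_view` return `None`, which is integrity of the label, not proof of who typed the message.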

"Organizations believe one thing while doing another. They recognize threats but trust tools that do not address them. They require capabilities their platforms cannot provide. They express confidence that exceeds their actual preparedness," the researchers concluded.

The problem, they said, is a mismatch between what security tools do and what organizations believe they do, and between policy requirements and infrastructure architecture.

"This translation failure has been enabled by marketing that emphasizes strengths while obscuring limitations, by procurement processes that accept vendor claims without independent verification, and by the natural human tendency to believe that visible security measures provide comprehensive protection," the researchers said.

Intelligence agencies in the US, the UK, and Europe have repeatedly warned about the risks of messaging apps.

Last month, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in the US, together with the UK's National Cyber Security Centre (NCSC), warned that Russian intelligence services were bypassing encryption in commercial messaging applications to compromise individual user accounts, including those of current and former US government officials, military personnel, political figures, and journalists.

And there's been similar activity from China-affiliated APT31 and Iran's Islamic Revolutionary Guard Corps (IRGC).

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.