go to content

Can Your Boss Read Your WhatsApp Messages?

Sort of. But not really.

Originally posted on
Updated on

The headlines are pretty alarming: "WARNING: Your boss can now read EVERY Facebook and WhatsApp message you send at WORK," the Daily Express says, using LOTS of CAPITALS.

"Your boss can now read your personal email, Facebook and WhatsApp messages," says the Mirror. The Daily Mail says "Britons have been warned not to use Facebook, Twitter, Google Chat or other messaging platforms at work".

So what's happened to spark the alarm – and are they right that we should be worried?

What's happened?

The warnings all stem from a decision by the European Court of Human Rights this week about an unfair dismissal claim from a man in Romania, who was fired for using his work computer to send personal messages.

The man was fired for chatting with his fiancé and his brother using Yahoo Messenger from his work computer in 2007. As most people now use WhatsApp or Facebook more than Yahoo, the headlines focused on the more recent messaging apps.

His complaint was that his employer violated his privacy by accessing and storing the content of his messages, especially as they covered sensitive topics including his "health and sex life".

The court ruled six-to-one against him, finding that it was reasonable for his employer to track the contents of his messages, as they were doing it to check compliance with their policy of not allowing any personal internet use on work time.

Does that mean my boss can read my messages?

The decision doesn't really change anything: Your boss was probably already both allowed and able to read what you post when you're at work.

If you have access to the internet from a work computer, most major employers – including BuzzFeed – will stipulate in contracts or employee handbooks what you're allowed to do on the internet at work, and in almost all cases, will specifically tell you that they're entitled to monitor what you're doing.

It's worth checking your contract, here. Even if you don't think it's in there, it probably is, and it's often blunt: "Employees should have no expectation of privacy" on work systems is a fairly standard phrase on both sides of the Atlantic.

What does this mean in practice? What has my boss seen? WHAT HAVE I DONE?

Most large employers will have monitoring software of some form or another on their IT systems. This can range from letting bosses remotely and undetectably "snoop" on your screen, to logging the keystrokes you make on your computer, to monitoring your internet history.

However, this doesn't give your boss unlimited power (sorry, bosses). EU data protection rules – as well as human rights protections – mean the data they collect and store must be reasonable and proportionate.

If your boss accesses your internet history through formal channels because they suspect you're breaching the terms of your employment (watching porn at work, for example), they're totally within their rights.

If they use the keylogger to find out your Facebook password and then read your messages late at night for their own prurient interests, they've almost certainly broken the law (in the EU, at least). It's not quite as bad as it seems.

But is my boss reading my WhatsApp, though?

Probably not. While monitoring what you do on your work PC or Mac is quite straightforward, it's a lot less simple for employers to monitor what you're doing on your mobile phone.

If you've got a personal mobile (rather than a company phone), it's impossible for your boss to see your WhatsApp messages – even if you're using the company Wi-Fi to send them. This is because WhatsApp, like Facebook Messenger, iMessage, and other services, now uses strong end-to-end encryption.

If you've got a sophisticated employer, there's a chance they'll be able to see you've used a messaging service on work time through work internet – but they won't be able to see the actual messages. Encryption is great.

If you're using a work phone, there's a chance you're being monitored more closely, but this is actually a little rarer and trickier than desktop surveillance.

If you're using WhatsApp on your work desktop, then the messages are secure in transit (they can't be intercepted), but if your employer is monitoring your screen, or using a keylogger, what you type and what you see will get caught in these. So tread carefully!

What about Gchat (or Google Hangouts)?

There's a couple of things to be careful of here: Firstly, as with WhatsApp, these can be picked up if you're using them on your work computer through screen monitoring or keyloggers (which track what you type).

Otherwise, the thing to watch here is your chat history: By default both Hangouts and GChat log your conversation history, which means it's saved exactly like emails. If you use these services on your work email account, this means they're stored for your boss to peruse at their leisure (for reasonable and proportionate purposes).

It is possible – provided your employer hasn't disabled the setting – to turn chat history off, though. There's a guide on how to do this here, and so far as we can tell, employers can't secretly log chats if history is turned off through Google's tools.

So what did this ruling actually change?

Absolutely nothing. The European Court didn't let your boss do anything they couldn't do last week. Despite the panicked front pages, it's been clear under UK and US law for years that employers can do this.

There are UK employment tribunal cases dealing with internet monitoring at work dating from 2010, there's official government advice to employers on the circumstances internet use can be tracked, and there's longstanding legal advice that your boss can monitor your social media use at work without your consent.

TL;DR – your boss was allowed to monitor your social media use at work before, and still is. But if you do it from your personal mobile, it's quite hard for them to do it.

UPDATE

In a blog for the Huffington Post, the Council of Europe, which the ECHR is a part of, said coverage of this week's ruling had "set something of a new benchmark" for mis-reporting of Europe's institutions.

"Numerous outlets - primarily, but not exclusively, from the UK - have portrayed Tuesday's judgment as giving bosses across the continent a new 'right' to snoop on all of their staff's personal messages sent using Facebook, Twitter, What'sApp, Gmail or any other platform," wrote Council of Europe spokesperson Andrew Cutting.

"It sounds scary, and it makes a good story, but it's not true."

Cutting wrote that the ECHR cannot "invent new rights which instantly apply" and that no legislation had changed in any of the Council of Europe's 46-member states, including the UK.

You can read the full blog post here.

James Ball is a special correspondent for BuzzFeed News and is based in London. PGP: here

Contact James Ball at James.Ball@buzzfeed.com.

Got a confidential tip? Submit it here.