I am building a chatbot for my university in GroupMe, which very popular there. The bot will, for example, allow users to send messages to their chat groups like /menus (assuming that "/" is the character that indicates a command to the bot), or /busschedules, /calendar, etc.
The problem is that the GroupMe bot API behaves in what seems to me like a very bad way from a privacy perspective. It sends a POST request to the bot's (my) server for every new message sent to any group in which the bot is installed (not just messages starting with "/"), unencrypted. For a number of reasons, I don't want to be in a situation where I can read the messages a large number of students at my school. This is not so much so I don't get tempted to read them, as much as:
I don't want to be asked by my school or the police to turn over messages sent by any student, and I think if I provide reasonable notification that the bot sees every message sent, that may turn a lot of students off from using the bot. I can't think of a way to prevent this problem. I don't think any type of server-side encryption is relevant since I receive the data raw (i.e., it's on my server raw at some point, so encrypting it later is useless).
The only solution I've come up with is, to create a 2nd AWS account (I'm using elastic beanstalk, API gateway and Lambda), have that account just be responsible for checking each message and only pass it on if it begins with "/", and then ask some trusted person (for example, the university's IT department) to change and keep the password (an AIM account with only billing privileges would be created to keep credit cards current). To increase security, that AWS account and Lambda script or server could be set to post a message in a public place anytime someone logs in, or if it stops receiving requests from GroupMe (indicating that someone told the GroupMe API to bypass that server).
Is this setup common? Are there other ways to protect people's messages in this context that I'm not thinking of (I have tried googling but not found anything)?