WhatsApp just got banned on Capitol Hill. Here's how you can make the Meta messaging platform more secure


Fast Company, 3 hours ago

The U.S. House of Representatives' Chief Administrative Officer (CAO), Catherine Szpindor, informed congressional staffers this week that WhatsApp is now banned from government phones. The move came after the CAO's Office of Cybersecurity deemed the Meta-owned app to be 'high-risk to users'—a claim that WhatsApp quickly rebutted.
But the CAO is correct. While WhatsApp is one of the more secure messaging apps out there, it does have some privacy and security risks. Users can mitigate some of these risks, but others are beyond their control. Here's why WhatsApp is now banned in the U.S. House of Representatives and how you can make the app more secure on your phone.
What the Office of Cybersecurity said, exactly
The news that the CAO's Office of Cybersecurity had announced a ban on WhatsApp this week came from Axios. On Tuesday, the publication published parts of an internal CAO memo it received, which was sent to congressional staffers on Monday, announcing that WhatsApp was now verboten on government phones.
The memo stipulated that 'House staff are NOT allowed to download or keep the WhatsApp application on any House device, including any mobile, desktop, or web browser versions of its products.' It went on to add: 'If you have a WhatsApp application on your House-managed device, you will be contacted to remove it.'
The reason? According to the memo, 'The Office of Cybersecurity has deemed WhatsApp a high-risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use.'
The CAO didn't provide further details in the memo regarding the above risks. Still, it's easy to infer some of the things that may have made the CAO leery about congressional staffers continuing to use WhatsApp.
WhatsApp's transparency issue
WhatsApp, like competing secure messaging apps including Apple's iMessage and Signal, is end-to-end encrypted, meaning that no parties other than the ones in the chat, not even Meta, can read the chat messages. But WhatsApp collects a lot more metadata from each chat than other secure messaging apps do, and it sends this info to Meta.
A chat's metadata includes information such as the identities of the chat participants, IP addresses, phone numbers, and the timestamps of messages. No one knows exactly what Meta does with this metadata. Still, it is shared with Meta's other platforms, including Instagram and Facebook. It is likely used to help the company build social graphs of users, leveraged for advertising purposes, and analyzed by the company to understand who is using its apps, and when and where. This opacity is likely part of the 'lack of transparency' risk that the CAO was referring to.
As for the 'absence of stored data encryption,' the CAO may have been referring to the default method by which WhatsApp backs up a user's chats. While WhatsApp chats are end-to-end encrypted, if a user backs up those chats to the cloud, the backup itself is not end-to-end encrypted by default. This means that if a bad actor gains access to a WhatsApp user's cloud backup, they could read all of that user's messages. It's no wonder the CAO's Office of Cybersecurity finds this worrying.
WhatsApp also doesn't have other privacy and security features on by default, including the ability to lock the app behind biometrics and requiring two-step verification when a WhatsApp account is installed on another phone.
If you don't work in the House of Representatives, you can still keep WhatsApp on your phone. But you might want to mitigate its privacy and security risks. Here's how.
How to make WhatsApp more secure on your phone
Unfortunately, there's nothing you can do about WhatsApp's metadata problem. Meta designs WhatsApp so that the metadata of your chats is sent directly to the company. There's no way you can turn this data collection off. But you can make the app more secure on your phone by following some simple steps, including:
End-to-end encrypt your WhatsApp backups: In WhatsApp, go to Settings>Chats>Chat Backup>End-to-End Encrypted Backup and turn this option on. Now your chat backups saved in the cloud will be end-to-end encrypted.
Lock WhatsApp: You can set WhatsApp to refuse to open without further authentication by locking the app. This means that even if someone has access to your unlocked phone, they won't be able to open WhatsApp unless they know your phone's PIN, or have your face or fingerprint. To lock WhatsApp, go to WhatsApp's Settings>Privacy>App Lock and toggle the feature on.
Enable two-step verification: If someone logs into your WhatsApp account on their phone, they'll be able to see your messages. That's why you should set up two-step verification for your account. This will require a PIN that you set to be entered whenever an attempt is made to log into your WhatsApp account on a new device. If the PIN isn't entered correctly, the new device won't have access to your account. To enable two-step verification, go to WhatsApp's Settings>Account>Two-Step Verification and toggle the feature on.
Apps the CAO suggests using instead
When reached for comment on the CAO's decision to ban WhatsApp, the organization's chief administrative officer, Catherine Szpindor, told Fast Company, 'Protecting the People's House is our topmost priority, and we are always monitoring and analyzing for potential cybersecurity risks that could endanger the data of House Members and staff. We routinely review the list of House-authorized apps and will amend the list as deemed appropriate.'
In the past, the CAO has banned or imposed partial bans on various foreign apps, including those from ByteDance, such as TikTok. But the CAO has also previously announced bans or restrictions on apps made by American companies, including Microsoft Copilot and the free versions of ChatGPT.
As for Meta, a company spokesperson told Fast Company that it disagrees with the CAO's characterization of WhatsApp 'in the strongest possible terms.' The spokesperson also asserted that, when it comes to end-to-end encryption, WhatsApp offers 'a higher level of security than most of the apps on the CAO's approved list that do not offer that protection.'
In the Office of Cybersecurity's memo, the agency provided guidance on alternative secure messaging apps that House staffers could use now that WhatsApp had been banned. According to Axios, those apps include Apple's iMessage and FaceTime, Microsoft Teams, Wickr, and Signal.
