The U.S. House of Representatives’ Chief Administrative Officer (CAO), Catherine Szpindor, informed congressional staffers this week that WhatsApp is now banned from government phones. The move came after the CAO’s Office of Cybersecurity deemed the Meta-owned app to be “high-risk to users”—a claim that WhatsApp quickly rebutted.
But the CAO is correct. While WhatsApp is one of the more secure messaging apps out there, it does have some privacy and security risks. Users can mitigate some of these risks, but others are beyond their control. Here’s why WhatsApp is now banned in the U.S. House of Representatives and how you can make the app more secure on your phone.
What the Office of Cybersecurity said, exactly
The news that the CAO’s Office of Cybersecurity had announced a ban on WhatsApp this week came from Axios. On Tuesday, the publication published parts of an internal CAO memo it received, which was sent to congressional staffers on Monday, announcing that WhatsApp was now verboten on government phones.
The memo stipulated that “House staff are NOT allowed to download or keep the WhatsApp application on any House device, including any mobile, desktop, or web browser versions of its products.” It went on to add: “If you have a WhatsApp application on your House-managed device, you will be contacted to remove it.”
The reason? According to the memo, “The Office of Cybersecurity has deemed WhatsApp a high-risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use.”
The CAO didn’t provide further details in the memo regarding the above risks. Still, it’s easy to interpret some of the things that may have made the CAO leery about the continued use of WhatsApp by Congressional staffers.
WhatsApp’s transparency issue
WhatsApp, like competing secure messaging apps including Apple’s iMessages and Signal, is end-to-end encrypted, meaning that no parties other than the ones in the chat, even including Meta, can read the chat messages. But WhatsApp collects a lot more metadata from each chat than other secure messaging apps do, and it sends this info to Meta
A chat’s metadata includes information such as the identities of the chat participants, IP addresses, phone numbers, and the timestamps of messages. No one knows exactly what Meta does with this metadata. Still, it is shared with Meta’s other platforms, including Instagram and Facebook. It is likely used to help the company build social graphs of users, leveraged for advertising purposes, and analyzed by the company to understand who is using their apps, and when and where. This opaqueness is likely some of the “lack of transparency” risk that the CAO was referring to.
As for the “absence of stored data encryption,” the CAO may have been referring to the default method by which WhatsApp backs up a user’s chats. While WhatsApp chats are end-to-end encrypted, if a user backs up those chats to the cloud, the backup itself is not end-to-end encrypted by default. This means that if a bad actor gains access to a WhatsApp user’s cloud backup, they could read all of that user’s messages. It’s no wonder the CAO’s Office of Cybersecurity finds this worrying.
WhatsApp also doesn’t have other privacy and security features on by default, including the ability to lock the app behind biometrics and requiring two-step verification when a WhatsApp account is installed on another phone.
If you don’t work in the House of Representatives, you can still keep WhatsApp on your phone. But you might want to mitigate its privacy and security risks. Here’s how.
How to make WhatsApp more secure on your phone
Unfortunately, there’s nothing you can do about WhatsApp’s metadata problem. Meta designs WhatsApp so that the metadata of your chats is sent directly to the company. There’s no way you can turn this data collection off. But you can make the app more secure on your phone by following some simple steps, including:
- End-to-end encrypt your WhatsApp backups: In WhatsApp, go to Settings>Chats>Chat Backup>End-to-End Encrypted Backup and turn this option on. Now your chat backups saved in the cloud will be end-to-end encrypted.
- Lock WhatsApp: You can set WhatsApp to refuse to open without further authentication by locking the app. This means that even if someone has access to your unlocked phone, they won’t be able to open WhatsApp unless they know your phone’s PIN, or have your face or fingerprint. To lock WhatsApp, go to WhatsApp’s Settings>Privacy>App Lock and toggle the feature on.
- Enable two-step verification: If someone logs into your WhatsApp account on their phone, they’ll be able to see your messages. That’s why you should set up two-step verification for your account. This will require a PIN that you set to be entered whenever an attempt is made to log into your WhatsApp account on a new device. If the PIN isn’t entered correctly, the new device won’t have access to your account. To enable two-step verification, go to WhatsApp’s Settings>Account>Two-Step Verification and toggle the feature on.
Apps the CAO suggests using instead
When reached for comment on the CAO’s decision to ban WhatsApp, the organization’s chief administrative officer, Catherine Szpindor, told Fast Company, “Protecting the People’s House is our topmost priority, and we are always monitoring and analyzing for potential cybersecurity risks that could endanger the data of House Members and staff. We routinely review the list of House-authorized apps and will amend the list as deemed appropriate.”
In the past, the CAO has banned or imposed partial bans on various foreign apps, including those from ByteDance, such as TikTok. But the CAO has also previously announced bans or restrictions on apps made by American companies, including Microsoft Copilot and the free versions of ChatGPT.
As for Meta, a company spokesperson told Fast Company that it disagrees with the CAO’s characterization of WhatsApp “in the strongest possible terms.” The spokesperson also asserted that, when it comes to end-to-end encryption, WhatsApp offers “a higher level of security than most of the apps on the CAO’s approved list that do not offer that protection.”
In the Office of Cybersecurity’s memo, the agency provided guidance on alternative secure messaging apps that House staffers could use now that WhatsApp had been banned. According to Axios, those apps include Apple’s iMessage and FaceTime, Microsoft Teams, Wickr, and Signal.
House workers have no choice in the matter, but you still do. If you decide to continue using WhatsApp, consider enhancing the privacy and security it already offers by enabling the optional protections described above.
The extended deadline for Fast Company’s Next Big Things in Tech Awards is this Friday, June 27, at 11:59 p.m. PT. Apply today.
