WhatsApp banned on House staffers' devices
96 comments
· June 23, 2025 · benced
ghc
Perhaps you're unaware that there is a special, DoD-certified version of Teams called "Gov Teams", which can be used to share data at multiple impact levels securely. This version of Teams, and the entire Office365 suite, has undergone extensive security certification for use with high IL data.
worik
> has undergone extensive security certification
Yea, right
pimlottc
They're almost certainly not using the same version as the general public. Most major service providers have a specific version for government with additional controls and restrictions and have undergone certification through FedRAMP, including Microsoft:
https://www.microsoft.com/en-us/microsoft-365/government
Some other examples:
- AWS GovCloud https://aws.amazon.com/govcloud-us/
- Google Workspace for Government https://workspace.google.com/industries/government/
- GovSlack https://slack.com/solutions/govslack
- Atlassian Government Cloud https://www.atlassian.com/government
karlgkk
> it's just flatly wrong
The unwarranted confidence is stunning in a post that is so fundamentally incorrect. I don't like Teams, but your take is deeply unaligned with reality.
GuB-42
It doesn't mean that MS Teams is safer, it means that the government has tighter control on MS Teams.
Or maybe that Microsoft pays more than Meta.
alephnerd
MS products allow you to store data locally without any egress, so an IT team has access to it.
This is the sticking point, because WhatsApp has now integrated Meta AI into the app, but (obviously) does not provide an on-prem data store. This is why Deepseek AI (the Deepseek app) and ChatGPT (the OpenAI app) are barred as well.
Data Stewardship and Zero Trust has been an internal initiative in the House for a couple years now.
The fact that almost no one on this thread knows these (imo overused) terms and design patterns highlights one of the various major gaps in Software Dev I've been observing for several years now - especially the North American market (given the hours that this was posted). The inability to incorporate or understand some basic security architectures is a major gap.
Edit: Keep pushing the downvotes. The truth hurts, and plays a role in jobs leaving, and funds like my employer funding cybersecurity startups in Israel, India, and Eastern Europe because the ecosystem doesn't exist in the US anymore. A similar trend happened in data layer related work.
We don't need more SKLearn plumbers calling themselves "ML Engineers" or Angular monkeys calling themselves "Fullstack Engineers" - we need people who truly understand fundamentals (or - shudders - first principles), be they mathematical (optimization), systems (virtualization), or algorithms (efficient data structures)
tsumnia
> The fact that almost no one on this [thread] knows these
It's not that they aren't known, but rather we just came off a long trend of thin-clients and cloud storage. Some companies merely stay in that ethereal space, while others had concerns about their data. Criticizing people for doing what experts were pushing for the past 20 years doesn't need to devolve into calling their expertise into question.
The downvotes are for that, not because "you're wrong".
HWR_14
Isn't deepseek 100% open source?
kube-system
Teams absolutely has more compliance controls than WhatsApp. Encryption, compliance, data governance, security, etc are all related but very different things.
Angostura
Teams doesn’t require access to my entire contacts book on my phone to run smoothly. I can choose the individuals whose contact details I want to give it
Goronmon
How is WhatsApp safer to use than Microsoft Teams?
swarnie
I ban WhatsApp but require Teams on company devices.
Can you explain why the thinking is wrong?
benced
This is very reasonable if you have compliance needs or similar. That’s not what this office is saying - it’s saying Teams is more secure. This is wrong. The nature of banning private messaging apps is trading security for legibility. If this office is interested in that (which it’s not - it allows Signal), they should say so.
swarnie
I do have a compliance need, similar to this office I imagine.
Teams is more secure in my opinion.
I as an admin can control who you can/can't talk to, what you can share with them, when you can share it. Correctly configured MS Teams is a pretty secure setup.
On the flipside I'm not sure I can make someone else's WhatsApp not auto download anything sent to it.... The two apps aren't really comparable unless I've missed an entire 'WhatsApp for government/enterprise' business arm.
egberts1
Not wrong.
MS Teams allows for offline/local storage of its video/chat conferencing.
v5v3
Government: Zuck put a backdoor in WhatsApp or we will put you in a blacksite UFC ring and beat you up.
Also Government: WhatsApp has a backdoor. Don't use it.
godelski
Also government: installed special version of Signal that includes a backdoor (logs)
People: don't use Signal! It has a back door! Instead, use Telegram, it doesn't have encryption by default and is highly suspect of a foreign adversary
Also people: "I'll just send copies of all my messages to the government because they have my data anyways"
nicce
Also Government: uses Israel-backdoored custom Signal
linotype
What source do you have for that?
mattnewton
They used it in view of press cameras, many articles about this but here’s the first one from Google for me: https://www.404media.co/mike-waltz-accidentally-reveals-obsc...
moomin
Jeffrey Goldberg.
immibis
Yeah but Israel is Israel, so there's no actual problem there. Now, if it was Iran...
some_random
The Government is made up of a huge number of organizations with competing goals, budgets, capabilities, and interests.
midtake
Explains why Zuck has been training Brazilian jiu-jitsu.
gruez
>Government: Zuck put a backdoor in WhatsApp or we will put you in a blacksite UFC ring and beat you up.
Source?
>Also Government: WhatsApp has a backdoor. Don't use it.
If "zuck" is really in the pocket of the US government, why should they worry about their own backdoors?
latexr
> If "zuck" is really in the pocket of the US government, why should they worry about their own backdoors?
Have you ever watched a Saturday morning cartoon? Minions betray their masters all the time. An effective evil overlord doesn’t underestimate their lackey’s capacity for duplicity and betrayal at a pivotal moment.
The most fun may even appreciate the gall: https://memory-alpha.fandom.com/wiki/The_Nagus_(episode)#:~:...
kurthr
Once it's backdoored you don't know who's watching it.
It's the most hilarious thing about backdoors or collecting extensive covert intel on your own population, that any failure of opsec makes it much easier for all your adversaries to also spy on them in ways they would never otherwise be able to, then compromise them, and flip them.
bix6
Why would there be a source for a backdoor of a closed source application?
some_random
Usually when you make important claims it's expected you back them up with some sort of evidence.
0x457
Sources to back up the claim, not source code of the application.
ElevenLathe
House (legislative branch) staffers presumably don't want executive branch snoops reading their group chats. Doubly so for Democratic staffers not wanting specifically the Trump executive branch reading them.
numair
some_random
Software frequently has bugs and sometimes they have security implications. In order to claim that a specific bug is a backdoor you need to have evidence beyond the existence of a bug.
duxup
I can't imagine any justification for any government device that should be secure to have anything on it but the bare minimum software and the device in whatever hardened mode it has.
If they visit the White House, government facility ... should go in a locker.
I worked for a company that sent people onsite to government contractors. One contractor we rarely visited was at a facility where you arrived at the front gate in your rental car with your ID, keys, and equipment you needed. You were told if you brought anything else expect to lose it.
They took your ID and keys at the gate, searched the car, you were blindfolded and they escorted you to the location of the equipment. If you had to go to the bathroom you were escorted (all the way...). You left with the clothes on your back.
We went through a lot of laptops, but ... that place was secure.
jandrewrogers
> "Messages on WhatsApp are end-to-end encrypted by default, meaning only the recipients and not even WhatsApp can see them."
The handling and metadata around encrypted messages is nearly as exploitable as the actual message contents. End-to-end encryption is necessary but not sufficient. The infrastructure has to be designed to minimize risk of other forms of exploitive analysis as well but in the case of WhatsApp that is essentially their business model.
dijit
If the network controls the endpoints; then E2EE is meaningless.
benced
What implementation of end to end encryption doesn't involve this?
dijit
OTR, for IRC/XMPP, PGP for Email and Olm/Megolm provided by Element for Matrix operators.
Essentially the software creating the keys is not controlled by the same entity controlling the transmission method.
In email/matrix you have an additional protection in that you can host your own server; the best protection is the one you never have the possibility of traffic being diverted, and even if it was it would be encrypted so that the server doesn’t leak anyway, security is like an onion after all.
williamscales
I mean, regardless of any argument about WhatsApp, shouldn't installing any app on a government phone that's not allowed be impossible? Sheesh. This shouldn't even be a discussion in the first place.
theodric
When I was at unnamed major financial institution, we were ordered to stop using WhatsApp, but it had nothing to do with security and everything to do with avoiding even the possibility of the appearance of backroom dealing or production avoidance in the event of subpoena. Maybe the truth has more to do with that, or maybe not, what do I know, who are all you people anyway, and why am I posting here?
kube-system
> nothing to do with security and everything to do with avoiding even the possibility of the appearance of backroom dealing or production avoidance in the event of subpoena
But that is a concern of information security.
Compliance is often part of this calculus, and many on this forum get wrapped around the axle thinking it's always about cryptography or something. Encryption is only a small part of the broader practice of information security.
Marsymars
WhatsApp also feels... tonally weird to use at a serious company, like in the same way it would feel weird to be using snapchat for team meetings.
oceansky
WhatsApp is already the de facto communication channel in a lot of countries.
In Brazil even subpoenas can be sent via WhatsApp.
BeetleB
Heh. I have a friend here in the US. His father passed away in his home country. No will. The whole family needed to show up in court for probate, but he could not travel at that time.
The court: "No problem, just join the session on video using WhatsApp"
LgLasagnaModel
Totally agree. Now let me go play with this model I got off of Hugging Face
GuinansEyebrows
i feel the same way about so many government departments switching to X as a primary public communications platform instead of... you know, the open web (with distribution to downstream closed platforms), as they always have. it just reeks of unseriousness.
GuinansEyebrows
i heard (anecdotally) that wall street used to run on Yahoo IM - fascinating. do you know if that extended into your previous employer?
axus
> "We know members and their staffs regularly use WhatsApp and we look forward to ensuring members of the House can join their Senate counterparts in doing so officially," Stone said.
Go on...
alephnerd
This is due to the addition of Meta AI in WhatsApp [0].
Unsurprisingly, data egress to third parties is a major security vector - especially for mission critical jobs like working in the House. MS apps incorporating Copilot have faced similar blocks as well.
This requirement for data stewardship is called out in HITPOL8 as well [1][2] (the AI tool standards set by the House CAO).
[0] - https://faq.whatsapp.com/203220822537614/?cms_platform=iphon...
[1] - https://cha.house.gov/_cache/files/4/2/42dca19e-194b-481e-b1...
[2] - https://cha.house.gov/_cache/files/0/8/08476380-95c3-4989-ad...
esafak
Source for reason?
alephnerd
The article as well as HITPOL8 [0][1]. WhatsApp has been blocked for the same reason Deepseek AI (the Deepseek app) is blocked - "Stewardship of Legislative Branch Data".
[0] - https://cha.house.gov/_cache/files/4/2/42dca19e-194b-481e-b1...
[1] - https://cha.house.gov/_cache/files/0/8/08476380-95c3-4989-ad...
deadbabe
Maybe they should use Meshtastic
aaroninsf
Serious question: who else takes for granted that Zuck gets a daily summary of all high-level federal governmental communications, as harvested via backdoors or simply from non-end-to-end encrypted traffic on any Meta property?
I assume he does. I assume moreover that most people aware of this at Meta consider this due diligence in defending shareholder value. What's that line from Dune 2, a wise hunter climbs the tallest hill? _You need to see._
baxtr
>Andy Stone, a spokesperson for WhatsApp parent company Meta, said in a statement to Axios, "We disagree with the House Chief Administrative Officer's characterization in the strongest possible terms."
(..)
"Messages on WhatsApp are end-to-end encrypted by default, meaning only the recipients and not even WhatsApp can see them. This is a higher level of security than most of the apps on the CAO's approved list that do not offer that protection."
josefritzishere
This seems sensible.
I'm sorry, it's just flatly wrong to suggest Microsoft Teams is safer than WhatsApp and everyone here bandwagoning on this ridiculous decision should feel bad.