House bans WhatsApp
WhatsApp declared “high-risk” by the House CAO
Today, June 23, 2025, the U.S. House of Representatives banned WhatsApp to make a point: in government and tightly regulated finance, “good security” is more than just end-to-end (E2E) encryption. The Chief Administrative Officer’s memo, reported by Axios, labels WhatsApp “high-risk” because of its *“lack of transparency in how it protects user data”* and “absence of stored-data encryption.”
Encryption isn’t enough without tamper-proof storage
WhatsApp does encrypt messages, but it doesn't store them in a tamper-proof, searchable way that laws like FOIA and the Federal Records Act require. That means agencies can’t prove what was said if someone asks for the records. As WhatsApp’s own FAQ explains:
“WhatsApp's end-to-end encryption is used when you chat with another person using WhatsApp Messenger. End-to-end encryption keeps your personal messages and calls between you and the person you’re communicating with. No one outside of the chat, not even WhatsApp, can read, listen to, or share them. “
WhatsApp transmits messages via E2EE by default. (That’s a ‘duh’ moment.) But here’s the kicker: optional encrypted backups, although available, are off by default, so the retention is user-controlled.
WhatsApp’s retention limits: 30-day undelivered, instant purge for delivered
WhatsApp holds undelivered conversations for thirty days, but delivered messages are never kept on WhatsApp’s servers. The messages are ephemeral, failing FOIA tests, and if an auditor comes knocking, there’s nothing for Meta to provide.
The FOIA 20-Day Copy Rule
FOIA treats any federal electronic message (including instant messages) as a permanent record. Officers or employees must “forward a complete copy of the record to an official electronic messaging account … not later than 20 calendar days after the original creation or transmission of the record.”
Because WhatsApp provides no searchable archive, users would have to capture each chat at creation time -an unrealistic manual burden-hence the House ban. Without a clear audit trail, there is nothing left to forward. Agencies must capture the record; the law doesn’t excuse them if the app auto-erases it sooner, or if a user deletes a message.
Edits, deletions, and missing content
Users can edit a message for 15 minutes after sending or delete for everyone for roughly 2 days. While WhatsApp can supply metadata (contacts, timestamps, device info), it cannot reproduce what was actually said. Another compliance gap.
The case for an immutable, searchable archive
Unless an organization adds a real-time, immutable archive, any WhatsApp conversation about official business risks violating the Federal Records Act and leaves the agency unable to respond to a FOIA request. To stay compliant, a messaging tool must pair encryption with clear policy controls, shareable keys, and an unchangeable archive. Encryption alone doesn’t pass today’s risk-management tests.
Need a compliant WhatsApp archive? We can help
If you’re using WhatsApp for business messages and need an immutable, near-real-time archive, we’ve got you covered. Our solution captures messages even if users edit or delete them, stores them in a WORM storage, and preserves chain-of-custody for compliance teams.
Contact us today for a Demo to see how we can help you stay secure, compliant, all while using the communication apps you want to.
