
I'm sorry, it's just flatly wrong to suggest Microsoft Teams is safer than WhatsApp and everyone here bandwagoning on this ridiculous decision should feel bad.


> everyone here bandwagoning on this ridiculous decision should feel bad

Please don't fulminate. Please don't sneer, including at the rest of the community.

Eschew flamebait. Avoid generic tangents. Omit internet tropes.

https://news.ycombinator.com/newsguidelines.html


Perhaps you're unaware that there is a special, DoD-certified version of Teams called "Gov Teams", which can be used to share data at multiple impact levels securely. This version of Teams, and the entire Office365 suite, has undergone extensive security certification for use with high IL data.


Having seen other certification programs before I’m hesitant to think that it’s not theatre


In this case the certification program is extremely onerous, having experienced it myself. A government testing agency will not give you an authorization to operate on a given network or given data impact level until they can independently verify you meet very specific standards, including keeping data at different impact levels physically separate and encrypted at rest at specific encryption standards, keeping processes that access such data on different machines, allowing only one way data transfer across specialized hardware, having a physically separate network from the internet, etc.

Just getting a well-known Python package authorized for install on a single machine can take multiple years. People are used to corporations engaging in security theater, but in the DoD world it's much the opposite: the security apparatus is so paranoid and strict that nobody can get anything done.




Well it _has_, but sure you can bring the value of the certifications into question


> but sure you can bring the value of the certifications into question

Yes I do

Valuable to whom?


They're almost certainly not using the same version as the general public. Most major service providers have a specific version for government with additional controls and restrictions and have undergone certification through FedRAMP, including Microsoft:

https://www.microsoft.com/en-us/microsoft-365/government

Some other examples:

- AWS GovCloud https://aws.amazon.com/govcloud-us/

- Google Workspace for Government https://workspace.google.com/industries/government/

- GovSlack https://slack.com/solutions/govslack

- Atlassian Government Cloud https://www.atlassian.com/government


Or in some cases, different (but overall worse) controls to meet FedRAMP requirements, and much less security monitoring or active testing than the commercial environment.


> it's just flatly wrong

The unwarranted confidence is stunning in a post that is so fundamentally incorrect. I don't like Teams, but your take is deeply unaligned with reality.


It doesn't mean that MS Teams is safer, it means that the government has tighter control on MS Teams.

Or maybe that Microsoft pays more than Meta.


MS products allow you to store data locally without any egress, so an IT team has access to it.

This is the sticking point, because WhatsApp has now integrated Meta AI into the app, but (obviously) do not provide an on-prem data store. This is why Deepseek AI (the Deepseek app) and ChatGPT (the OpenAI app) are barred as well.

Data Stewardship and Zero Trust has been an internal initiative in the House for a couple years now.

The fact that almost no one on this thread knows these (imo overused) terms and design patterns highlights one of the various major gaps in Software Dev I've been observing for several years now - especially the North American market (given the hours that this was posted). The inability to incorporate or understand some basic security architectures is a major gap.

Edit: Keep pushing the downvotes. The truth hurts, and plays a role in jobs leaving, and funds like my employer funding cybersecurity startups in Israel, India, and Eastern Europe because the ecosystem doesn't exist in the US anymore. A similar trend happened in data layer related work.

We don't need more SKLearn plumbers calling themselves "ML Engineers" or Angular monkeys calling themselves "Fullstack Engineers" - we need people who truly understand fundamentals (or - shudders - first principles), be they mathematical (optimization), systems (virtualization), or algorithms (efficient data structures)


> The fact that almost no one on this [thread] knows these

It's not that they aren't known, but rather we just came off a long trend of thin-clients and cloud storage. Some companies merely stay in that ethereal space, while others had concerns about their data. Criticizing people for doing what experts were pushing for the past 20 years doesn't need to devolve into calling their expertise into question.

The downvotes are for that, not because "you're wrong".


I don't think I understand what you're saying here.


Around 15ish years ago, there was a heavy push for things like parallel computing, hosting things on 'the cloud', and managing "big data". So the overarching recommendation was for devices and data to be accessible through a server. It was cheaper to use a third-party for high end compute and large storage rather than storing locally. Remember this was a time when Dropbox was still quite popular.

My original comment is mostly saying that it is too critical of staff saying "how did they not know" when we're now starting to return to in-house solutions. The prior solution was "Go Cloud", now it's "Stay Home". In a decade, once enough people learn the struggles of having everything in-house, the next solution will be "Go Cloud" again, or whatever the future equivalent is.

The overall purpose of my comment was more akin to "calm down, we're just in a new tech cycle, no one's an idiot for following the last cycle's solution".


I disagree with your statement simply because I myself started my tech career in the midst of the Cloud First hype cycle, and even then principles around data management and limiting access (eg. via RBAC) were already well understood.

Maybe a significant portion of the HN base simply never worked with companies that either sold to or were a part of regulated industries, but I do not buy that.

Furthermore, all of the design patterns I am describing can be and have been implemented within cloud environments as well.


Isn't deepseek 100% open source?


The model weights themselves are, but there's also the hosted SaaS.


I remember something about llama only being open-weight, not open-source. Does that mean deepseek is under a similar license and not completely open? I seem to recall some concern about llama's license.


Deepseek the model sure. Not Deepseek AI - the app [0] published by Hangzhou DeepSeek (the company that developed DeepSeek)

[0] - https://apps.apple.com/us/app/deepseek-ai-assistant/id673759...


Teams absolutely has more compliance controls than WhatsApp. Encryption, compliance, data governance, security, etc are all related but very different things.


I ban Whatsapp but require Teams on company devices.

Can you explain why the thinking is wrong?


This is very reasonable if you have compliance needs or similar. That’s not what this office is saying - it’s saying teams is more secure. This is wrong. The nature of banning private messaging apps is trading security for legibility. If this office is interested in that (which it’s not - it allows Signal), they should say so.


I do have a compliance need, similar to this office I imagine.

Teams is more secure in my opinion.

I as an admin can control who you can/can't talk to, what you can share with them, when you can share it. Correctly configured MS Teams is a pretty secure setup.

On the flipside I'm not sure I can make someone else's WhatsApp not auto download anything sent to it.... The two apps aren't really comparable unless I've missed an entire 'WhatsApp for government/enterprise' business arm.


Your Teams is not the government's Teams.

Microsoft maintains specific secure government versions of Teams that use their own special secure data centers. It's a full parallel extra secure set of infrastructure.


Not wrong.

MS Teams allow for offline/local storage of its video/chat conferencing.


Teams doesn’t require access to my entire contacts book on my phone to run smoothly. I can choose the individuals whose contact details I want to give it


How is WhatsApp safer to use than Microsoft Teams?


WhatsApp is always end-to-end encrypted, Teams only in certain cases.


If you think end-to-end encryption is the only thing that matters in security, then yeah sure, WhatsApp is more secure.

Personally, I'd be embarrassed to let people know I thought that way, but to each their own.


Why the unnecessary snark?...


So you would potentially prefer an app without end-to-end encryption to WhatsApp? What are these important security features?


E2EE is mostly useful for consumer applications, where you trust the endpoint (yourself), but not the intermediary servers (some megacorp that doesn't care about you).

The situation is entirely different when you are managing very large organizations.

In those situations, you don't necessarily need the data to be invisible to the intermediary servers, because you might either just be able to control them yourself, secure them with NDAs, etc. And if the server is controlled by you, then you might not even want the data to be invisible to yourself. But, your primary risks may be the compromise of endpoint devices, mistakes or leaks by your users, or a lack of controls over data exchange. Also, many organizations may need to provide records of their internal communications in order to comply with legal requirements.

You might be surprised to know that enterprise offerings of many apps that otherwise support E2EE, often have a way for administrators to intentionally turn those features off.


Lack of complete e2ee is a feature for many large organizations—they still want everything encrypted, they just want a master key to be able to audit communications for compliance/investigations/insider threat identification. They also want strict control over who does what with the app, and where all of the associated data lives. Teams is just a totally different product from WhatsApp in that regard, with all sorts of functionality that will never exist in WhatsApp—tons of control over user identity and access management, integration with all sorts of other security tooling, etc.


The threat model of an organisation is almost the opposite of you as an individual.

For you, you trust yourself the most, followed by your device, and the intermediate servers are a threat. For an organisation, the servers are the most trusted entity, followed by the org-provided device, and a certain percentage of users are an active threat.


Message retention, audit logging, SSO to name a few off the top of my head.


> WhatsApp is always end-to-end encrypted, Teams only in certain cases

Which is an anti-feature given this application: you want a certain level of oversight and control over what staffers communicate.


Their statement doesn't sound like what you said at all:

> The Office of Cybersecurity has deemed WhatsApp a high-risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use

(Of course that statement seems to be highly confused overall. What "stored data encryption"?)


Does WhatsApp encrypt the data on the device after it’s received and decrypted at your phone’s end (then stored indefinitely)? I thought the term of art was “encrypted at rest,” but “stored data encryption” makes sense to me too.

I was of the impression that Whatsapp’s messages (and its backups, photos, etc) kind of just hung around in plaintext once they reached the device.

Which would seem to be a problem should the device be stolen, or observed by other applications on the phone or a tethered device, or twiddled with sneaky hardware (e.g. [0]) that might use physical means to access the device’s file system.

Although as I understand it, the privacy claims are kind of window dressing anyway, and Meta has been more than willing to share plenty of WhatsApp’s data with all and sundry… even before AI-in-the-same-search-bar came along [1]

[0] https://shop.hak5.org/products/omg-cable

[1] https://www.propublica.org/article/how-facebook-undermines-p...


> Does WhatsApp encrypt the data on the device after it’s received and decrypted at your phone’s end (then stored indefinitely)?

The operating system (Android/iOS) encrypts everything anyway. Why would you double that? More to the point, do any of the other "safe" apps, like iMessage, do that?


Given the events of the last few days, it's possible the United States Government - who just dropped massive weaponry onto a target the size of a dishwasher from halfway across the world without anyone knowing - aren't the incompetent boobs you purport they are, despite their rejection of venture-backed smartphone apps.



