CNN  — 

Jared Kushner’s unusual decision to use WhatsApp to communicate with foreign leaders and conduct government business has raised concerns among cybersecurity experts that highly sensitive government communications could be at risk of exploitation by foreign governments and hackers.

In a letter published Thursday, House Oversight Chairman Elijah Cummings, a Maryland Democrat, wrote that Kushner’s attorney, Abbe Lowell, had confirmed that Kushner, President Donald Trump’s son-in-law and senior adviser, had used the private messaging app on his phone to communicate with foreign leaders. He said he couldn’t say whether Kushner had shared classified information via the app.

A source close to the Saudi royal court told CNN national security analyst Peter Bergen that Kushner has used WhatsApp to communicate with Saudi Crown Prince Mohammed bin Salman, who sources have told CNN the CIA assesses with high confidence ordered the murder and dismemberment of Washington Post journalist Jamal Khashoggi.

As well as raising questions over whether Kushner has broken White House rules, cybersecurity experts have raised concerns that sensitive national security information communicated by him may be vulnerable to hackers and foreign governments.

“I don’t think there’s anything that’s fully secure, but there are degrees of security,” Daniel Schuman, a former House staffer who chairs the Congressional Data Coalition, a nonprofit that aims to encourage smarter tech practices in Congress, told CNN.

“Jared Kushner on his personal phone using a free commercial service that is connected to a company with huge security breaches is a recipe for disaster,” Shuman said.

How secure is WhatsApp?

WhatsApp was broadly praised by cybersecurity experts in 2016 for adopting the Signal end-to-end encryption protocol, which gives users on each end of a conversation unique keys to unlock each message. Chats intercepted in transit would appear scrambled, and to date there is no public indication that encryption protocol has been compromised.

Instead, the concern among experts is that skilled hackers or government intelligence agencies that want to see what’s on a WhatsApp user’s phone would try to hack the phone itself.

Selling phone exploits to governments has become an entire cottage industry in the Middle East, and leaked documents published on WikiLeaks in 2017 outlined a method to read messages from encrypted communications by hacking a target’s entire phone.

The fact that WhatsApp is owned by Facebook gives some experts pause. Though there have not been any major breaches of WhatsApp data since Facebook bought the app in 2014, unlike some other encrypted messaging apps including Signal, WhatsApp stores the call times, location and other metadata of its users’ chats, which means they’re held by Facebook.

Co-founder Brian Acton, who sold WhatsApp to Facebook, has urged people to delete their Facebook accounts because of its many privacy scandals.

On Thursday, Facebook admitted that it hadn’t properly masked the passwords of hundreds of millions of its users but had stored them as plain text in an internal database that could be accessed unencrypted by its staff.

The company said it had discovered the exposed passwords during a security review in January and launched an investigation.

White House rules

In 2017, the White House Counsel’s Office directed staff to conduct all work-related electronic communications on their official government email accounts, which are monitored for threats, especially high-profile officials like a senior presidential adviser. But at times when email is inconvenient, staff can use other methods, provided they don’t share classified information and they take screenshots.

An administration official told CNN that the counsel has determined that WhatsApp is permitted under those conditions and that Kushner is aware of those rules and complies.

According to Cummings, when pressed how Kushner was backing up his communications in order to assure that he wasn’t violating the Presidential Records Act, Lowell responded that Kushner took screenshots and forwarded them to his official White House email account or to the National Security Council. According to Cummings, when Lowell was asked if Kushner ever communicated classified information on WhatsApp, Lowell responded, “That’s above my paygrade.”

But even with the White House counsel’s blessing, experts warn that any high-profile government officials taking their cybersecurity into their own hands are putting their information at risk.

“We have organizations to evaluate the electronic communications threat models and individual security of VIPs,” said Emily Crose, a former National Security Agency analyst and current network security researcher.

“I trust a team of trained security experts from NSA way more than I trust a guy named Jared who sells real estate,” Crose told CNN. “It’s not up to Jared to decide what the best answer to security is for his official communications. That’s not his business.”

In a letter sent to Democratic Sen. Ron Wyden of Oregon in April 2018, then-NSA director Michael Rogers said that while the agency can offer guidance on securing White House staff’s personal phones, it doesn’t proactively inspect them for malicious activity.

Lowell didn’t immediately respond to CNN’s inquiry about whether Kushner does follow basic cybersecurity practices, like keeping his operating system up-to-date.

CNN’s Dana Bash, Manu Raju, Lauren Fox and Donie O’Sullivan contributed to this report.