Whistleblowers Say Meta Staff Can Read Your WhatsApp Messages

What Meta Says

Meta spokesperson Andy Stone responded forcefully: "Any claim that people's WhatsApp messages are not encrypted is categorically false and absurd. WhatsApp has been end to end encrypted using the Signal protocol for a decade."

It is important to note that the lawsuit's allegations remain unproven. The complaint relies on whistleblower accounts but does not include technical proof of a cryptographic backdoor or definitive evidence that the encryption itself has been broken. The case is at an early stage, and no court has made any findings on the merits.

What We Know About WhatsApp's Privacy Limits

Even before this lawsuit, security researchers have pointed out that "end to end encrypted" does not mean "fully private." There are several documented ways that WhatsApp message contents or metadata can be accessed:

• Reported messages. When a user reports a message, WhatsApp receives the decrypted content of that message along with recent messages from the same conversation for context.
• Cloud backups. Until recently, WhatsApp backups stored on Google Drive or iCloud were not encrypted. Even with encrypted backups now available, users must opt in, and the feature is not enabled by default.
• Metadata collection. WhatsApp collects extensive metadata: who messages whom, when, how often, group membership, phone numbers, IP addresses, and device information. This data is not protected by end to end encryption.
• Linked devices. WhatsApp's multi device architecture means decrypted messages exist on multiple endpoints, each of which is a potential access point.

The Trust Problem With Closed Source Encryption

The lawsuit highlights a fundamental tension in modern messaging security. WhatsApp uses the Signal protocol, which is open source and widely regarded as cryptographically sound. But the Signal protocol is only one component of the system. Everything else, including how WhatsApp implements the protocol, how keys are managed, and what happens on Meta's servers, is proprietary and closed source.

This means users cannot independently verify that the encryption works as advertised. They must trust Meta's assurances. For a company that has been fined billions of dollars for privacy violations and that generates virtually all of its revenue from targeted advertising, that trust is not unconditional for many users.

What You Can Do

Regardless of whether the lawsuit's allegations prove true, the case is a useful reminder to evaluate your messaging security honestly:

• Enable encrypted backups. If you use WhatsApp, turn on encrypted backups in Settings > Chats > Chat Backup > End to End Encrypted Backup. Without this, your messages are stored unencrypted in the cloud.
• Consider open source alternatives. Signal, the app, is fully open source on both client and server. Its encryption and implementation can be independently audited by anyone.
• Be aware of metadata. Even with perfect encryption, who you talk to, when, and how often is valuable intelligence. No mainstream messaging app fully solves this problem.
• Verify security codes. WhatsApp lets you verify encryption keys with your contacts by comparing security codes. This can detect certain types of interception, though it doesn't address the server side concerns raised by the lawsuit.

Why This Case Matters

Two billion people use WhatsApp. Many of them chose it specifically because of its encryption promises. If a court ultimately finds that Meta maintained a system capable of bypassing that encryption, it would represent one of the largest breaches of user trust in the history of digital communications.

Even if the allegations are not substantiated, the case serves as a catalyst for a necessary conversation: encryption claims should be verifiable, not accepted on faith. The security of your private messages should not depend on a corporation's pinky promise.