With over three billion monthly active users, WhatsApp holds the title of the world’s most used messaging application. However, a recent class-action lawsuit alleges that Meta has been misleading the public about its end-to-end encryption, and may have been secretly reading all messages sent since 2016.
Matthew Green, a cryptography expert at Johns Hopkins University, analyzed the accusations and considers them unlikely. Nevertheless, he recommends switching to Signal for reasons unrelated to conspiracy theories.
The Lawsuit Alleging Mass Fraud
The law firm Quinn Emanuel filed a class-action suit claiming Meta could access the content of all WhatsApp messages, with a few celebrities being exceptions. The accusation is based on unnamed “whistleblowers,” with no solid evidence to support the claims. Figures such as Elon Musk, owner of X, and Pavel Durov, CEO of Telegram, amplified the accusations on social media.
Both operate competing messaging platforms. According to Bloomberg, the allegations led the U.S. Department of Justice to investigate Meta.
The irony is apparent, as for years, governments worldwide have pressured WhatsApp, arguing that the application is too encrypted and hinders law enforcement investigations.
A Potential Tech Fraud of Historic Proportions
Green explains why the accusation is technically improbable. He states that end-to-end encryption is executed on the user’s mobile application. If a backdoor existed that sent unencrypted copies of messages or encryption keys to Meta’s servers, that functionality would be visible in the application’s code.
Any security researcher can download historical versions of WhatsApp and reverse engineer the compiled code. Several experts have already done so with different parts of the application. Committing a fraud of this magnitude, with forensic evidence so readily accessible, would be, in Green’s words, “extremely foolish.”
WhatsApp implemented the Signal protocol between 2014 and 2016. This encryption system is widely recognized in the cybersecurity community and has been audited by independent experts. If Meta has been lying about its operation since then, it would be one of the biggest corporate cover-ups in tech history.
The Real Flaws in WhatsApp’s Encryption
End-to-end encryption protects the content of messages, meaning Meta cannot read what you write. However, this does not mean WhatsApp is entirely private.
In practice, the application can see metadata: who you talk to, when you send messages, the duration of conversations, and their structure. This information is valuable from a commercial and surveillance standpoint.
Backups to the cloud represent another problem. If you save conversations to iCloud or Google Backup, that data may not be protected by end-to-end encryption, depending on the configuration. In the case of iCloud, they are only protected if you activate Apple’s Advanced Data Protection. Communications with businesses through WhatsApp Business have exceptions to encryption.
Recently introduced artificial intelligence features process some data outside the device, although Meta claims it does so in secure environments called TEEs (Trusted Execution Environments).
Governments Seeking to Break WhatsApp Encryption
WhatsApp has faced constant pressure from governments in the United States, the United Kingdom, and the European Union. These authorities demand access to encrypted messages, but Meta has systematically refused, even when presented with court orders.
This political pressure indirectly reinforces the idea that the application’s encryption is real. If the company could read messages secretly, there would be no intense government resistance or public requests for access.
Despite this, the expert acknowledges that there are legitimate reasons to distrust WhatsApp without resorting to conspiracy theories.
The application is closed-source, meaning it is not possible to audit the entire source code or compile your own version of the application for comparison with the official one. This lack of transparency generates distrust. The user must trust that Meta is not abusing its access to their information, which may be problematic for many.
In Doubt, Use Signal
Signal is an open-source application, allowing anyone with knowledge to audit the entire code, compile their own version, and verify that it works as claimed. This transparency eliminates the need to blindly trust the company. The application belongs to a non-profit foundation, has no commercial interests, and no need to monetize user data.
It also collects minimal metadata. It doesn’t know who you talk to or when, only needing the phone number to function. It uses the same encryption protocol as WhatsApp, the Signal protocol, but with greater transparency in its implementation.
The advantage is that it doesn’t offer artificial intelligence features that require cloud processing, and backups are end-to-end encrypted by default. The main disadvantage is the user base: around 40 million on Signal versus 3 billion on WhatsApp, a huge difference.
