WhatsApp Security Claims Challenged in New Lawsuit | Meta Accused of False Encryption

A class action lawsuit filed in the United States in January 2026 accuses Meta of misleading billions of users by falsely claiming that the WhatsApp application offers genuine end-to-end encryption (E2EE). The allegations, circulating on platforms like X, Reddit, and Threads for some time, center around claims that Meta employees can readily access the full content of user messages – past and present, including those purportedly deleted – through a simplified internal process.

WhatsApp’s Security Questioned

According to the lawsuit, reported by Bloomberg, access is granted by submitting a “task” to a Meta engineer with minimal professional justification, allowing them to consult messages in near real-time via an internal tool without apparent decryption. This directly contradicts WhatsApp’s core promise: that only conversation participants hold the keys, and messages remain encrypted on servers, inaccessible to Meta.

WhatsApp, founded by Jan Koum and Brian Acton with a strong emphasis on privacy (utilizing the Signal protocol since approximately 2016), and Meta have consistently asserted that no one outside the conversation – including the company itself – can read message content. This stance has drawn scrutiny from governments, including the United Kingdom.

Cryptographer Matthew Green, a professor at Johns Hopkins University, analyzed these allegations in a blog post dated February 2, 2026. While noting that WhatsApp’s client-side code is not open source (preventing easy independent verification, similar to Apple’s iMessage), he considers the accusations highly improbable for three primary reasons:

1. A massive backdoor of this nature would almost certainly be discovered: historical versions of the application are downloadable and decompilable to verify any data or key exfiltration.
2. It would be technically visible in the code or behavior of the app.
3. The risk of exposure would lead to catastrophic legal, reputational, and commercial consequences – rendering the operation “deeply stupid” for Meta.

Green concludes that, absent concrete evidence, trusting WhatsApp’s E2EE claims is reasonable, especially given the lack of proven widespread compromise despite past incidents and billions of users.

Meta has dismissed the lawsuit as “frivolous” and “categorically false,” promising a vigorous defense in court. Some reports suggest a connection to interests related to previous litigation (e.g., against NSO Group), but nothing has been proven to date. Should the allegations prove true, it would represent one of the largest privacy scandals in the tech industry.

The lawsuit stems from allegations made by Attaullah Baig, WhatsApp’s former head of security, who filed a suit in U.S. District Court for the Northern District of California in September 2025. Baig alleged “systemic cybersecurity failures” within WhatsApp that could compromise user privacy. He claimed he notified Meta leaders, including CEO Mark Zuckerberg, of these security issues and faced negative performance feedback and retaliation after doing so.

Specifically, Baig alleged that during a test with Meta’s central security team, he discovered approximately 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information. These employees, he claims, could move or steal this data without detection or audit trails. This access, according to the suit, violated federal securities laws and Meta’s legal obligations stemming from a 2020 privacy settlement with the Federal Trade Commission.

Meta disputed Baig’s allegations, downplaying his role and ranking within the company and characterizing the lawsuit as a “familiar playbook” of a disgruntled former employee making distorted claims. A Meta spokesperson stated the company prides itself on its strong record of protecting people’s privacy and that security is an adversarial space requiring constant improvement.

The Financial Express reported that Meta strongly denied the allegations, describing the lawsuit as “frivolous” and reaffirming WhatsApp’s commitment to security. LinkedIn also reported on the lawsuit, highlighting Baig’s claims of major security and privacy flaws.

The timing of this lawsuit coincides with increasing user questioning of encryption practices across messaging platforms. The emergence of the RCS protocol, now supported by iMessage on Android, offers an alternative with end-to-end encryption, prompting users to re-evaluate their messaging choices.