By Jason Nelson
5 min read
For years, WhatsApp has assured its roughly three billion users that their messages are protected by end-to-end encryption—so secure that not even WhatsApp can read them.
A new lawsuit challenging that claim is drawing swift skepticism from cryptographers and privacy lawyers, many of whom say the allegations raise more questions about evidence and timing than about WhatsApp’s underlying security.
Technologists contacted by Decrypt said they see no clear technical path for Meta to routinely access the plaintext of WhatsApp messages, as the lawsuit alleges.
Matthew Green, a professor of cryptography at Johns Hopkins University, said the only realistic way WhatsApp messages might be exposed at scale would be through unencrypted cloud backups stored with third-party providers like Google or Apple, systems outside Meta’s control.
“Backdoors in an app are always theoretically possible,” Green said. “But they’d generally be detectable by reverse-engineering the app. The fact that the plaintiffs don’t demonstrate or claim anything specific is a pretty good sign that they don’t know of a backdoor, because finding a flaw like that would make their case a lot stronger.”
Nick Doty, a technologist at the Center for Democracy and Technology, took a more cautious view, telling Decrypt that outsiders lack full visibility into proprietary messaging systems but that the claims remain unlikely.
“I think it’s hard for any third party to be able to tell you with that much confidence,” Doty said. “I would be very surprised if the claims are accurate.”
Doty added that encryption is not a cure-all. Messages can be exposed without breaking the encryption itself, for example, through malware installed on a user’s device or through users voluntarily reporting abusive content. But the lawsuit appears to allege something broader, he said.
“What’s described in the brief description in this suit doesn’t seem to cover those cases,” Doty said. “It seems to be specific that it is talking about all messages, not just some messages, and messages accessed directly by Meta.”
Legal experts, meanwhile, questioned whether the complaint offers the specificity required to survive early scrutiny in court.
Maria Villegas Bravo, counsel at the Electronic Privacy Information Center, echoed those doubts from a legal perspective, saying the complaint appears light on factual detail about WhatsApp’s actual software.
“I’m not seeing any factual allegations or any information about the actual software itself,” Villegas Bravo said. “I have a lot of questions that I would want answered before I would want this lawsuit to proceed.”
Villegas Bravo also questioned the timing of the case, noting that it arrives as WhatsApp continues to litigate against NSO Group, the spyware maker behind Pegasus.
In that case, WhatsApp accused NSO of abusing its infrastructure to deliver malware to users’ devices, an attack vector that did not involve breaking WhatsApp’s encryption.
“It’s very suspicious timing that this is happening as that appeal is happening, as NSO Group is trying to lobby to get delisted from sanctions in the U.S. government,” she said, pointing to a similar lawsuit filed in Israel.
In May 2025, NSO was ordered to pay more than $167 million in damages to WhatsApp for unlawfully targeting over 1,400 users.
“I don’t think there’s any merit in this lawsuit,” Villegas Bravo said.
The case has also attracted commentary from rival messaging executives.
Telegram founder and CEO Pavel Durov wrote on X that the allegations aligned with Telegram’s past critiques of WhatsApp’s security, though he offered no evidence tied to the lawsuit itself.
X owner Elon Musk likewise claimed that “WhatsApp is not secure,” urging users to switch to X’s encrypted messaging feature.
Neither executive substantiated their claims, and experts cautioned against conflating competitive rhetoric with technical proof. Still, the lawsuit lands at a sensitive moment for Meta, particularly in emerging markets where WhatsApp dominates daily communication.
India alone accounts for more than 850 million WhatsApp users, with Brazil adding another 148 million, making any serious challenge to the platform’s privacy promises consequential well beyond U.S. courts.
The skepticism follows the proposed class action’s filing in federal court in California on Friday that accuses Meta and its WhatsApp subsidiary of maintaining internal tools that allow employees to access private message content, despite public claims of end-to-end encryption.
The plaintiffs, including users from Australia, Brazil, India, Mexico, and South Africa, seek to represent non-U.S. and non-European WhatsApp users since 2016.
The complaint alleges that Meta “siloed” internal teams in ways that prevented employees from fully understanding how WhatsApp message access worked, and that users are forced to rely on Meta’s public assurances because WhatsApp’s full messaging stack is not open-source or independently auditable.
It claims violations of federal and California privacy laws, breach of contract, unjust enrichment, and unfair competition, and points to past public statements by Meta CEO Mark Zuckerberg asserting that the company cannot read WhatsApp messages.
Meta has forcefully rejected the allegations. In a statement shared with Decrypt, a company spokesperson called the claims “categorically false and absurd.”
“WhatsApp has been end-to-end encrypted using the Signal protocol for a decade,” the spokesperson said. “This lawsuit is a frivolous work of fiction, and we will pursue sanctions against plaintiffs’ counsel.”
Decrypt-a-cookie
This website or its third-party tools use cookies. Cookie policy By clicking the accept button, you agree to the use of cookies.