
A class action lawsuit accuses Meta and WhatsApp of accessing end-to-end encrypted messages. Cryptography experts aren’t buying it. Neither are legal scholars. They question the technical feasibility. They question the legal basis.
The lawsuit claims Meta’s been accessing messages from non-U.S., non-European WhatsApp users since 2016. WhatsApp uses the Signal protocol for encryption. It’s deployed across roughly three billion users.
Experts familiar with WhatsApp’s encryption architecture say the allegations don’t hold up. Matthew Green is a professor at Johns Hopkins University. He told Decrypt that “large exposures are more likely via unencrypted cloud backups” rather than through any backdoor in WhatsApp’s encryption system. The Signal protocol is widely regarded as one of the most secure messaging encryption standards available.
Nick Doty works at the Center for Democracy and Technology. He pointed to a different vulnerability entirely. “Encryption doesn’t prevent device-level compromise,” he told Decrypt. His point? Messages might be intercepted. But the more likely culprit would be spyware or malware on users’ devices. Not systematic access by Meta.
Legal experts are equally unimpressed. Maria Villegas Bravo is with the Electronic Privacy Information Center. She told Decrypt that “the filing is thin on factual details about WhatsApp’s software.” The lack of specificity raises questions. Do the plaintiffs have concrete evidence? Or are they relying on speculation?
The timing’s noteworthy. WhatsApp is fighting its own legal battle against NSO Group. That’s the Israeli company behind Pegasus spyware. It’s been used to compromise devices globally. The coincidence has led some observers to wonder. Is the class action suit politically motivated? No direct connection has been established.
The allegations could have significant implications. That’s true even with expert skepticism. WhatsApp dominates messaging in key markets like India and Brazil. Trust in end-to-end encryption is fundamental to WhatsApp’s value proposition. Any perception that the company can access private messages could affect user confidence. It could invite regulatory scrutiny. Doesn’t matter if it’s technically unfounded.
For now, the technical and legal communities appear unconvinced. The lawsuit doesn’t present a credible challenge to WhatsApp’s encryption claims.
