Lawsuit alleges Meta can read WhatsApp messages despite encryption

Skye Jacobs

Ripple effect: Questions about whether WhatsApp's encryption works as Meta describes have taken center stage in a new international lawsuit filed in a US federal court, where plaintiffs allege that Meta misled billions of users about the privacy of their messages.

Filed Friday in the US District Court for the Northern District of California, the complaint accuses Meta of overstating the security of WhatsApp's end-to-end encryption – a technology the company has long promoted as the backbone of its privacy promise.

Plaintiffs from Australia, Brazil, India, Mexico, and South Africa claim that Meta and WhatsApp can "store, analyze, and access" messages that users are told remain private. The suit asks the court to treat the case as a class action on behalf of WhatsApp users globally.

Meta, which bought WhatsApp in 2014, has rejected the allegations. Company spokesperson Andy Stone called the claims "categorically false and absurd" in an emailed statement to Bloomberg, adding that WhatsApp "has been end-to-end encrypted using the Signal protocol for a decade." Stone described the case as "a frivolous work of fiction" and said Meta intends to seek sanctions against the plaintiffs' legal team.

The Signal protocol is a cryptographic system originally developed by Open Whisper Systems and recognized across the tech industry as a gold standard for private messaging. Meta has repeatedly said that the feature is enabled by default and that only participants in a conversation can read or listen to exchanges.

The lawsuit challenges this technical guarantee, alleging that Meta's internal infrastructure undermines the principle of end-to-end encryption. According to the complaint, the company retains data that should be inaccessible even to its own servers and allows its workforce to examine message content.

Those claims are reportedly based on information from unnamed whistleblowers, though the filings don't identify them or provide details about the evidence.

Attorneys from Quinn Emanuel Urquhart & Sullivan and Keller Postman LLP represent the plaintiffs, along with Jay Barnett of Barnett Legal. None of the lawyers involved has commented publicly beyond the court filings.

For years, cryptography experts have cited the Signal protocol – also used by the Signal app – as one of the most secure frameworks for consumer messaging, relying on asymmetric encryption and forward secrecy to prevent third-party access. If the plaintiffs' claims prove accurate, the implications would reach far beyond WhatsApp and potentially challenge how encryption standards are audited and communicated to the public.

Could always be the case that the protocol is not being implemented properly despite how secure it might be in itself and either through incompetence or through intended malice, it's not running as it should and leaking messages to Meta's servers, but I guess we'll see more actual details should the case go forward
 
They just grab the messages before encryption? That’s how I always understood it, yes the internet part is encrypted but they control the platform and keylog etc. all day long. Applies to all bigtech products
Network traffic from a device with access to decrypted messages can easily be analyzed, so that would be easy to prove. Apparently in 2021 there was an investigation that found WhatsApp uses contractors and AI systems to analyze metadata and reported content (content decrypted by recipient/sender). Most likely this falls along those lines. Wikipedia cites a number of times that bugs have been found and fixed in the protocol's implementation: https://en.wikipedia.org/wiki/Reception_and_criticism_of_WhatsApp_security_and_privacy_features
 
All they need to do is intercept and store the key exchange like they are one of the intended recipients. Without an independent audit there is no way to tell if they are properly implementing the Signal protocol and not stealing the keys. The Signal app has been audited. WhatsApp is owned and operated by Meta for profit, Signal is owned and operated by the Signal Corporation which is a non-profit and is partnered with the Electronic Frontier Foundation who fight for personal privacy. What reason do you have to trust Meta? Because they say "trust me bro"?

Remember when Zoom claimed end-to-end encryption when they defined their servers as one of those "ends"?
 
But...but...........surely Meta wouldn't do anything nefarious such as selling your data??? Please say it ain't so Mr. Zuckercock!!
 
This is either the biggest encryption scandal of the decade or the most confused lawsuit ever filed. Signal protocol is basically the industry gold standard, so the plaintiffs are implying Meta somehow invented secret extra math that lets them read your texts anyway.
 
They're not wrong. Tor is *maybe* the only secure end-to-end encryption, and I'm not entirely sold on that personally.
 
Some years ago, I found an article from the Dutch police in which they explain how they actually intercept whenever you're on a list. One thing in it states the real-time monitoring of, for example, WhatsApp messages, but also live video or phone calls made through WhatsApp.

It means there is a technical backdoor and WhatsApp can grant that access if you're a suspect in some sort of investigation. I also watched countless PD YouTube vids, in which detectives pretty much say, "You can delete messages in chat" but from a technical standpoint those messages still remain there but just with a "0" instead of a "1" and with the notice that the user has deleted that.

No company in the world is providing a chat business in both US and EU without any form of backdoor access like that, if they refuse they would be fined to **** or ordered to move to a different continent and likely to be forbidden in any of those.

The lawsuit is right. Meta cannot be trusted with consumer data - they have the tools to train on all your chats. The forced AI button now in WA says a lot and you can't remove it.
 
They just grab the messages before encryption? That’s how I always understood it, yes the internet part is encrypted but they control the platform and keylog etc. all day long. Applies to all bigtech products

This has been my belief as well, all these conglomerate programs that tout security and privacy, like Facebook or Apple, do provide that security, but it only works against the average person. The companies, government and various third parties like the Israeli spyware sector (Cellebrite, NSO Pegasus etc) have access and you can sometimes buy their access.

This makes it so you or anyone else can't reach the data if you ever lose access to it without the permission of a large entity.

Although beneficial, imo, I care more about stopping access from police and TSA and federal agencies and foreign governments more than I care about some random guy in Tennessee.
 
Of course they can. They might not have a human constantly looking at messages, it is just built to collect the messages, analyze for keywords and market **** to you.

Any WhatsApp chat is most definitely a conversation between you, your group and Meta.

Encryption is just for the packets being sent back and forward, so hackers can't "get into it" by using a network sniffer and looking at the data packets.
 