A newly filed lawsuit in the US alleges that WhatsApp’s end-to-end encryption (E2EE) is an illusion, claiming Meta employees can access user messages at will.
Meta has dismissed the allegations as “absurd,” firmly defending WhatsApp’s encryption model and promising legal action in response.
The lawsuit, filed on January 26, 2026, in a San Francisco federal court, was brought forward by users in Australia, Mexico, and South Africa. It claims, without providing technical proof, that Meta employees can access WhatsApp messages directly via internal tools. According to the plaintiffs, this access is triggered by sending a simple “task” request to Meta engineers, who then allegedly unlock a widget allowing full, real-time message visibility based on a user’s ID.
The lawsuit cites unnamed “courageous whistleblowers” but fails to provide technical evidence, logs, or documentation to substantiate its claims. WhatsApp, which has over 3 billion users globally, responded swiftly. Will Cathcart, the head of WhatsApp at Meta, called the lawsuit “headline-seeking fiction” and stressed that the service cannot access message contents, as encryption keys are stored only on users' devices.
Meta further highlighted that WhatsApp has used the Signal protocol, the widely respected encryption standard, for the past decade. “Any claim that people’s WhatsApp messages are not encrypted is categorically false and absurd,” the company told the media, stating its intent to pursue sanctions against the plaintiffs' legal team.
WhatsApp is part of Meta Platforms, Inc., a tech giant formerly known as Facebook, which owns multiple social and messaging services, including Instagram and Messenger. While Meta has faced repeated criticism over privacy issues, WhatsApp’s encryption implementation has largely withstood scrutiny over the years.
CyberInsider has previously highlighted incidents such as WhatsApp group links and user profiles being indexed by Google searches in 2021, exposing personal data, and controversial updates to its Terms of Service that allowed extensive sharing of metadata with Meta. That data includes user IDs, device info, IP addresses, contacts, and even payment details. However, none of these issues are related to the actual confidentiality of message contents protected by E2EE.
From a technical standpoint, WhatsApp’s use of the Signal protocol provides a strong foundation for message security. Nevertheless, researchers have occasionally uncovered weaknesses in how WhatsApp implements that protocol. Notably, the 2025 “Prekey Pogo” study by European cryptographers revealed that WhatsApp’s failure to rate-limit prekey requests could allow attackers to undermine forward secrecy, enabling message tracking and device fingerprinting. The attack, while stealthy and impactful, did not provide a way to decrypt message content or suggest intentional access by Meta employees.
The current lawsuit does not reference any such technical findings or known vulnerabilities. Instead, it hinges on insider claims and assertions about Meta's internal systems, without offering code, network captures, or audit results.
Despite the lack of supporting evidence, some high-profile figures seized on the moment to cast doubt on WhatsApp’s security. Elon Musk suggested that “even Signal is questionable,” while Telegram CEO Pavel Durov tweeted, “You’d have to be braindead to believe WhatsApp is secure in 2026.” Neither provided technical backing for their statements.
As of now, there is no verifiable evidence that WhatsApp’s E2EE has been intentionally circumvented or is non-functional. For concerned users, it’s important to understand the distinction between metadata (which WhatsApp does share with Meta) and message content (which remains encrypted). Until compelling technical evidence emerges, WhatsApp’s end-to-end encryption remains trustworthy, even if not immune to implementation flaws.
The people I know that use this dont care . It made some shallow promises of E2E ; but it really didn’t matter .
People who are concerned about the security these apps offer ….. don’t use them .