A headline-grabbing international lawsuit has cast some doubt on the security of WhatsApp chats, with claims that parent company Meta is not providing true end-to-end encryption and retains the ability to access user conversations internally. However, Meta claims that the suit is a PR stunt by a law firm that is also representing spyware vendor NSO Group in its appeal of a prior decision in favor of WhatsApp.
Suit claims Meta has internal access to private WhatsApp chats
WhatsApp has been taken to task for privacy issues before, specifically policies of metadata collection and sharing of user data between Meta platforms. However, there have not yet been any credible third-party accusations of Meta being able to access WhatsApp chats. The service is advertised as having end-to-end encryption that limits the ability to view messages only to senders and recipients.
The accuser, law firm Quinn Emanuel Urquhart & Sullivan, represents a collection of anonymous plaintiffs that it says are from an assortment of countries including Australia, India and Mexico and frames it as a whistleblowing case. For its part, Meta notes that this same firm also represents Israeli spyware vendor NSO Group in its appeal against WhatsApp attempting to halt a judgement over deployment of its Pegasus spyware on the platform.
Meta claims the law firm filed what it calls an “unsubstantiated” lawsuit as a means of generating publicity and potentially influencing the other decision. A partner from the firm has countered with the claim that Meta has not directly acknowledged the core assertion that its employees can view WhatsApp messages. However, there has not been a substantial third-party security analysis of any sort that supports the claim that the platform’s end-to-end encryption is secretly compromised in some way.
NSO Group and WhatsApp have now been in a years-long legal battle over the former’s use of the latter’s messaging platform as a delivery vehicle for its notorious Pegasus spyware, without Meta being aware of its use in this way. This culminated in a May 2025 ruling in the US courts in favor of WhatsApp, with an order to the spyware vendor to pay over $167 million in damages. NSO Group had exploited a previously unknown vulnerability in the platform’s audio calling tool in 2019 to infect some 1,400 people, including government officials and journalists, before the flaw was discovered and addressed. That judgement was later reduced to $4 million due to constitutional restrictions on punitive damages, but NSO Group is also challenging an injunction that essentially prevents it from accessing the platform at all with its spyware products.
Encryption lawsuit populated by “anonymous whistleblowers”
It is unclear as to how the WhatsApp chats suit is a case of whistleblowing, as the plaintiffs are not named. At this point it cannot be determined if they are or were employees or contractors for the company, and obtained some sort of inside information about potential compromise of the platform’s encryption in that way.
US authorities have since investigated the suit’s claim, and a spokesperson for the US Department of Commerce has told media sources that it has not yet found anything to substantiate WhatsApp chats being visible to Meta employees. This tracks with both independent security analysis and common sense; any issue with the platform’s encryption known to its employees likely would have been leaked long ago. An end-to-end encryption app discovered to be secretly reading user messages would be immediately out of business, and would likely have devastating second-order impacts to other Meta businesses given the company’s privacy history.
The suit does make specific technical claims about how WhatsApp chats are spied on, however. It claims that any worker at Meta is able to create a “task” requesting access to user messages that is then forwarded to an engineer. If the engineer grants access, the employee can then pull up a full list of messages associated with a particular user ID and can also monitor new messages “essentially” in real time. The suit also claims that Meta keeps an archive of all messages sent since the user created the account, even those that have been deleted. The suit does not offer any screenshots or evidence of this, however, nor does it include any technical details about the supposed encryption bypass beyond these general statements.
Previous studies by independent security researchers have determined that WhatsApp captures unencrypted metadata and may share it with law enforcement upon request, and that if user messages are reported to WhatsApp staff for abuse they (naturally) become visible to staff and may not be stored in an encrypted form. Some prior security analysis has taken issue with the resilience of WhatsApp chats against certain types of attacks, but the platform is known to be built on the Signal protocol and store keys on user devices. It would thus be extremely difficult for a company to have some sort of stealth backdoor access to user messages that would not be sniffed out by someone.
