29
Lawsuit Alleges That WhatsApp Has No End-to-End Encryption (it.slashdot.org)
submitted 3 months ago by technocrit@lemmy.dbzer0.com to c/technology@lemmy.world
37 comments fedilink hide all child comments

As evidence, the lawsuit cites unnamed "courageous whistleblowers" who allege that WhatsApp and Meta employees can request to view a user's messages through a simple process, thus bypassing the app's end-to-end encryption. "A worker need only send a 'task' (i.e., request via Meta's internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job," the lawsuit claims. "The Meta engineering team will then grant access -- often without any scrutiny at all -- and the worker's workstation will then have a new window or widget available that can pull up any WhatsApp user's messages based on the user's User ID number, which is unique to a user but identical across all Meta products."

"Once the Meta worker has this access, they can read users' messages by opening the widget; no separate decryption step is required," the 51-page complaint adds. "The WhatsApp messages appear in widgets commingled with widgets containing messages from unencrypted sources. Messages appear almost as soon as they are communicated -- essentially, in real-time. Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted." The lawsuit does not provide any technical details to back up the rather sensational claims.

top 37 comments
sorted by: hot top controversial new old
[-] lavander@lemmy.dbzer0.com 3 points 3 months ago

Call me old fashioned but I really think that for real E2EE the vendor of the encryption and the vendor of the infrastructure should be two different entities.

For example PGP/GPG on … great! Proton? Not great

Jabber/XMMP with e2ee encryption great! WhatsApp/Telegram/signal… less so (sure I take signal over the other two every day… but it’s enough to compromise a single entity for accessing the data)

[-] phtheven@lemmy.world 0 points 3 months ago* (last edited 3 months ago)

Okay Old Fashioned, but doesn't open source encryption audited by a third party solve this problem? Signal protocol for example? Also proton, I'm guessing, but I'm too lazy to check

[-] BoJackHorseman@lemmy.world 3 points 3 months ago* (last edited 3 months ago)

Cynical me would say they don't have to use the code they put up on GitHub in production.

[-] kinther@lemmy.world 1 points 3 months ago

Yep

[-] phtheven@lemmy.world 1 points 3 months ago

By this logic, can we trust any open source software, even if they claim to use some third party encryption? They could say they're using a super secure encryption, even show it implemented in their open source code base, then just put the other, secret evil backdoor code base in production? Is there a way for any open source project to prove that the code in their open source repo is the code in production?

[-] BoJackHorseman@lemmy.world 1 points 3 months ago

If you can self host it, yes. Like matrix

[-] darkmogool@feddit.org 3 points 3 months ago

insert pikachushockedface

[-] herseycokguzelolacak@lemmy.ml 3 points 3 months ago

WhatsApp client is closed source. Any claims around E2EE is pointless, since it's impossible to verify.

[-] cley_faye@lemmy.world 3 points 3 months ago

It's E2EE alright. Just, don't ask what "ends" we're talking about.

[-] escapeVelocity@lemmy.ca 3 points 3 months ago

TMBE

Trust me bro encryption

[-] CeeBee_Eh@lemmy.world 1 points 3 months ago

Any claims around E2EE is pointless, since it's impossible to verify.

This is objectively false. Reverse engineering is a thing, as is packet inspection.

[-] snowboardbumvt@lemmy.world 0 points 3 months ago

Reverse engineering is theoretically possible, but often very difficult in practice.

I'm not enough of an expert in cryptography to know for sure if packet inspection would allow you to tell if a ciphertext could be decrypted by a second "back door" key. My gut says it's not possible, but I'd be happy to be proven wrong.

[-] black0ut@pawb.social 1 points 3 months ago* (last edited 3 months ago)

Hell, as far as I know, E2EE would be indistinguishable from client to server encryption, where the server can read everything without the need for a secret "backdoor key". You can see that the channel is encrypted, but you can't know who has the other key.

[-] escapeVelocity@lemmy.ca -1 points 3 months ago

Outside of open-source. That shit is usually illegal

[-] just_another_person@lemmy.world 2 points 3 months ago

DUH

[-] sexy_peach@feddit.org 1 points 3 months ago

No if this is proven it would be a real scandal and would bring a lot of users to better alternatives.

If it's false that's good too, since then WA has e2e encryption

[-] MrSoup@lemmy.zip 2 points 3 months ago

would bring a lot of users to better alternatives.

Most users of whatsapp don't care about e2e. They hardly even know what it is.

[-] dependencyinjection@discuss.tchncs.de 1 points 3 months ago

Right. This place sometimes forget that we are tiny community of techies that hate the system. Makes me see this place as a bit of a circlejerk at times.

[-] BanMe@lemmy.world 2 points 3 months ago

Well if I can't trust Meta with my information, who CAN I trust

[-] bjoern_tantau@swg-empire.de 2 points 3 months ago

The biggest news is that Slashdot is still alive.

[-] Jyek@sh.itjust.works 2 points 3 months ago

A lot of victim blaming in this thread. Why can't you just be mad for someone who was deceived?

[-] matlag@sh.itjust.works 2 points 3 months ago* (last edited 3 months ago)

Because it's the gazillionth time the exactly totally absolutely same kind of shit happens with the very exactly same company that didn't even try to hide who they were.
And next week the very very same deceived people will be of Facebook, Instagram, etc. And maybe, just MAYBE they'll migrate away from Whatsapp… to join another proprietary network of another billonaire's controlled megacorp.

Because I'm tired of being "that pain in the ass" when barely suggesting to use something else all to see at the end people crying over things they've be warned about.

If a kid burns themself once on a kitchen's hotplate, you assume they learnt their lesson in an unfortunate way despite all the warnings.
If adults keep burning themselves over and over… and over and over and over, at which point are you entitled to say they're part of the f*cking problem??

[-] gustofwind@lemmy.world 1 points 3 months ago

at what point is it someone's responsibility to simply know better?

this isn't some complicated deceit it's literally one of the most untrustworthy companies in the world lying to your face. A company we've known for now like two decades is untrustworthy and overtly harms people to make money

do people have responsibility at all?

[-] YeahToast@aussie.zone 2 points 3 months ago

People can't take increase responsibility for every single aspect of life. It seems straightforward to you because you're likely tech literate. Do you know every process around how the mechanic services your vehicle, how medicines are made that you consume, how food is curated that you consume, how energy is generated that you consume? People can't have intimate knowledge of every aspect of life, therefore if a company says "this is E2EE" you should be able to believe that at face value and rely on consumer protection agencies to follow up if it's inaccurate.

[-] ToTheGraveMyLove@sh.itjust.works 1 points 3 months ago

You don't need to be tech literate to follow the news. Meta has been caught in lie after lie for YEARS and it has all been widely reported on. Meta needs to face actual repercussions for their crimes against humanity, but anybody still buying into their bullshit is being willfully ignorant.

[-] gustofwind@lemmy.world -1 points 3 months ago

No that’s not correct at all. If a company says something you do not in fact just get to believe it at face value and do 0 research, this applies in every field you mentioned. What planet are you from where you are supposed to just believe what companies say at face value????

People often get second options from different mechanics, doctors, contractors, and all sorts of specialists when told something because you need to do your own research to know about stuff.

You literally do in fact need to try and learn and make informed decisions about everything in life.

[-] YeahToast@aussie.zone 1 points 3 months ago* (last edited 3 months ago)

Chief, if you needed to make an informed decision about every decision in life, there'd be no time for life. That's why other people specialize in jobs so that within reason, confidence can be placed to their decision. I'm not saying you blindly agree and follow everything, but people can't be responsible for every decision. For example, who made the seatbelt in your car? What research did you personally do to verify the safety of your seatbelt. What maintenance have you done to it to ensure that it works as intended? Pretty important life saving bit of equipment.

Edit: my presumption is that you(or the vast majority of the population) haven't done any research into your seatbelt because you trust in the car company and the safety rating requirements of your nation to ensure adequate protection.

[-] fodor@lemmy.zip 1 points 3 months ago

What you're positing here is a view of life that Margaret Thatcher loved. The idea is, "There is no society. There are no laws. There is no oversight. Everything, all responsibility, all of it is 1000% individual."

Of course in reality that's nonsense. We live in a world with laws that are sometimes enforced, where governments sometimes protect us, because we want them to, because that's good for us all.

But even if you believe in Thatcher's view, then you have the problem of corporations. You can't seriously argue that we should be responsible for everything ourselves, as individuals, and also that corporations should exist, because they are anti-individual.

[-] fodor@lemmy.zip 1 points 3 months ago

If companies are lying in their advertising to the general public, then that is something the companies are responsible for. You can blame the victims, but that's kind of stupid because there are so many people in the world who are not technically savvy. They don't have the resources, background, knowledge, and skills to evaluate whether what the company is telling them is true. That's why there are laws designed to protect consumers from lying companies.

Would it be great if everyone was an expert in everything? Yes. Are they? No. They never will be. That's why we have laws.

[-] wuffah@lemmy.world 1 points 3 months ago

Assume the same for Telegram and pretty much any chat platform that controls your private keys.

[-] myfunnyaccountname@lemmy.zip 1 points 3 months ago

What?!! No. The owner of WhatsApp would never lie to us.

[-] Delilah@lemmy.blahaj.zone 1 points 3 months ago

Wait, you are telling me that the company whos entire business is collecting personal information, including people who don't sign up for their services, to leverage for advertising, is keeping their platforms unsecured they can continually grab more information rather than secure it?

I for one am shocked, absolutely shocked.

[-] M1k3y@discuss.tchncs.de 0 points 3 months ago

Im not a big fan of meta and WhatsApp, but these claims are a bit much. Any employee gets access to messages through a well documented internal process? "No separate decryption step is required" , so the WhatsApp CLIENT is not doing any actual e2e encryption and no attempt at reverse engineering or traffic analysis has ever seen that this is the case?

Where can one see, what these whistleblowers have actually published? I would expect to see this "simple process" and how that interface actually works... And I would expect any journalist to request some proof (show me the last message i sent to Alice) before trusting an anonymous whistleblower making such an extraordinary claim.

From what I heard so far, that anonymous whistleblower could be a troll or an ex-employee who just wants to cause some trouble for meta.

We should not trust anything blindly, even if it fits with our view of the world. Meta is an evil company, but as long as there is no indication for these specific allegations to be true, we should treat them as unfounded allegations.

[-] ricdeh@lemmy.world 1 points 3 months ago

In principle the messages themselves could be E2E encrypted, but the closed-source WhatsApp client could transmit decryption keys to Meta HQ without anyone finding out. As long as the client or the client device is unsafe and not trusted, E2EE is not really effective. Which is why one should always demand a FOSS client for E2EE.

[-] Kazumara@discuss.tchncs.de -1 points 3 months ago

Even if that's all true, it's not evidence that the end to end encryption is broken.

That sort of debug access could simply be included in the clients.

[-] JcbAzPx@lemmy.world 1 points 3 months ago

I'm not sure if it's the encryption part you don't understand, the end to end, or both.

this post was submitted on 27 Jan 2026
29 points (100.0% liked)

Technology

84222 readers
248 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws