Lawsuit Alleges That WhatsApp Has No End-to-End Encryption (pcmag.com)
- Reference: 0180663372
- News link: https://it.slashdot.org/story/26/01/27/0550249/lawsuit-alleges-that-whatsapp-has-no-end-to-end-encryption
- Source link: https://www.pcmag.com/news/lawsuit-alleges-that-whatsapp-has-no-end-to-end-encryption?test_uuid=04IpBmWGZleS0I0J3epvMrC&test_variant=A
> A lawsuit [2]claims that WhatsApp's end-to-end encryption is a sham, and is demanding damages, but the app's parent company, Meta, calls the claims "false and absurd." The [3]lawsuit was filed in a San Francisco US district court on Friday and comes from a group of users based in countries such as Australia, Mexico, and South Africa, according to [4]Bloomberg.
>
> As evidence, the lawsuit cites unnamed "courageous whistleblowers" who allege that WhatsApp and Meta employees can request to view a user's messages through a simple process, thus bypassing the app's end-to-end encryption. "A worker need only send a 'task' (i.e., request via Meta's internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job," the lawsuit claims. "The Meta engineering team will then grant access -- often without any scrutiny at all -- and the worker's workstation will then have a new window or widget available that can pull up any WhatsApp user's messages based on the user's User ID number, which is unique to a user but identical across all Meta products."
>
> "Once the Meta worker has this access, they can read users' messages by opening the widget; no separate decryption step is required," the 51-page complaint adds. "The WhatsApp messages appear in widgets commingled with widgets containing messages from unencrypted sources. Messages appear almost as soon as they are communicated -- essentially, in real-time. Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted." The lawsuit does not provide any technical details to back up the rather sensational claims.
[1] https://slashdot.org/~schwit1
[2] https://www.pcmag.com/news/lawsuit-alleges-that-whatsapp-has-no-end-to-end-encryption?test_uuid=04IpBmWGZleS0I0J3epvMrC&test_variant=A
[3] https://www.scribd.com/document/987788928/Whatsapp-Lawsuit
[4] https://www.bloomberg.com/news/articles/2026-01-25/lawsuit-claims-meta-can-see-whatsapp-chats-in-breach-of-privacy
Meta? Abusing private data and then lying about it? (Score:3)
Gee, what would lead anyone to think they were capable of doing such a thing?
Re: (Score:1)
Define "end".
Re: (Score:1)
The point though is that the original WhatsApp, before it was acquired by Facebook/Meta, did claim true end-to-end encryption. So Zuckerberg had to deliberately order that the safeguards be removed without announcing it to the users.
Re: Couldn't happen to a nicer mob (Score:3)
I don't think that's how it happened at all. Original WhatsApp didn't have E2E encryption. After its 2014 acquisition, in 2016 they implemented the Open Whisper Systems E2E protocol.
I'm inclined to believe it (Score:5, Insightful)
I worked there. Although there were safeguards against rando engineers stalking celebs or spying for nation states without approval, there were a lot of deceptive practices and attitudes. More details will emerge since this isn't just a news story but a lawsuit which will require proof.
Re: (Score:3)
The backdoor was probably mandated by the feddy gov.
closed (Score:5, Insightful)
> "The lawsuit does not provide any technical details to back up the rather sensational claims."
That is an inherent problem with closed code and closed platforms. They can claim anything they want and there isn't much way we can verify their claims. I admit, this story seems really sensational (a little hard to believe), but it is plausible.
Also, there can be word-trickery here. It is possible things can be claimed to be "end-to-end encrypted" and yet still have ways for the mothership to decrypt anything at will (by having intentional secret holes/weaknesses, by storing your or another key, or a method they can pull the key from your device through their own control over the app, or by having master keys present at the start). I think that would be a misuse of the term "end-to-end encryption", yet term use/definitions mutate all the time. Anyway this can backfire spectacularly if discovered and lead to a lot of legal issues - if they had denied law enforcement/courts access in the past with the excuse that they can't decrypt it and then it is discovered they could.
Re: (Score:3)
No, I'm sorry... There's no room for word trickery here, end-to-end encryption means only the sender and receiver can read that communication.
Otherwise it would be end-to-middle-to-end encryption, wouldn't it?
Re:closed (Score:4, Insightful)
> "Otherwise it would be end-to-middle-to-end encryption, wouldn't it?"
Nope, that would imply it is being decrypted and then re-encrypted in the middle. That doesn't have to happen. It would still have stayed encrypted from one end (sender) to the other end (receiver). The middle can just store the message and decrypt it later, if needed, if they have access to the keys (now or later) or a weakness/backdoor.
Re: (Score:1)
Here we are, arguing about end-to-end-to-man-in-the-middle word trickery, when the real issue is that they use ROT13 encryption.
Re: (Score:3)
You're saying what if they secretly upload everyone's private keys? They could no longer claim end-to-end but that's probably the least of their problems if they got caught.
Re: closed (Score:2)
If it's just TLS then you only have a public key, which is not "having the key". Having the private key is what qualifies and for TLS that remains on the server side.
And another thing... (Score:3)
> Meta, calls the claims "false and absurd."
Meta also says they routinely see false claims and speculation like this in lots of users' WhatsApp messages - and none are true. ;-)
Who ever believed in end-to-end encryption? (Score:1)
Since I first read about the "end-to-end encryption" I was very skeptical because there's no control on the private key required by the asymmetric cryptography. Even if there's a private key stored somewhere in the app, Meta can get it and read all the messages. How else would they make money?
Meta will prevail - too many loopholes (Score:4, Interesting)
Trivial example - Meta could claim end-to-end encryption even if every single user's messages are encrypted using the same key. Even if they generate unique keys per user, if they store them on servers, or can have their app send the keys to their support staff on request, they could still technically claim end-to-end encryption. There are so many loopholes in claiming end-to-end encryption, no way Meta is not covered in many ways.
Re: (Score:2)
Exploiting such loopholes would still leave them open to claims of fraud. [1]They've stated in no uncertain terms [whatsapp.com] that "with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them."
It would be such a brazen lie that it makes me skeptical of the allegations of this lawsuit, even given my very low trust in Meta.
[1] https://faq.whatsapp.com/820124435853543
Secure key distribution mechanism (Score:2)
When E2EE was first rolled out, a message appeared in each chat saying that communications were now secure. I always wondered how they managed to distribute the keys without Facebook ever gaining access to them. I long suspected that they might secretly keep a copy of the keys, perhaps obtained during the key distribution process itself. Now those suspicions are gone.
also it keeps a local cache of attachments (Score:2)
Any supposedly secure attachment you send to your colleague will be openly stored on their phone in a place where they don't know what exists and will not likely be able to delete it.
Not the first time (Score:2)
We know media corporations are spying on their users: This isn't the first story to reveal one of them pretends to use end-to-end encryption to hide their power over the users and their greed.