Meta Denies Lawsuit Claiming WhatsApp Encryption Can Be Bypassed

A new lawsuit is raising serious questions about whether WhatsApp’s end-to-end encryption works the way Meta says it does. Filed in San Francisco by international plaintiffs, the suit claims Meta employees can access user messages through an internal process, effectively sidestepping encryption that’s supposed to make those messages private, even from Meta itself. The complaint cites unnamed whistleblowers but offers no technical evidence to back up the claims.

Meta is pushing back hard.

Calling the lawsuit “absurd” and “fiction,” the company insists WhatsApp has used the well-known Signal protocol for encryption for over a decade, and that only users have access to their messages.

They’ve even threatened to countersue the lawyers behind the case, who are also known for representing the spyware firm NSO Group.

Why It Matters: While WhatsApp isn’t a primary enterprise communication platform, it plays a significant role in global messaging, and its encryption practices are often cited in broader conversations about privacy, data access, and trust in digital communications. Legal challenges like this one often prompt deeper scrutiny of how encryption is implemented and governed.

• Allegations Center on Internal Access Mechanisms: The core of the lawsuit alleges that Meta staff can access WhatsApp user messages by submitting a “task” through an internal company system. Once the request is made, the engineering team is said to grant access, after which a new widget appears on the requester’s workstation. This widget reportedly allows the employee to search for and view WhatsApp messages tied to a user’s unique Meta ID. The complaint suggests this process is not subject to oversight or technical verification, and that messages can be accessed in real-time, including those thought to be deleted.

• Meta’s Response Highlights Encryption Standards: In response, Meta firmly stated that WhatsApp messages remain protected by end-to-end encryption using the Signal Protocol, which is widely regarded as one of the most secure messaging standards available. Meta emphasized that the encryption keys never leave user devices, meaning no one, including Meta, can decrypt the content of messages. The company described the lawsuit as a “frivolous work of fiction” and noted that the claims conflict with how the encryption protocol operates at a technical level.

• No Technical Evidence Included in the Complaint: Despite its detailed procedural claims, the lawsuit does not provide underlying technical documentation, source code, logs, or forensic data to support its allegations. The case is instead built around anonymous accounts from individuals described as whistleblowers, whose identities and roles at Meta are not disclosed. Without concrete technical proof, it remains unclear whether the claims reflect actual vulnerabilities, misinterpretations of internal tools, or broader concerns around moderation processes.

• Prior Reports Offer Limited Context: A 2021 investigation by ProPublica found that WhatsApp content moderators could review messages that users manually reported for abuse. In those cases, the messages were voluntarily forwarded to WhatsApp’s review team, meaning they were no longer encrypted end-to-end. The current lawsuit, however, alleges broader and more systematic internal access, which, if substantiated, would represent a different scale of exposure not previously confirmed.

• Pavel and Musk vs. Cathcart: The lawsuit prompted commentary from figures like Telegram CEO Pavel Durov and Elon Musk, who both criticized WhatsApp’s security. Musk’s post was later flagged with a Community Note clarifying differences between WhatsApp, Signal, and his own messaging platform, X Chat. WhatsApp head Will Cathcart also entered the conversation, calling the lawsuit baseless and reiterating that message content remains inaccessible to Meta.

Go Deeper -> Lawsuit Alleges That WhatsApp Has No End-to-End Encryption – PCMag