Both the founders of WhatsApp and current owner Meta state that the app uses end-to-end encryption, meaning that nobody outside the chat can access the content. A lawsuit claims that this isn’t true and that anyone inside Meta can get full access to all of the messages sent or received by any WhatsApp user.
Johns Hopkins University professor and cryptographer Matthew Green has weighed in with a blog post analyzing the claims and likely reality …
WhatsApp end-to-end encryption (E2EE)
WhatsApp founders Jan Koum and Brian Acton specifically built the messaging app around end-to-end encryption (E2EE), with governments and law enforcement expressing concerns at this at the time that they would have no access to the content.
E2EE means that only the chat participants have access to the keys needed to decrypt the content of the messages. While those messages are sent via WhatsApp servers, this happens in encrypted form and there should be no way for the company to be able to decrypt the data.
Lawsuit claims the encryption is a lie
A class action lawsuit, however, claims that this is a lie and WhatsApp does not in fact use E2EE.
Meta’s and WhatsApp’s claim that they do not have access to the substance of WhatsApp users’ communications is false. As the whistleblowers here have explained, WhatsApp and Meta store and have unlimited access to WhatsApp encrypted communications, and the process for Meta workers to obtain that access is quite simple. A worker need only send a “task” (i.e., request via Meta’s internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job.
The Meta engineering team will then grant access [and then] they can read users’ messages […] Messages appear almost as soon as they are communicated—essentially, in real-time. Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted.
Those are pretty mind-blowing claims, and it would be one of the biggest privacy scandals in tech if found to be true.
Johns Hopkins University professor weighs in
Johns Hopkins University professor and cryptographer Matthew Green has written a lengthy blog post on the topic. He notes that while WhatsApp encryption is based on the Signal protocol, the actual code used is not open source and it is therefore impossible for independent researchers to verify how it is implemented.
Unfortunately WhatsApp is closed-source, which means that you cannot easily download the source code to see if encryption performed correctly, or performed at all.
However, he says that it is exceedingly unlikely the claims are true, for three reasons.
I cannot definitively tell you that this is not the case. I can, however, tell, you that if WhatsApp did this, they (1) would get caught, (2) the evidence would almost certainly be visible in WhatsApp’s application code, and (3) it would expose WhatsApp and Meta to exciting new forms of ruin […]
Even if WhatsApp’s app source code is not public, many historical versions of the compiled app are available for download. You can pull one down right now and decompile it using various tools, to see if your data or keys are being exfiltrated.
Green acknowledges that performing this analysis would be a major task but says the very fact that it can be done would make it massively stupid for Meta to lie about it. He ends by citing computer science pioneer and Unix designer Ken Thompson.
It’s been more than forty years since Ken Thompson delivered his famous talk, “Reflections on Trusting Trust“, which pointed out how there is no avoiding some level of trust. Hence the question here is not: should we trust someone. That decision is already taken. It’s: should we trust that WhatsApp is not running the biggest fraud in technology history. The decision to trust WhatsApp on this point seems perfectly reasonable to me, in the absence of any concrete evidence to the contrary. In return for making that assumption, you get to communicate with the three billion people who use WhatsApp.
It’s exactly the same situation with iMessage and FaceTime: Apple does not open-source the E2EE code used.
9to5Mac’s Take
The lawsuit contains zero evidence for the frankly astonishing claims made. For it to be true, both the founders of WhatsApp and Meta would have to be telling one of the biggest lies ever told in tech history. This is not a question of whether the company is ethical, but whether it is profoundly stupid.
The lawsuit goes much further, stating that there is an established mechanism within the company for getting access to the content of WhatsApp messages. This would mean it would have to be known by a great many people within Meta. The old saying comes to mind: “Three may keep a secret, if two of them are dead.”
Personally, I will continue to use WhatsApp perfectly comfortably – how about you?
- Official Apple Store on Amazon
- AirTag holders and accessories
- Mac Pro-style Mac mini casing
- Wireless CarPlay adapter
- NordVPN – privacy-first VPN with no logs and independent audits to verify
- Official iPhone cases: iPhone 17 | iPhone 17 Pro and Pro Max | iPhone Air
Photo by Dimitri Karastelev on Unsplash
FTC: We use income earning auto affiliate links. More.
Comments