Green digital code streaming down a dark screen, resembling encrypted data

TL;DR:

  • The lawsuit: Texas AG Ken Paxton sued Meta and WhatsApp on May 21, alleging the company deceives users by claiming end-to-end encryption while employees and contractors can access private messages. Filed under the Texas Deceptive Trade Practices Act with penalties of $10,000 per violation. [1][2]
  • The federal angle: A Commerce Department Bureau of Industry and Security investigator spent roughly ten months probing WhatsApp’s encryption claims. His memo concluded there was “no limit” to the messages Meta could view. The investigation was shut down and the Bureau disavowed the investigator’s conclusions. [3][4]
  • The pattern: This is the fourth major challenge to WhatsApp’s encryption claims in 2026, after a January class action citing a whistleblower, the Commerce Department probe, and revelations about Kenya-based contractors reviewing private content. [5][6]
  • Meta’s response: “WhatsApp cannot access people’s encrypted communications and any suggestion to the contrary is false.” [1]
  • What’s at stake: 3 billion WhatsApp users worldwide. And Paxton has a track record: he extracted $1.4 billion from Meta in 2024 over biometric data and $1.4 billion from Google in 2025 over location tracking. [2][3]

What Texas Is Actually Alleging

Paxton’s lawsuit, filed in Harrison County state court, makes a straightforward claim: WhatsApp tells you your messages are encrypted end-to-end, meaning nobody (not even WhatsApp) can read them. The complaint says that’s a lie. [1]

The filing alleges Meta and WhatsApp “have access to virtually all of WhatsApp users’ purportedly ‘private’ communications.” [2] Not some messages. Not metadata. Virtually all of them.

Here’s the legal nuance that matters: Texas doesn’t have to prove WhatsApp’s encryption is mathematically broken. The DTPA claim only requires showing that Meta’s marketing promises diverge from actual practices. It’s a “broken promise” case, not a cryptography case. [4]

That distinction is critical because Meta keeps responding with statements about the Signal Protocol’s open-source cryptographic design. Nobody disputes the math. The question is what happens around it: before encryption, after decryption, through backup systems, via internal access tools, and through contractor review pipelines.

The Federal Investigation That Disappeared

Before Paxton filed his suit, a federal investigator had already reached similar conclusions, and been shut down.

A Bureau of Industry and Security agent within the Commerce Department spent approximately ten months investigating WhatsApp’s encryption claims. According to Bloomberg, the investigator’s memo stated there was “no limit” to the type of WhatsApp messages Meta could view. He determined Meta “can and does” view and store WhatsApp message content. [3][4]

Then the probe ended. The Bureau publicly disavowed the investigation, characterizing the agent’s conclusions as “exceeding his authority.” [4]

No public explanation of why a ten-month investigation was terminated. No public release of the memo. No alternative findings. Just this: it’s over, and the investigator overstepped.

The Paxton lawsuit references Bloomberg’s reporting on the Commerce Department findings. Whatever the federal government decided not to pursue, Texas is now pursuing.

Four Strikes in Five Months

The Texas lawsuit isn’t happening in a vacuum. It’s the latest in an accelerating pattern of challenges to WhatsApp’s encryption claims:

January 2026: Seven plaintiffs from five countries filed a class action in California federal court (Dawson v. Meta). The complaint cited an unnamed whistleblower who alleged that Meta employees only need to send an internal “task” request to an engineer, who grants access to any user’s messages by User ID, “often without scrutiny.” [5]

February 2026: Journalists in Sweden and Kenya reported that employees of Sama, Meta’s Nairobi-based contractor, had been reviewing private content from Meta’s Ray-Ban smart glasses, including footage of people in private situations who apparently didn’t know they were being recorded. Meta terminated the Sama contract in April 2026, leaving 1,108 workers jobless. A $1.6 billion lawsuit from 185 former Sama moderators is ongoing in Kenyan courts. [6]

Early 2026: The Commerce Department investigation concluded and was shut down after finding “no limit” on message access. [3]

May 21, 2026: Texas files suit. [1]

Johns Hopkins cryptographer Matthew Green reviewed the January class action claims and called them “exceedingly unlikely” from a technical standpoint. But he made a key concession: WhatsApp won’t open-source its client-side code, so independent verification is impossible. 3 billion users take Meta’s word for it. [5]

Meta Says “False and Absurd.” That’s Not a Rebuttal.

Meta spokesperson Rachel Holland called the allegations “patently false” and “categorically false and absurd.” The company points to WhatsApp’s use of the Signal Protocol, which is open-source and independently audited. [1][4]

The problem with this defense is that nobody is questioning the Signal Protocol. The protocol handles encryption in transit: the mathematical scrambling of messages between sender and receiver. What Paxton, the class action plaintiffs, and the Commerce Department investigator are all pointing to is what happens outside the protocol: internal access tools, contractor review pipelines, cloud backup handling, and device-level access before encryption or after decryption.

Meta’s position amounts to: “The lock on the front door works perfectly.” The accusation is that they have a key to the back door.

Until WhatsApp open-sources its full client code for independent audit, this is a he-said-she-said with $10,000 per violation hanging in the balance.

Why Paxton’s Track Record Matters

Dismiss this as political theater and you’ll miss the pattern. Paxton has turned Big Tech privacy enforcement into a billion-dollar operation:

  • 2024: $1.4 billion settlement with Meta over facial recognition and biometric data collection without consent [2]
  • 2025: $1.4 billion settlement with Google over location tracking [3]
  • May 11, 2026: Sued Netflix over privacy violations [3]
  • May 21, 2026: Filed this WhatsApp encryption suit [1]

Texas has enforcement teeth. The DTPA allows $10,000 per violation. With WhatsApp’s user base in Texas, the theoretical exposure is enormous. Paxton already knows how to extract major settlements from Meta. The company paid $1.4 billion last time rather than go to trial.

What You Should Do Right Now

  • Don’t panic-delete WhatsApp. The encryption claims haven’t been proven false in court. But you should understand the risk.
  • Switch sensitive conversations to Signal. Signal is fully open-source: client code, server code, everything. Independent auditors can and do verify the entire stack. WhatsApp uses Signal’s protocol but wraps it in proprietary code you can’t inspect.
  • Disable cloud backups. WhatsApp messages backed up to Google Drive or iCloud are not encrypted by default. Even if the transit encryption works perfectly, your backup is sitting unencrypted on a cloud server.
  • Check your WhatsApp privacy settings. Go to Settings → Privacy and lock down who can see your profile photo, status, and last seen. It won’t fix the encryption question, but it reduces your metadata exposure.
  • Watch the case. If discovery forces Meta to reveal its internal access tools and review pipelines, we’ll finally get answers about what “end-to-end encrypted” actually means at WhatsApp.

The Real Question

A federal investigator spent ten months and concluded there’s “no limit” to what Meta can see. A whistleblower described an internal system where engineers hand out message access on request. Kenya-based contractors were reviewing private content. And WhatsApp still won’t release its source code for independent verification.

Maybe Meta is telling the truth and all of these people (the federal investigator, the whistleblower, the contractors, and the Attorney General of the second-largest state) are wrong.

Or maybe “end-to-end encrypted” doesn’t mean what WhatsApp told 3 billion people it means.

Texas is about to find out. Discovery will be very interesting.

Previously: A Lawsuit Says WhatsApp Encryption Is a Lie. A Cryptographer Says It’s Not. | Meta Quietly Removes End-to-End Encryption From Instagram | Meta Smart Glasses: Kenya Contractors Reviewed Intimate Footage

Sources

  1. Texas Tribune: Texas sues WhatsApp, Meta over alleged privacy violations (May 21, 2026)
  2. KSAT: WhatsApp, Meta can access Texans’ private messages, AG Ken Paxton says in lawsuit (May 21, 2026)
  3. KERA News: Texas sues Meta over ‘misleading’ WhatsApp privacy claims (May 21, 2026)
  4. National Law Review: Texas Sues WhatsApp Over Its Encryption Promises: What Consumers Need to Know (May 2026)
  5. ClassAction.org: Class action alleges Meta, third parties read and store WhatsApp messages (January 2026)
  6. IBTimes: Meta Cuts Off 1,000 Kenyan Contractors After Privacy Concerns (April 2026)