TL;DR: A class action lawsuit filed on January 26, 2026, alleges that Meta employees can bypass WhatsApp’s end-to-end encryption through an internal “tasking system” to read messages in near real-time, including deleted ones. Whistleblowers who worked as content moderators say they had access to supposedly encrypted chats. Johns Hopkins cryptography professor Matthew Green says the claims are “exceedingly unlikely” and would constitute “the biggest fraud in technology history.” Meta calls the lawsuit “a frivolous work of fiction.” The U.S. Department of Commerce investigated the claims but called some assertions “unsubstantiated.” The thing is: WhatsApp uses the Signal protocol but won’t open-source its implementation. So 3 billion users are trusting Meta’s word. If that makes you uncomfortable, you already know the answer.

The Lawsuit

On January 26, 2026, attorneys at Quinn Emanuel Urquhart & Sullivan and Keller Postman filed a class action in the U.S. District Court for the Northern District of California. Named plaintiffs come from five countries: Australia, Brazil, India, Mexico, and South Africa [1].

The lawsuit covers most WhatsApp users worldwide, but not Americans or Canadians. WhatsApp’s terms of service force U.S. and Canadian users into arbitration. UK and European users are excluded too; they have to file claims in their own countries or Ireland [2].

Here’s what the complaint alleges:

  • Meta has “unlimited access” to encrypted WhatsApp communications
  • Meta employees can submit a “task” request to engineers to access specific messages
  • Once approved, messages can be viewed “almost as soon as they are communicated, essentially, in real-time”
  • Access extends to all historical messages, including deleted ones
  • This access has existed “since April 2016” (the same month WhatsApp rolled out end-to-end encryption for all users)

The whistleblowers behind the claims are former content moderators who worked through third-party firms. They say they and some Meta staff had “unfettered” access to WhatsApp messages and that “content reviewers across multiple countries used similar systems” [3].

The Cryptographer Says: Probably Not

Two days after Bloomberg broke the story, Johns Hopkins cryptography professor Matthew Green published a detailed technical analysis. His verdict: the claims are “exceedingly unlikely” [4].

Green’s argument boils down to three points:

1. You’d see it in the code. WhatsApp’s encryption runs on your phone. If Meta secretly exfiltrated plaintext messages or encryption keys, that code would be in the app binary. Security researchers decompile WhatsApp regularly. Historical versions are publicly available. “If you’re going to metaphorically commit a crime, doing it in a forensically-detectable manner is very stupid,” Green wrote.

2. Someone would have caught it. WhatsApp has been scrutinized by security researchers for a decade. A backdoor affecting 3 billion users wouldn’t stay hidden through years of independent audits and reverse-engineering.

3. The scale makes it implausible. If true, it would be “the biggest fraud in technology history.” Green says: “The decision to trust WhatsApp on this point seems perfectly reasonable to me.”

But Green didn’t dismiss the underlying concern. He can’t prove WhatsApp is clean because Meta won’t open-source the code.

The Federal Investigation

The lawsuit isn’t the only pressure on Meta. Bloomberg reported on January 29 that U.S. law enforcement had been investigating the same claims [5].

Special agents with the U.S. Department of Commerce’s Bureau of Industry and Security examined allegations from former Meta contractors that they had “unfettered” access to WhatsApp messages. The inquiry was reportedly called “Operation Sourced Encryption” [5].

But the Commerce Department pushed back. A spokesperson said “some assertions made by an enforcement agent were unsubstantiated” and stated “there was no active investigation into Meta or WhatsApp for violations of export control laws” [6].

So: an investigation happened. The agency that ran it said parts of it didn’t hold up. Meta says the whole thing is baseless. The whistleblowers say the system exists. Nobody has produced smoking-gun technical evidence either way.

What We Actually Know

Strip away the allegations and the denials, and here’s what’s not disputed:

  • WhatsApp uses the Signal protocol. That’s the gold standard for end-to-end encryption. The protocol itself is open-source and has been audited extensively.
  • WhatsApp’s implementation is proprietary. Meta built its own version of the Signal protocol into WhatsApp’s closed-source app. Nobody outside Meta can verify what that code actually does.
  • Meta can read reported messages. When you report a message for abuse, WhatsApp forwards it (with context) to human reviewers at Meta. This is documented and acknowledged [7].
  • Metadata is collected. WhatsApp collects who you talk to, when, how often, your IP address, device info, and location data. Even if message contents are encrypted, the metadata isn’t [7].
  • Cloud backups can bypass encryption. Unless you specifically enable end-to-end encrypted backups (added in October 2021), your chat history stored in Google Drive or iCloud is not end-to-end encrypted. Meta can’t read those backups, but Google and Apple could comply with law enforcement requests for them.

None of this proves the lawsuit’s claims. But it does show that “end-to-end encrypted” doesn’t mean “completely private.”

The Real Problem: Trust Us, We Won’t Show You

Here’s what Proton (the company behind ProtonMail) pointed out: “When a platform is closed-source and controlled by a single company, can users ultimately trust assurances they cannot independently verify?” Their answer: “Encryption should be verifiable, not a matter of trust” [7].

Signal’s app is fully open-source. Anyone can inspect the code, compile it, and verify the encryption works as advertised. Thousands of researchers have. When Signal says your messages are encrypted, you don’t have to take their word for it. It’s also why Signal has said it would leave Europe before breaking its encryption rather than weaken what it can prove.

WhatsApp uses the same encryption protocol, but the app around it is a black box. Meta’s spokesperson Andy Stone called the lawsuit “a frivolous work of fiction” and said the claims are “categorically false and absurd” [2]. Matthew Green largely agrees with Meta on the technical merits.

But neither of them can point you to a line of code and say “look, here’s the proof.” Because the code is locked up in Menlo Park.

This is the real story. Not whether Meta is reading your messages, but that you have to trust a company with a documented history of privacy violations when they say they can’t.

What You Can Do

Switch to Signal

Signal is open-source, independently audited, and collects almost no metadata. It’s free, works on all platforms, and does everything WhatsApp does. This is the single best thing you can do for messaging privacy. Our Signal setup guide.

Enable Encrypted Backups

If you stay on WhatsApp, turn on end-to-end encrypted backups. Settings > Chats > Chat Backup > End-to-end Encrypted Backup. Without this, your chat history sits in Google Drive or iCloud without E2E protection.

Turn Off Cloud Backups Entirely

Better yet, disable cloud backups altogether. Your messages are encrypted in transit, but backups are the weak link. No backup means no copy for anyone to request.

Use Disappearing Messages

Enable disappearing messages for sensitive conversations. Settings > Privacy > Default Message Timer. Even if someone can access messages, there’s nothing to access if they’re gone. This works on both WhatsApp and Signal.

What Happens Next

The lawsuit is in its earliest stages. The plaintiffs are asking the court for class-action certification, which typically takes 12 to 24 months. If granted, the case could represent WhatsApp users worldwide [2].

Meta will fight it. Hard. The company has the resources and the legal precedent: no independent researcher has ever produced technical evidence of a WhatsApp encryption backdoor. The whistleblower claims, while alarming, remain unverified.

But the case has already done something useful: it forced a conversation about why 3 billion people are trusting a company that settled a $1.4 billion face-scanning lawsuit, was fined $1.3 billion by the EU for privacy violations, and built its entire business on harvesting user data, to tell them their messages are private.

Maybe they are. Matthew Green thinks so. But he also said the quiet part out loud: the only way to know for sure is to see the code. And Meta won’t show it to you.

References

  1. Bloomberg: Lawsuit Claims Meta Can See WhatsApp Chats in Breach of Privacy (January 25, 2026)
  2. 9to5Mac: Lawsuit Claims WhatsApp Encryption Is a Lie, Cryptography Professor Weighs In (February 3, 2026)
  3. Bitdefender: Lawsuit Claims Meta Can Access WhatsApp Messages Despite End-to-End Encryption (January 29, 2026)
  4. Matthew Green: WhatsApp Encryption, a Lawsuit, and a Lot of Noise (February 2, 2026)
  5. Bloomberg: US Has Investigated Claims That WhatsApp Chats Aren’t Private (January 29, 2026)
  6. The420: WhatsApp Privacy Under U.S. Scrutiny as Encryption Claims Face Federal Probe (January 30, 2026)
  7. Proton: What a New Lawsuit Claims About WhatsApp’s End-to-End Encryption (February 2026)