- A class-action lawsuit in California accuses Meta of being able to read private WhatsApp messages despite end-to-end encryption.
- Elon Musk and Pavel Durov have called WhatsApp's encryption a fraud and question whether privacy is truly guaranteed.
- Meta categorically denies all accusations and defends the use of the Signal protocol, claiming that no one else can read the messages.
- The debate centers on potential internal access, the role of metadata, and the lack of open source compared to platforms like Signal.
The apparent solidity of WhatsApp end-to-end encryption It's under scrutiny once again. A new class-action lawsuit in the United States and public criticism from two of the most prominent figures in the tech sector have reignited the debate about whether Meta's messaging app truly protects what it promises to protect: private conversations.
Amid this controversy, Elon Musk and Pavel Durov They have taken the opportunity to harshly criticize WhatsApp, even describing its encryption system as "the biggest consumer fraud in history." Meanwhile, Meta defends itself by asserting that the accusations are "categorically false and absurd" and that no one, not even the company itself, can read messages protected by its encryption.
The lawsuit that challenges the protection of WhatsApp chats
The origin of the latest earthquake surrounding app privacy lies in a class action lawsuit filed in the Federal Court of the Northern District of CaliforniaThe document alleges that, from April 2016 to the present, Meta employees and external personnel have had access to messages that users believed were completely protected by end-to-end encryption.
Among those who filed the complaint are, among others, Brian Y. Shirazi and Nida SamsonThe complaint accuses the company of allowing internal access to private conversations without informing users. According to the complaint, this practice directly violates several privacy and data protection laws, as there was no explicit consent for this alleged processing of information.
Demand is not limited to the US market: it includes users from countries such as India, Brazil, Mexico, Australia and South AfricaThis aggravates the potential scope of the case. Although the proceedings are taking place in US courts, the focus on Meta's practices ultimately affects, by extension, the perception of WhatsApp's privacy in Europe and Spain as well.
One of the most sensitive points in the legal document concerns the company's public discourse. For years, the app has repeatedly stated that “Not even WhatsApp” can read the messages thanks to end-to-end encryption. The plaintiffs call these claims misleading, alleging that the platform's infrastructure would, in practice, allow some level of internal access to the content.
According to the lawsuit, Meta employees and Accenture consulting firm workers would have access to an internal review portal from which they could see messages, usernames and profile information with a scope that would go far beyond the cases of moderation or content review that the company publicly acknowledges.
Meta defends itself: Signal protocol and “absurd” accusations
Meta has reacted quickly to these allegations. The company maintains that the accusations are “categorically false and absurd” And remember that WhatsApp has been using the Signal protocol for a decade, considered one of the strongest end-to-end encryption standards on the market.
The company insists that Encryption keys are stored only on users' devicesso that neither Meta nor third parties would have access to them. This approach is the basis of the promise that only the sender and receiver can read the content of a conversation, excluding any other party, including the platform itself.
WhatsApp acknowledges that it reviews messages in very specific contexts, such as when a user reports a chat or when their automated systems detect potentially abusive or illegal activity. In those cases, the person involved authorizes the sending of part of the content for analysis by the moderation teams, something the company presents as compatible with encryption.
The class action lawsuit, however, goes a step further: it argues that internal access would not be limited to these reporting scenarios, but that there would be a “kleptographic backdoor”A so-called cryptographic backdoor, designed to be undetectable from the outside. This concept, highly controversial in the field of cryptography, refers to mechanisms that would allow messages to be decrypted without visibly breaking the encryption system.
Meta flatly denies the existence of that backdoor, but the debate is complicated by a relevant technical detail: WhatsApp's source code is not open source.Unlike Signal, where the community of experts can audit the software, WhatsApp lacks an independent external verification process to objectively check whether the internal workings accurately reflect the company's claims.
In parallel to the lawsuit, the United States Department of Commerce has maintained an open investigation since 2025 called “Operation Sourced Encryption”The investigation, led by the Bureau of Industrial Safety, originated from a whistleblower complaint filed with the SEC in 2024. The agents themselves reportedly described the initial findings as "unsubstantiated," leaving the case in limbo: an ongoing investigation, but no definitive public conclusions have been reached.
Musk and Durov: WhatsApp encryption as “consumer fraud”
The legal battle has been the perfect context for Elon Musk and Pavel Durov They are reigniting their long-standing criticisms of Meta's messaging service. Both are direct competitors of WhatsApp—Musk with X and its messaging feature, and Durov with Telegram—and have long publicly questioned the app's privacy guarantees.
The founder of Telegram was particularly explicit when posting on X that “WhatsApp encryption may be the biggest consumer fraud in history”He accused the platform of deceiving billions of people about the actual level of protection for their conversations. In the same message, he asserted that WhatsApp reads users' messages and shares them with third parties, framing this as a structural practice rather than an isolated exception.
“Despite his claims, he reads users’ messages and shares them with third parties,” Durov stated, promising that Telegram “will never do that”His speech, centered on the idea that his service is more respectful of privacy, also serves as a marketing tool against one of his major rivals.
Elon Musk, for his part, limited himself to a more direct but equally forceful message: “WhatsApp cannot be trusted”The businessman took the opportunity to promote X Chat as an alternative, emphasizing that Meta's alleged lack of transparency in data management would justify users seeking other channels for their private communications.
A poisoned debate: commercial rivalry and contradictions
The exchange of statements comes in a context in which instant messaging It's a strategic business for major tech companies. With over 2.000 billion active users worldwide, WhatsApp is a central piece in the Meta ecosystem, while Telegram and X compete to chip away at its market share.
The fact that the harshest criticism comes from two direct competitors This is no small detail. Musk and Durov both benefit from any erosion of trust in WhatsApp, and this commercial rivalry looms large over their messages. Their warnings could stem from genuine privacy concerns or be part of a strategy to win over disaffected users.
In the case of Telegram, Durov's narrative as a champion of privacy also clashes with some technical realities. The application itself No end-to-end encryption by default All conversations: only so-called "secret chats" have E2EE, while standard chats are stored on Telegram's servers to allow synchronization between devices.
This architecture raises its own questions, especially considering that Telegram has faced pressure from governments such as Russia'swho have demanded access to certain user data. Although the company has historically defended its resistance to these demands, the fact that many conversations are not end-to-end encrypted by default complicates its position in the debate.
The result is a scenario in which Each platform tries to present itself as the safest optionWhile focusing on the supposed shortcomings of the rest, users encounter mixed messages, serious accusations, and categorical responses that are often not accompanied by conclusive technical evidence or independent audits.
Can encryption be considered fraud if it protects the content but not the metadata?
Beyond what is decided in the courts, an important part of the debate revolves around an aspect that often goes unnoticed: the difference between encrypted content and metadataAlthough messages may be protected by E2EE, information about who is talking to whom, at what time, from what device or from what location is subject to other rules.
In the case of WhatsApp, those Metadata is key to Meta's business modelAlthough the company claims it does not use message content for commercial purposes, the structure of relationships between contacts and usage patterns is extremely valuable for segmenting profiles and refining advertising on other platforms within the group, such as Facebook or Instagram.
Neither Musk nor Durov usually dwell too much on this nuance when they point to the "fraud" of encryption. They focus on the possibility of reading messages, but The large volume of exploitable data is found in the metadata layer., regarding which transparency policies are more diffuse and less understandable for the average user.
For European citizens, including those in Spain, this point is especially relevant due to the impact of General Regulation of Data Protection (RGPD)Any metadata processing that allows for the comprehensive profiling of users must comply with strict requirements regarding information, legal basis, and data minimization. Although the current case is being litigated in the United States, it opens the door for European regulators to take a closer look at how this data is managed in the region.
Thus, the question of whether "WhatsApp encryption is a fraud" can be interpreted in several ways: from whether it is technically possible to break it without leaving a trace, to whether the sense of privacy that the platform sells corresponds to the reality of everything it collects and processes around conversations.
With a class-action lawsuit still awaiting a final ruling, an official investigation without public conclusions, and two tech giants using the controversy to attack their rival, the current state of the debate leaves users in an awkward position: entrusting their digital lives to services whose security is debated with tweets and legal statements. The robustness of the Signal protocol, Meta's categorical denials, the lack of open audits, and the exploitation of metadata all coexist on the same playing field where, for now, the only certainty is that the conversation about whether or not WhatsApp's encryption is a fraud is far from over.
