WhatsApp has strongly denied a new class-action lawsuit accusing Meta of secretly accessing users' end-to-end encrypted messages, labeling the claims as false and baseless.
The messaging giant reiterated that messages stay private through device-based encryption using the open-source Signal protocol.
A class-action complaint filed on January 23, 2026, in the U.S. District Court for the Northern District of California alleges that Meta Platforms misleads over 2 billion WhatsApp users worldwide by marketing unbreakable end-to-end encryption (E2EE).
Plaintiffs from Australia, Brazil, India, Mexico, and South Africa claim that WhatsApp stores chat contents post-delivery, analyzes them internally, and grants employee access through simple "job" requests to engineers, citing unnamed whistleblowers.
No code samples, logs, or technical evidence accompany these assertions, which challenge marketing statements such as Mark Zuckerberg's 2014 claims and app prompts assuring that only recipients can read messages.
The suit seeks unspecified damages and global class certification under U.S., Canadian, or European terms, potentially affecting users in 180 countries.
WhatsApp's Firm Denial
Meta spokesperson Andy Stone dismissed the allegations as "categorically false and absurd," emphasizing that WhatsApp's decade-long use of the audited Signal protocol prevents company access to message contents. WhatsApp stated: "Your WhatsApp messages are private. We use the open-source Signal protocol to encrypt them. Encryption happens on your device; messages are encrypted before leaving your device. Only the intended recipient has the keys to decrypt messages. The message encryption keys are not accessible to WhatsApp or Meta. Any claims to the contrary are false."
— WhatsApp (@WhatsApp), January 27, 2026
The company plans to seek sanctions against plaintiffs' counsel from Quinn Emanuel Urquhart & Sullivan and others, calling the suit a "frivolous work of fiction."
WhatsApp implements the Signal protocol, an open-source standard providing forward secrecy and post-compromise security through the Double Ratchet algorithm.
Encryption happens client-side using Curve25519 for key exchange, AES-256 in CBC mode for payloads, and HMAC-SHA256 for integrity, ensuring that servers such as Meta's handle only ciphertext.
| Feature | Description | Security Benefit |
|---|---|---|
| Identity Keys | Long-term Curve25519 public/private pairs per device | Establishes initial session uniqueness |
| Prekeys & One-Time Prekeys | Ephemeral keys for asynchronous setup | Enables key agreement without online presence |
| Double Ratchet | Symmetric + Diffie-Hellman ratchets | Provides forward secrecy; previous keys unusable if compromised |
| Message Keys | Random per-message AES-256 keys | Ephemeral; derived from chain keys |
| Group Sender Keys | Fan-out encryption to members | Secure multicast without central decryption |
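An added example, not from the article or from WhatsApp's code base: the symmetric half of the Double Ratchet listed in the table, showing how per-message keys are derived from chain keys and why a captured chain key yields no earlier message key. The 0x01/0x02 HMAC inputs follow the KDF recommended in the Signal Double Ratchet specification; the function names, the HKDF info label and the starting key are assumptions, and the AES-256-CBC step is left out because Python's standard library has no AES.

```python
import hashlib
import hmac

# Constructed starting chain key for the demo (a real one comes from the DH ratchet).
DEMO_CHAIN_KEY = hashlib.sha256(b"constructed demo chain key").digest()

def kdf_chain_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-ratchet step: (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

def ratchet(chain_key: bytes, steps: int) -> tuple[list[bytes], bytes]:
    """Advance the chain `steps` times; return message keys and the final chain key."""
    keys = []
    for _ in range(steps):
        message_key, chain_key = kdf_chain_step(chain_key)
        keys.append(message_key)
    return keys, chain_key

def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with the default all-zero salt, built on stdlib HMAC."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def expand_message_key(message_key: bytes) -> dict[str, bytes]:
    """Split a message key into AES-256 key, HMAC-SHA256 key and CBC IV."""
    okm = hkdf_sha256(message_key, b"demo message keys", 80)  # info label: assumption
    return {"aes_key": okm[:32], "mac_key": okm[32:64], "iv": okm[64:]}

def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 tag over the ciphertext."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def verify_tag(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time check of a received tag."""
    return hmac.compare_digest(mac_tag(mac_key, ciphertext), tag)

if __name__ == "__main__":
    sent, captured = ratchet(DEMO_CHAIN_KEY, 3)   # keys for messages 1-3
    future, _ = ratchet(captured, 2)              # what a stolen chain key yields
    print("past keys exposed:", bool(set(sent) & set(future)))
    parts = expand_message_key(sent[0])
    tag = mac_tag(parts["mac_key"], b"constructed ciphertext")
    print("tampered accepted:", verify_tag(parts["mac_key"], b"tampered", tag))
```

A chain key captured after message 3 derives the keys for message 4 onward, which is the exposure the Diffie-Hellman ratchet later closes by mixing in fresh key material.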
Independent audits since 2016 confirm no backdoors, though optional cloud backups (e.g., iCloud) transmit unencrypted copies if enabled.
This lawsuit echoes ongoing debates on E2EE limitations such as metadata collection and backup risks, without evidence of content breaches.
Security experts recommend encrypted backups and VPNs for metadata protection, while proprietary implementations face scrutiny versus fully open alternatives like the Signal app.
As litigation advances, it may spur greater transparency in WhatsApp's privacy reports, but the protocol's mathematically grounded design upholds claims against unsubstantiated access allegations.
