
The debate over WhatsApp’s long-standing claims of end-to-end encryption has reignited following a viral lawsuit accusing Meta of secretly accessing user messages.
While the case lacks technical evidence, it has amplified public distrust and prompted a detailed rebuttal from respected cryptographer Matthew Green, who argues that the allegations are both implausible and technically unsupported.
Matthew Green, a cryptographer and professor at Johns Hopkins University, published an in-depth analysis of the encryption claims, aiming to separate verifiable facts from speculative noise. The lawsuit, filed on January 26, 2026, in a San Francisco federal court, alleged that Meta employees could access WhatsApp messages at will using internal tools, claims repeated online by figures like Elon Musk and Telegram’s Pavel Durov. However, the complaint provided no code samples, audit reports, or technical documentation, relying solely on unnamed whistleblowers and vague descriptions of an internal “task” system.
Green’s response walks readers through what such an allegation would technically require, and why it doesn’t hold up. He notes that WhatsApp’s encryption model is based on the Signal protocol, which encrypts messages on the sender’s device and decrypts them on the recipient’s device, with the encryption keys never leaving user control. For Meta to access message content, the WhatsApp client itself would need to be modified to upload either plaintext messages or encryption keys, an approach that would almost certainly be detectable through reverse engineering.
WhatsApp, one of the world’s largest messaging platforms with over three billion users, has positioned itself as a privacy-centric app since it introduced end-to-end encryption by default in 2016. That rollout was a major milestone in mass-market encrypted communication. The company has repeatedly affirmed that it cannot read message content, and in response to the lawsuit, Meta labeled the claims “absurd” and “headline-seeking fiction.”
Still, the debate highlights a tension that runs through encrypted messaging: trust in a service is closely tied to its transparency. Unlike Signal, which is open source and allows independent verification of its codebase, WhatsApp is closed source. That means users must trust that the app performs encryption as claimed, an uncomfortable proposition for privacy advocates and security researchers.
Green acknowledges this trust gap, but also emphasizes that tampering with WhatsApp’s encryption at scale would leave forensic traces. “The allegations in the lawsuit state that this applied to nearly all users, and for every message ever sent by those users since they signed up,” Green notes. Such an extensive and ongoing backdoor would not only be highly detectable but also monumentally risky for Meta, especially under global regulatory scrutiny.
To date, no credible research has uncovered such a mechanism. While WhatsApp has faced criticism for its handling of metadata and cloud backups, these concerns are separate from the integrity of end-to-end encryption itself. For example, metadata, including who users communicate with, timestamps, and device information, remains accessible to Meta and is not protected by E2EE. Additionally, if users back up their messages to iCloud or Google Drive without enabling encrypted backups, plaintext copies of chats may be stored on those third-party platforms.
Some concerns about WhatsApp’s implementation have merit. In 2025, researchers discovered a flaw dubbed “Prekey Pogo,” which showed how attackers could abuse WhatsApp’s handling of key exchanges to track users and undermine forward secrecy. But even this sophisticated attack did not enable message decryption or imply that Meta could access messages.
Green concludes that while users have reason to be cautious about closed-source apps, the lawsuit’s central claim, that Meta has unrestricted access to WhatsApp message content, does not align with current technical evidence. He encourages those with strong privacy needs to use open-source alternatives like Signal, which offer greater transparency and verifiability.
