
Is WhatsApp really private? US lawsuit alleges Meta has access to encrypted messages

If the allegations in the US lawsuit were proven true, it would undercut WhatsApp’s defence against the Indian government’s traceability mandate in its pending challenge in the Delhi High Court.

The plaintiffs alleged that WhatsApp and Meta “store, analyse, and can access virtually all of WhatsApp users’ purportedly ‘private’ communications”. (NYT Photo)

A class action lawsuit filed in a US federal court has alleged that WhatsApp’s cornerstone claim, that its end-to-end encryption policy prevents even WhatsApp from reading its users’ messages, is false, and that its parent company Meta has unrestricted access to user communications.

The complaint, filed in the US District Court for the Northern District of California on January 23, involves plaintiffs from across the globe, including Alka Gaur from India. The lawsuit seeks to represent all WhatsApp users worldwide from April 2016 onwards, excluding only those in the US, Canada and Europe — since they are bound by different jurisdiction clauses.

The lawsuit

The plaintiffs allege that while WhatsApp publicly markets that it ensures foolproof privacy, WhatsApp and Meta in reality “store, analyse, and can access virtually all of WhatsApp users’ purportedly ‘private’ communications.”

At the heart of the lawsuit is the concept of end-to-end encryption. This is a method of securing digital communication which ensures that a message is turned into a scrambled code on the sender’s device and is only decrypted on the recipient’s device. The service provider — in this case, WhatsApp — merely delivers the message while being blind to what it is.

The lawsuit relies on information from unnamed whistleblowers. It alleges that Meta has implemented what cryptographers call a “kleptographic backdoor” – a secret method to bypass encryption. According to the complaint, Meta employees can ask Meta engineers for access to private messages. Once granted access, the employee can allegedly view users’ messages through an internal widget simply by entering the user’s unique ID.

When these messages appear on the employee’s screen, the suit claims, “no separate decryption step is required”. The plaintiffs argue that this access is not limited to metadata – information about who one messaged, when and from where – but extends to the actual content of the chats, stored in real-time.

The lawsuit supports its claims by pointing to Meta’s dismal track record with privacy regulators globally. It cites the Cambridge Analytica scandal, which resulted in a record $5 billion penalty on Meta by the US Federal Trade Commission in 2019 for deceiving consumers about their ability to control personal information. In Europe, the company has faced heavy penalties under the General Data Protection Regulation, including a €1.2 billion fine in May 2023 for illegal data transfers to the US.


The complaint also highlights a 2017 fine by European regulators worth €110 million for providing misleading information during Meta’s acquisition of WhatsApp. At the time, the company had assured regulators it could not technically link Facebook and WhatsApp user accounts, only to implement that exact feature two years later. The plaintiffs argue this establishes a pattern of “misrepresent[ing] its technical capabilities” for its business.

The lawsuit invokes several US federal and state laws. The plaintiffs accuse Meta of violating the Federal Wiretap Act, a law that prohibits the intentional interception of electronic communications. They argue that by routing messages through their servers in a way that allows internal access, Meta is effectively “intercepting” them.

The suit also claims violations of the California Invasion of Privacy Act and the California Constitution, arguing that Meta intruded upon the privacy of its users. There are also claims of breach of contract and unfair competition – on the ground that users agreed to WhatsApp’s terms of service based on the promise of privacy; if that privacy does not exist, the contract is broken and the company gained an unfair business advantage by deceiving consumers.

The plaintiffs have sought a trial by jury and have asked for compensatory damages for the breach of privacy, statutory damages – which may extend to $10,000 per violation under certain US laws – and punitive damages. They have also sought injunctive relief to stop Meta from continuing these alleged practices.

Meta’s response


Responding to the lawsuit on social media platform X, Will Cathcart, the head of WhatsApp, dismissed the claims.

“This is totally false,” Cathcart wrote. “WhatsApp can’t read messages because the encryption keys are stored on your phone and we don’t have access to them.”

Cathcart attacked the credibility of the lawsuit by characterising it as a “no-merit, headline-seeking lawsuit brought by the very same firm defending NSO after their spyware attacked journalists and government officials.”

The reference is to NSO Group, the Israeli cyber-intelligence firm behind Pegasus, a military-grade spyware. In 2019, WhatsApp sued NSO, alleging that Pegasus was used to exploit a vulnerability in WhatsApp to conduct surveillance on 1,400 users, including journalists and human rights activists in India.


In December 2024, a US jury awarded WhatsApp over $168 million in damages in that case.

Relevance for India

This lawsuit in the US stands in stark contrast with WhatsApp’s legal battle in the Delhi High Court.

In 2021, the Indian government introduced the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules that, among other things, require social media platforms to enable the identification of the “first originator” of information when ordered by a court or public authority.

WhatsApp filed a petition in the Delhi High Court challenging this rule on the ground that complying with the traceability requirement would force it to break its end-to-end encryption. It argued that re-engineering the app to trace the originator of a message would be “equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp,” undermining user privacy.


If the allegations in the US lawsuit were proven true, it would undercut WhatsApp’s defence against the Indian government’s traceability mandate in its pending challenge in the Delhi High Court.

WhatsApp had cited in its petition in the High Court the Supreme Court’s landmark Puttaswamy judgment of 2017 that held privacy to be a fundamental right and ruled that any invasion of privacy must be necessary, proportionate and backed by law. Secret surveillance by a private corporation would fail these tests.

If Meta is accessing message content without user consent — contradicting its own privacy policy — it could potentially face heavy penalties under the Digital Personal Data Protection Act, 2023 for processing personal data for unauthorised purposes.

 
