A newly filed class-action lawsuit in U.S. federal court alleges that WhatsApp’s promise of end-to-end encryption (E2EE) is misleading. The complaint claims that Meta employees are able to access the contents of WhatsApp messages through internal systems, despite repeated assurances that “not even WhatsApp” can read user messages.
The lawsuit, filed on Jan. 23 in the Northern District of California, makes sweeping allegations.
According to the complaint, unnamed whistleblowers allege that Meta staff can request access to WhatsApp messages through an internal tasking system. Once approved, the complaint claims, messages can be viewed in near real time and historically, without an additional decryption step.
The lawsuit argues that this alleged access contradicts WhatsApp’s public statements, marketing materials, and testimony to lawmakers asserting that message contents are accessible only to senders and recipients.
Meta denies the claims. In a statement to Bloomberg, Meta spokesperson Andy Stone said: “Any claim that people’s WhatsApp messages are not encrypted is categorically false and absurd. WhatsApp has been end-to-end encrypted using the Signal protocol for a decade. This lawsuit is a frivolous work of fiction.”
It’s important to distinguish between allegations and established facts. The complaint does not include technical evidence demonstrating a cryptographic backdoor or otherwise proving that WhatsApp’s encryption has been compromised. At this stage, the claims remain unproven.
Past reporting has shown that WhatsApp can access messages users manually report for abuse, and that it collects extensive metadata. That reporting, however, does not support claims of routine or universal access to message contents.
Still, the case raises a familiar and uncomfortable question: when a platform is closed-source and controlled by a single company, can users ultimately trust assurances they cannot independently verify?
End-to-end encryption is a technical guarantee that message contents are readable only by the sender and the intended recipient, because the keys required to decrypt messages exist solely on users’ devices and are never accessible to anyone else.
As this case unfolds, it reinforces a core principle of privacy: encryption should be verifiable, not a matter of trust.