WhatsApp can access virtually all of it 3 billion users’ purportedly ‘private’ communications,” according to a lawsuit filed against Meta.

@newsguyusa

One of the most disturbing things about this is that so many governments, political parties and public bodies use Whatsapp to communicate at the highest level, including ministers, heads of government etc.

Why aren't they using something properly secure, considering the high stakes?

@newsguyusa To the surprise of no one who was aware of it being a Meta product.

@newsguyusa the lawsuit provides seemingly no evidence to support this

https://techhub.social/@alextecplayz/115971857366040544

quick correction, as I'm reading into it more: Techlore may have been wrong about the connection between the law firms representing the Plaintiffs and NSO Group, I can't find any information on that

but the brief on the lawsuit is that they claim that through their "courageous whistleblowers" they allege that Meta workers send a request to an engineer and without scrutiny in most cases, will just grant the worker access to the data for that user.

This is somewhat demonstrably false as WA web has been reverse-engineered twice, once via a presentation at Black Hat US 2019 (https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse-Engineering-WhatsApp-Encryption-For-Chat-Manipulation-And-More.pdf) and for a university project (https://www.ir.juit.ac.in:8080/jspui/bitstream/123456789/7764/1/Whatsapp%20Web%20Reverse%20Engineering.pdf) to show that it's E2EE and using the Signal protocol.

they also try to represent all WA users globally except WA users in the US, Canada, EU, UK lmfao

@newsguyusa

Watched a doco a decade or so ago in which they approached Zuck in the street with a camcorder to ask him Qs. Zuck said "Ok,but please stop recording." They said, "Ok, we've stopped".

They then narrated "But we kept recording, because that's what he does."

@newsguyusa
"WhatsApp and [...] Meta, store, analyze, and can access virtually all of WhatsApp users’ purportedly “private” communications. [...]

Meta and WhatsApp store, maintain access to, and use WhatsApp’s three billion users’ “encrypted” messages. This lawsuit seeks to expose the fundamental privacy violations and fraud Meta is perpetrating against the billions of people."

@Sibshops WhatsApp is E2EE, uses the Signal protocol, and the user's private key is not stored in the cloud, as per their 2016 whitepaper.

https://www.bitsoffreedom.nl/wp-content/uploads/WhatsApp-Security-Whitepaper.pdf

Page 4: "At registration time, a WhatsApp client transmits its public Identity
Key, public Signed Pre Key (with its signature), and a batch of public
One-Time Pre Keys to the server The WhatsApp server stores these
public keys associated with the user’s identifier. At no time does the
WhatsApp server have access to any of the client’s private keys."

Page 8: "3 No client authentication secrets are stored on the server Clients
authenticate themselves using a Curve25519 key pair, so the server
only stores a client’s public authentication key. If the server’s user
database is ever compromised, no private authentication credentials
will be revealed"

Page 9: "WhatsApp servers do not have access to the private keys of
WhatsApp users, and WhatsApp users have the option to verify
keys in order to ensure the integrity of their communication."

@alextecplayz @Sibshops

But unless and until the source code of the client app is made public, we only have the vendor's word for any of that.

@only_ohm @Sibshops this is true, WA is closed-source, but reverse-engineering has shown that it is using the Signal protocol.

There's a 2019 black hat slide presentation from Check Point that reverse-engineered the encryption: https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse-Engineering-WhatsApp-Encryption-For-Chat-Manipulation-And-More.pdf

and a 2019 project from a university in India that also reverse-engineered whatsappp web and its E2EE to create some 'AI' chatbots using the Business API: http://www.ir.juit.ac.in:8080/jspui/handle/123456789/7764

Either way, I'd believe Meta and these technical findings over these hacks that allege this "through the assistance of courageous whistleblowers" and no other evidence.

Upon further checking, there's no ties between the law firms representing the Plaintiffs of this lawsuit and NSO group. The supposed connection between the firms and NSO was based off the recent Techlore video on the subject.

@alextecplayz @newsguyusa

Love digging thru 'WhatsApp bad ' to find this comment. Took 2 minutes reading the brief to see there's no teeth in the argument. It's like they skipped that part.

1 Define End2End Encryption
2 Explain OWS helped impl. Signal protocol
3 Unencrypted metadata note
4 Signal's source is public, not WhatsApps
5 WhatsApps claim they have no access to users’ chats: false. As whistleblowers explained(?), they store & have ∞ access to encrypted comms

Where'd that come from?

@FediThing @newsguyusa OK, but WhatsApp uses Signal protocol, and if you enable e2e you should be secure. As I understand in this lawsuit there is not description of mechanism, above this that somehow Meta implemented Signal protocol in such way that they are able to break encryption. Maybe it is something like back channel to device where keys ma be requested?

@newsguyusa https://www.bloomberg.com/news/articles/2026-01-25/lawsuit-claims-meta-can-see-whatsapp-chats-in-breach-of-privacy

https://archive.is/e47Rb

Interested to see what more comes out of it. news.ycombinator pretty silent.

@newsguyusa 'cause they were E2E encrypted, right?

And of course, note that Pavel Durov (CEO of Telegram) and Elon Musk have both jumped on this to promote their own (considerably and objectively worse) platforms, Telegram and X Chats, while shitting on both Signal and WhatsApp.

So even if they might bring some more claims later or present some evidence, note that the snake oil salesmen have jumped on this as well.

No matter your stance on WhatsApp, I personally think WA is still using the Signal protocol or have modified it along the way to support the service's additional features, I have little reason to believe that WA isn't E2EE anymore. But that's just my opinion, I'm no security expert.

@newsguyusa 100% chance, 99% of those users don't care... Number of people - including ones working in tech - who refused to install Signal when I have recommend them to - because they "don't want another app" on the phone is very high, strangely quite a few have installed Telegram afterwards so most people can't be helped.