And of course, note that Pavel Durov (CEO of Telegram) and Elon Musk have both jumped on this to promote their own (considerably and objectively worse) platforms, Telegram and X Chats, while shitting on both Signal and WhatsApp.

So even if they might bring some more claims later or present some evidence, note that the snake oil salesmen have jumped on this as well.

No matter your stance on WhatsApp, I personally think WA is still using the Signal protocol or have modified it along the way to support the service's additional features, I have little reason to believe that WA isn't E2EE anymore. But that's just my opinion, I'm no security expert.

@only_ohm @Sibshops this is true, WA is closed-source, but reverse-engineering has shown that it is using the Signal protocol.

There's a 2019 black hat slide presentation from Check Point that reverse-engineered the encryption: https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse-Engineering-WhatsApp-Encryption-For-Chat-Manipulation-And-More.pdf

and a 2019 project from a university in India that also reverse-engineered whatsappp web and its E2EE to create some 'AI' chatbots using the Business API: http://www.ir.juit.ac.in:8080/jspui/handle/123456789/7764

Either way, I'd believe Meta and these technical findings over these hacks that allege this "through the assistance of courageous whistleblowers" and no other evidence.

Upon further checking, there's no ties between the law firms representing the Plaintiffs of this lawsuit and NSO group. The supposed connection between the firms and NSO was based off the recent Techlore video on the subject.

@Sibshops WhatsApp is E2EE, uses the Signal protocol, and the user's private key is not stored in the cloud, as per their 2016 whitepaper.

https://www.bitsoffreedom.nl/wp-content/uploads/WhatsApp-Security-Whitepaper.pdf

Page 4: "At registration time, a WhatsApp client transmits its public Identity
Key, public Signed Pre Key (with its signature), and a batch of public
One-Time Pre Keys to the server The WhatsApp server stores these
public keys associated with the user’s identifier. At no time does the
WhatsApp server have access to any of the client’s private keys."

Page 8: "3 No client authentication secrets are stored on the server Clients
authenticate themselves using a Curve25519 key pair, so the server
only stores a client’s public authentication key. If the server’s user
database is ever compromised, no private authentication credentials
will be revealed"

Page 9: "WhatsApp servers do not have access to the private keys of
WhatsApp users, and WhatsApp users have the option to verify
keys in order to ensure the integrity of their communication."

@newsguyusa the lawsuit provides seemingly no evidence to support this

https://techhub.social/@alextecplayz/115971857366040544

quick correction, as I'm reading into it more: Techlore may have been wrong about the connection between the law firms representing the Plaintiffs and NSO Group, I can't find any information on that

but the brief on the lawsuit is that they claim that through their "courageous whistleblowers" they allege that Meta workers send a request to an engineer and without scrutiny in most cases, will just grant the worker access to the data for that user.

This is somewhat demonstrably false as WA web has been reverse-engineered twice, once via a presentation at Black Hat US 2019 (https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse-Engineering-WhatsApp-Encryption-For-Chat-Manipulation-And-More.pdf) and for a university project (https://www.ir.juit.ac.in:8080/jspui/bitstream/123456789/7764/1/Whatsapp%20Web%20Reverse%20Engineering.pdf) to show that it's E2EE and using the Signal protocol.

they also try to represent all WA users globally except WA users in the US, Canada, EU, UK lmfao

@Durrell there's nothing in the US TOS regarding clipboard use, voice or face data extraction from images, extracting contacts from your phone, location data or keystroke patterns.

legalmiga on threads (https://threads.net/@legalmiga/post/DT11_ZmFHYZ) hasn't provided any links or sources to these claims. Sure, it can be inferred that TikTok does that just like every other big tech social media app (e.g. Facebook, Twitter), but that's not new, and they mention this at the end of her thread. But at least she's a real attorney, which is nice to see.

@Durrell note that this is the US TOS that was updated.

The EU/UK/CH TOS haven't changed since August 22, 2025, and TOS for regions outside the US, EU/UK/CH, that TOS has been updated December 1, 2025.

But also, some of this is just legal boilerplate that has been used on other platforms, INCLUDING Mastodon's TOS, such as:

"By creating, inputting, publishing, and otherwise providing Your Content on or to the Platform, you grant TikTok USDS Joint Venture a license to use Your Content that is:
- non-exclusive, irrevocable, and royalty-free (you retain the rights to use Your Content elsewhere, although we don't owe you any payments for sharing Your Content with us)
- assignable and sub-licensable, including through multiple tiers (so we can, for example, work with service providers and business partners to help distribute Your Content); and
- worldwide (so we can show your content to a global audience)."