this post was submitted on 27 Jan 2026
1290 points (99.5% liked)

Technology

81373 readers
4152 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
1290
Lawsuit Alleges That WhatsApp Has No End-to-End Encryption (it.slashdot.org)
submitted 3 weeks ago by technocrit@lemmy.dbzer0.com to c/technology@lemmy.world
310 comments fedilink hide all child comments
 

As evidence, the lawsuit cites unnamed "courageous whistleblowers" who allege that WhatsApp and Meta employees can request to view a user's messages through a simple process, thus bypassing the app's end-to-end encryption. "A worker need only send a 'task' (i.e., request via Meta's internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job," the lawsuit claims. "The Meta engineering team will then grant access -- often without any scrutiny at all -- and the worker's workstation will then have a new window or widget available that can pull up any WhatsApp user's messages based on the user's User ID number, which is unique to a user but identical across all Meta products."

"Once the Meta worker has this access, they can read users' messages by opening the widget; no separate decryption step is required," the 51-page complaint adds. "The WhatsApp messages appear in widgets commingled with widgets containing messages from unencrypted sources. Messages appear almost as soon as they are communicated -- essentially, in real-time. Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted." The lawsuit does not provide any technical details to back up the rather sensational claims.

top 50 comments
sorted by: hot top controversial new old
[–] just_another_person@lemmy.world 169 points 3 weeks ago (3 children)

DUH

[–] sexy_peach@feddit.org 130 points 3 weeks ago (36 children)

No if this is proven it would be a real scandal and would bring a lot of users to better alternatives.

If it's false that's good too, since then WA has e2e encryption

[–] MrSoup@lemmy.zip 110 points 3 weeks ago (6 children)

would bring a lot of users to better alternatives.

Most users of whatsapp don't care about e2e. They hardly even know what it is.

[–] dependencyinjection@discuss.tchncs.de 45 points 3 weeks ago (1 children)

Right. This place sometimes forget that we are tiny community of techies that hate the system. Makes me see this place as a bit of a circlejerk at times.

[–] Chronographs@lemmy.zip 17 points 3 weeks ago (3 children)

Yeah the venn diagram overlap of “people who understand and care about e2ee enough to drop a messaging app for not supporting it” and “people who use whatsapp” has to be a sliver

load more comments (3 replies)
load more comments (5 replies)
[–] just_another_person@lemmy.world 17 points 3 weeks ago (8 children)

It's already a known risk, because WA uses centralized key management and servers, and always has regardless what Meta says. If you believe their bullshit, then I feel sad for you.

Also...you don't think that LAWYERS willing to go up against Meta would have rock solid proof from these whistleblowers FIRST before filing a lawsuit?

C'mon now, buddy.

load more comments (8 replies)
load more comments (34 replies)
[–] Sunspear@piefed.social 40 points 3 weeks ago

Shocked, I tell you

load more comments (1 replies)
[–] BanMe@lemmy.world 120 points 3 weeks ago (2 children)

Well if I can't trust Meta with my information, who CAN I trust

[–] chemicalprophet@slrpnk.net 61 points 3 weeks ago (4 children)

Me

[–] usernameusername@sh.itjust.works 48 points 3 weeks ago (4 children)

Oh okay. My location is 55.752121, 37.617664, my full name is Jeremy, and my password is hunter9. I trust you not to tell this to anybody

[–] rmuk@feddit.uk 42 points 3 weeks ago (5 children)

Your full name is "Jeremy"?

[–] usernameusername@sh.itjust.works 33 points 2 weeks ago (1 children)

Oh god damnit chemicalprofet why did you tell this guy i thougjt i could trust you :((

[–] bear@lemmy.blahaj.zone 17 points 2 weeks ago (1 children)

All I see is '••••••'

load more comments (1 replies)
load more comments (4 replies)
[–] Doomsider@lemmy.world 27 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Your secret is safe with us and our 36,893 affiliates.

load more comments (1 replies)
load more comments (2 replies)
load more comments (3 replies)
load more comments (1 replies)
[–] bjoern_tantau@swg-empire.de 99 points 3 weeks ago (1 children)

The biggest news is that Slashdot is still alive.

[–] wuffah@lemmy.world 85 points 3 weeks ago (2 children)

Assume the same for Telegram and pretty much any chat platform that controls your private keys.

[–] zeca@lemmy.ml 45 points 3 weeks ago (4 children)

Telegram doesnt even pretend to be end to end encrypted.

load more comments (4 replies)
load more comments (1 replies)
[–] Delilah@lemmy.blahaj.zone 76 points 3 weeks ago (1 children)

Wait, you are telling me that the company whos entire business is collecting personal information, including people who don't sign up for their services, to leverage for advertising, is keeping their platforms unsecured they can continually grab more information rather than secure it?

I for one am shocked, absolutely shocked.

[–] FlyingCircus@lemmy.world 25 points 2 weeks ago (1 children)

Yes, except they’re not leveraging your data for advertising, they’re leveraging it so they can manipulate your political views and keep you from finding solidarity with other working people.

load more comments (1 replies)
[–] skisnow@lemmy.ca 62 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

15 years ago I’d have called this a conspiracy theory given how the evidence seems to be anecdotal, but given literally every single other thing we’ve learned in recent times about how cartoonishly evil and lying the tech bros truly are, it seems entirely likely.

load more comments (1 replies)
[–] socsa@piefed.social 62 points 3 weeks ago (5 children)

It is end to end encrypted but they can just pull the decrypted message from the app. This has been assumed for years, since they said they could parse messages for advertising purposes.

load more comments (5 replies)
[–] Rusty@lemmy.ca 58 points 3 weeks ago (4 children)

If I am not adding my own private key to the app, like in Tox, I don't trust their encryption.

[–] wallabra@lemmy.eco.br 43 points 3 weeks ago* (last edited 3 weeks ago) (19 children)

Tox also isn't that great security wise. It's hard to beat Signal when it comes to security messengers. And Signal is open source so, if it did anything weird with private keys, everyone would know

load more comments (19 replies)
[–] derin@lemmy.beru.co 25 points 3 weeks ago (1 children)

What's stopping the app from keeping your private key and still not encrypting anything?

I'm not trying to be difficult here, I just don't see how anything outside of an application whose source you can check yourself can be trusted.

All applications hosted by other people require you to react positively to "just trust me bro".

load more comments (1 replies)
load more comments (2 replies)
[–] herseycokguzelolacak@lemmy.ml 56 points 2 weeks ago (13 children)

WhatsApp client is closed source. Any claims around E2EE is pointless, since it's impossible to verify.

[–] cley_faye@lemmy.world 19 points 2 weeks ago (1 children)

It's E2EE alright. Just, don't ask what "ends" we're talking about.

load more comments (1 replies)
load more comments (12 replies)
[–] PierceTheBubble@lemmy.ml 46 points 3 weeks ago* (last edited 2 weeks ago) (4 children)

E2EE isn't really relevant, when the "ends" have the functionality, to share data with Meta directly: as "reports", "customer support", "assistance" (Meta AI); where a UI element is the separation.

Edit: it turns out cloud backups aren't E2E encrypted by default... meaning: any backup data, which passes through Meta's servers, to the cloud providers (like iCloud or Google Account), is unobscured to Meta; unless E2EE is explicitly enabled. And even then, WhatsApp's privacy policy states: "if you use a data backup service integrated with our Services (like iCloud or Google Account), they will receive information you share with them, such as your WhatsApp messages." So the encryption happens on the server side, meaning: Apple and Google still have full access to the content. It doesn't matter if you, personally, refuse to use the "feature": if the other end does, your interactions will be included in their backups.

load more comments (4 replies)
[–] arcterus@piefed.blahaj.zone 43 points 3 weeks ago (10 children)

So, is it basically treating every message as a "group" message where it sends it to some system WhatsApp account and then also to your intended receiver? This is what I'm assuming based on them supposedly being able to see deleted messages. Also would let them say it's technically still "E2EE" since it's indeed E2EE to your receiver, but it's also E2EE to them as well.

[–] axx@slrpnk.net 53 points 3 weeks ago (3 children)

Ah yes, good old E2E AWA3E.

"End to end, and we are also an end".

[–] lando55@lemmy.zip 25 points 3 weeks ago

The E is for "Everyone"

load more comments (2 replies)
load more comments (9 replies)
[–] lavander@lemmy.dbzer0.com 38 points 2 weeks ago (17 children)

Call me old fashioned but I really think that for real E2EE the vendor of the encryption and the vendor of the infrastructure should be two different entities.

For example PGP/GPG on … great! Proton? Not great

Jabber/XMMP with e2ee encryption great! WhatsApp/Telegram/signal… less so (sure I take signal over the other two every day… but it’s enough to compromise a single entity for accessing the data)

load more comments (17 replies)
[–] roserose56@lemmy.zip 33 points 2 weeks ago

No surprised at all tbf.

[–] matlag@sh.itjust.works 30 points 2 weeks ago

Proposed line of defense: "With all respect, M. Judge, with all the different times we fucked our users, lied to them, tricked them, experimented on them, ignored them, we already sold private discussions on Facebook in the past, our CEO and founder most famous quote is «They trust me, dumbfucks!», the list goes on and on: no one in their sane mind would genuinely believe we were not spying on Whatsapp! They try to play dumb, they could not possibly believe we were being fair and honest THIS time?!"

[–] Jyek@sh.itjust.works 30 points 2 weeks ago (21 children)

A lot of victim blaming in this thread. Why can't you just be mad for someone who was deceived?

load more comments (21 replies)
[–] Lucidlethargy@sh.itjust.works 27 points 2 weeks ago

You gatta be real stupid to not realize that Facebook is harvesting your data.

[–] darkmogool@feddit.org 24 points 2 weeks ago

insert pikachushockedface

[–] myfunnyaccountname@lemmy.zip 19 points 2 weeks ago

What?!! No. The owner of WhatsApp would never lie to us.

[–] Treczoks@lemmy.world 17 points 3 weeks ago

Why am I not surprised? Whether there is no end-end encryption, they have a copy of every key, get the decrypted messages from the client, or can ask the client to surrender the key - it does not matter.

The point is that they never intended to leave users a secure environment. That would make the three latter agencies angry, and would bar themselves from rather interesting data on users.

load more comments
view more: next ›