Texas AG sues Meta over claims that WhatsApp doesn't provide end-to-end encryption
May 22, 2026 Development Source: Ars Technica
According to Bloomberg, the January 16 email, sent to more than a dozen officials at other agencies, stated, “There is no limit to the type of WhatsApp message that can be viewed by Meta. The misconduct of Meta and its officers, including current and former high-level executives, involve civil and criminal violations that span several federal jurisdictions.”
Thursday’s lawsuit doesn’t indicate that the AG’s office has obtained the email itself or gathered any information from the investigators involved. Instead, it cites only the Bloomberg report for support. The complaint also noted that Meta employees receive plaintext WhatsApp messages that are reported to the company by fellow WhatsApp users. Those messages, however, are taken from the reporting party’s device only after they have been decrypted using the decryption keys available only to the reporting party.
The scarcity of factual support for the claims hasn’t been lost on technologists and encryption experts. They note that a thorough reverse engineering of WhatsApp would almost certainly reveal if it was somehow bypassing the protection provided by the Signal protocol.
He said the closed source status of WhatsApp makes a definitive assessment of the code impossible. He went on to say that except for the resulting lack of code transparency and the weakness uncovered in group messaging, the Meta messenger nonetheless appeared to provide the same confidentiality promised by the Signal protocol.
Our reverse-engineering of WhatsApp and all the evidence we are aware of points towards WhatsApp providing users with end-to-end encryption for their message contents. While our analysis did find design weaknesses in the protocol, such as a lack of user control over things like group membership, these weaknesses are unlikely to be the basis of the complaint as they would not allow global stealth reading of messages. As it stands, we are not aware of any concrete evidence that WhatsApp has broken their promise of end-to-end encryption. The contents of the complaint do not provide any evidence otherwise.
Three other cryptography experts I interviewed echoed similar doubts.
“The vast majority of this Texas AG lawsuit looks like general dung-throwing in Meta’s direction,” said Kenny Paterson, a researcher at ETH Zurich. “I’m no fan of Meta’s data harvesting practices, but that’s all egregious misdirection on a case that seems to me to be built on a very thin evidence base: essentially, one news article is referenced to support the actual accusation.”
Matthew Green, a professor at Johns Hopkins University, said, “The WhatsApp clients are all available for reverse engineering. For there to be a vulnerability like this, something very bad would have to be happening inside that app.”
Representatives in the Texas AG’s office did not respond to an email asking if its investigators had obtained any definitive evidence beyond the news article. As Texas Attorney General Ken Paxton heads into the final stretch of his US Senate primary runoff against incumbent John Cornyn, it’s tempting to think the lawsuit is an attempt to appeal to voters and appear to be an advocate for the people of his state.
Given Meta’s history of privacy lapses and data grabs, there are plenty of reasons not to install WhatsApp. Unless new evidence comes to light, the allegations in Thursday’s complaint aren’t among them.