Ethical Hacking News
The Texas Attorney General's End-End Encryption Conundrum: A Deep Dive into WhatsApp’s Security
In a lawsuit filed by the Texas AG against Meta, allegations claim that WhatsApp doesn’t provide end-to-end encryption as it claims. The case raises questions about the security and privacy features of popular messaging apps like WhatsApp.
The Texas Attorney General has filed a lawsuit against Meta, claiming that WhatsApp does not provide end-to-end encryption (E2EE) as it claims. The allegations contradict previous statements made by CEO Mark Zuckerberg, who assured users that Facebook systems do not see the content of messages being transferred over WhatsApp. A recent complaint filed by the Texas AG's office states that Meta can and does read unencrypted contents of WhatsApp messages, which contradicts the claims of E2EE. Critics argue that the scarcity of factual support for the claims hasn't been lost on technologists and encryption experts, who note that a thorough reverse engineering of WhatsApp would likely reveal if it was somehow bypassing the protection provided by the Signal protocol. A team of researchers found one design flaw in WhatsApp's group messaging feature, but stated that their findings did not indicate any breach of E2EE promises made by Meta. Cryptography experts echo similar doubts about the Texas AG's lawsuit, describing it as "general dung-throwing" and stating that a thorough assessment would require concrete evidence beyond news articles.
The recent lawsuit filed by the Texas Attorney General against Meta, the parent company of WhatsApp, has sparked a heated debate about the security and privacy features of the popular messaging app. The allegations claim that WhatsApp does not provide end-to-end encryption (E2EE) as it claims, which is a fundamental aspect of the platform's design.
At its core, E2EE is a cryptographic technique that ensures only the sender and intended recipient can read messages. This level of security is crucial for users who rely on WhatsApp to communicate with friends, family, and colleagues in sensitive or confidential matters. The Signal protocol, an open-source code base widely regarded as secure, is the backbone of WhatsApp's E2EE system.
However, a recent complaint filed by the Texas Attorney General alleges that Meta can and does read unencrypted contents of WhatsApp messages. This claim contradicts previous statements made by CEO Mark Zuckerberg, who assured users that Facebook systems do not see the content of messages being transferred over WhatsApp. The engine for this E2EE is the Signal protocol, an open-source code base that multiple third-party experts have said lives up to its promises.
In a complaint filed Thursday, Texas AG attorneys claimed Meta's claims are false and that the company can access all WhatsApp users' communications in their entirety. They stated that they are filing the action to "prevent WhatsApp and Meta from continuing to willfully deceive Texans by misrepresenting that their private communications were just that—private and inaccessible even to WhatsApp and Meta—when, in fact, WhatsApp and Meta have access to all WhatsApp users' communications in their entirety."
The complaint does not indicate that the AG's office has obtained the email itself or gathered any information from the investigators involved. Instead, it cites only the Bloomberg report for support. The complaint also noted that Meta employees receive plaintext WhatsApp messages that are reported to the company by fellow WhatsApp users. Those messages, however, are taken from the reporting party’s device only after they have been decrypted using the decryption keys available only to the reporting party.
Critics of the lawsuit argue that the scarcity of factual support for the claims hasn’t been lost on technologists and encryption experts. They note that a thorough reverse engineering of WhatsApp would almost certainly reveal if it was somehow bypassing the protection provided by the Signal protocol.
A team of researchers that performed a detailed technical analysis of WhatsApp last year gave the messenger a clean bill of health, finding that it generally works securely and as described by WhatsApp. However, they found one design flaw that made it possible for a Meta employee with access to the company’s infrastructure to add new members to a group chat without permission or any interaction from existing members.
Benjamin Dowling, a senior lecturer in cryptography at King’s College in London and a co-author of the study, stated in an email that his team reverse-engineered the WhatsApp cryptographic protocol, meaning the code that makes it work. They found no indication that it was behaving differently from what Meta described. However, Dowling stressed that the analysis applied only to the WhatsApp client as available in May 2023. Their findings wouldn’t necessarily apply to versions updated since then.
Dowling went on to say that except for the resulting lack of code transparency and the weakness uncovered in group messaging, the Meta messenger nonetheless appeared to provide the same confidentiality promised by the Signal protocol. "Our reverse-engineering of WhatsApp and all the evidence we are aware of points towards WhatsApp providing users with end-to-end encryption for their message contents. While our analysis did find design weaknesses in the protocol, such as a lack of user control over things like group membership, these weaknesses are unlikely to be the basis of the complaint as they would not allow global stealth reading of messages. As it stands, we are not aware of any concrete evidence that WhatsApp has broken their promise of end-to-end encryption. The contents of the complaint do not provide any evidence otherwise."
Three other cryptography experts I interviewed echoed similar doubts. One expert described the Texas AG’s lawsuit as "general dung-throwing in Meta’s direction." Another noted that a thorough assessment would require the WhatsApp clients to be available for reverse engineering, and that something very bad would have to be happening inside the app for it to breach its own promises.
Representatives in the Texas AG’s office did not respond to an email asking if its investigators had obtained any evidence laying out definitive evidence beyond the news article. As Texas Attorney General Ken Paxton heads into the final stretch of his US Senate primary runoff against incumbent John Cornyn, it’s tempting to think the lawsuit is an attempt to appeal to voters and appear to be an advocate for the people of his state.
The controversy surrounding WhatsApp's E2EE has sparked renewed debate about the security and privacy features of social media platforms. With millions of users worldwide relying on these services to communicate with friends, family, and colleagues, it is essential that platforms provide robust protection for user data.
Unless new evidence comes to light, the allegations in Thursday’s complaint aren’t among the reasons not to install WhatsApp. The app remains one of the most popular messaging apps globally, offering a convenient way to stay connected with loved ones while maintaining some level of security and privacy.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Texas-Attorney-Generals-End-End-Encryption-Conundrum-A-Deep-Dive-into-WhatsApps-Security-ehn.shtml
https://arstechnica.com/security/2026/05/texas-ag-sues-meta-over-claims-that-whatsapp-doesnt-provide-end-to-end-encryption/
Published: Fri May 22 15:44:48 2026 by llama3.2 3B Q4_K_M
