WHATSAPP PRIVACY

Texas AG sues Meta over claims that WhatsApp doesn’t provide end-to-end encryption

Critics note a lack of factual support in lawsuit filed by US Senate candidate.

Dan Goodin
Credit: Getty Images

The Texas Attorney General has sued Meta over allegations that the company’s WhatsApp messenger, used by more than 3 billion people, doesn’t provide the end-to-end encryption (E2EE) it has long claimed.

Since at least 2016, Meta (then named Facebook) has said WhatsApp provides robust end-to-end encryption, meaning that messages are encrypted on a sender’s device with keys that are available only to the receiver’s device. By definition, E2EE means that no one else—including the platform itself—can read the plaintext messages.

In sworn testimony before two US Senate committees in 2018, CEO Mark Zuckerberg said Meta does “not see any of the content in WhatsApp; it is fully encrypted” and that “Facebook systems do not see the content of messages being transferred over WhatsApp.” The engine for this E2EE is the Signal protocol, an open source code base that multiple third-party experts have said lives up to its promises.

In a complaint filed Thursday, Texas AG attorneys said Meta’s claims are false and that the company can and does read the unencrypted contents of WhatsApp messages. They said they are filing the action to “prevent WhatsApp and Meta from continuing to willfully deceive [Texans] by misrepresenting that their private communications were just that—private and inaccessible even to WhatsApp and Meta—when, in fact, WhatsApp and Meta have access to all WhatsApp users’ communications in their entirety.”

“The gravity of Meta’s and WhatsApp’s violation of users’ privacy and trust cannot be overstated,” the attorneys wrote. “All users were entitled to believe their communications were private when WhatsApp and Meta unequivocally and repeatedly promised that no one—not even WhatsApp and Meta—can access their messages.”

In an email, Meta called the allegations “baseless” and vowed to fight the lawsuit in court.

He said, she said

The sole factual evidence cited for the claims is an article published last month by Bloomberg. It reported that the US Commerce Department’s Bureau of Industry and Security had abruptly closed an investigation into allegations that Meta could access encrypted WhatsApp messages shortly after one of the department’s agents sent an email outlining the probe’s preliminary findings.

According to Bloomberg, the January 16 email, sent to more than a dozen officials at other agencies, stated, “There is no limit to the type of WhatsApp message that can be viewed by Meta. The misconduct of Meta and its officers, including current and former high-level executives, involve civil and criminal violations that span several federal jurisdictions.”

Thursday’s lawsuit doesn’t indicate that the AG’s office has obtained the email itself or gathered any information from the investigators involved. Instead, it cites only the Bloomberg report for support. The complaint also noted that Meta employees receive plaintext WhatsApp messages that are reported to the company by fellow WhatsApp users. Those messages, however, are taken from the reporting party’s device only after they have been decrypted using the decryption keys available only to the reporting party.
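To make the distinction in the two preceding paragraphs concrete (the platform relays only ciphertext; a reported message reaches it as plaintext because the reporting user's own device decrypted it first), here is an added illustrative model in Python. It is not WhatsApp or Signal code: the cipher is a toy HMAC-based construction, and the shared secret is a constructed constant standing in for the real key agreement.

```python
"""Who can read what in an end-to-end encrypted messenger (illustrative model).
Toy construction, not Signal's protocol: per-pair keys come from HMAC-SHA256 over a
constructed shared secret; messages use an HMAC-based keystream plus an HMAC tag."""
import hashlib
import hmac
import os

def derive_keys(shared_secret: bytes) -> tuple:
    # Expand the pair's shared secret into separate encryption and MAC keys.
    enc = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc, mac

def keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(keys, plaintext: bytes) -> bytes:
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(keys, blob: bytes) -> bytes:
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # wrong key or tampered blob
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def run_scenario() -> dict:
    # Constructed shared secret standing in for the Signal key agreement between Alice and Bob.
    keys = derive_keys(b"constructed-shared-secret-alice-bob")
    relay_log, reports = [], []                 # what the platform stores / what users report
    msg = b"meet at 7"
    blob = encrypt(keys, msg)                   # encrypted on Alice's device
    relay_log.append(blob)                      # the server only ever sees the blob
    received = decrypt(keys, blob)              # decrypted on Bob's device
    reports.append(received)                    # Bob reports it: plaintext leaves his device
    try:                                        # the platform has no pair key, so it cannot decrypt
        decrypt(derive_keys(b"relay-has-no-key"), blob)
        relay_result = "decrypted"
    except ValueError as e:
        relay_result = str(e)
    return {"bob_read": received, "relay_decrypt": relay_result,
            "plaintext_in_relay_log": any(msg in b for b in relay_log),
            "plaintext_in_reports": msg in reports}
```

The returned dictionary shows the asymmetry the article relies on: the relay log never contains the plaintext and the relay's decryption attempt fails, while the report list does contain it, supplied by the recipient's device.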

The scarcity of factual support for the claims hasn’t been lost on technologists and encryption experts. They note that a thorough reverse engineering of WhatsApp would almost certainly reveal if it was somehow bypassing the protection provided by the Signal protocol.

A clean bill of health as of 2023

A team of researchers that performed a detailed technical analysis of WhatsApp last year gave the messenger a clean bill of health, finding that it generally works securely and as described by WhatsApp. They found one design flaw that made it possible for a Meta employee with access to the company’s infrastructure to add new members to a group chat without permission or any interaction from existing members. But even in that case, such an addition is fully visible to all other members.

Benjamin Dowling, a senior lecturer in cryptography at King’s College in London and a co-author of the study, said in an email that his team reverse-engineered the WhatsApp cryptographic protocol, meaning the code that makes it work. They found no indication that it was behaving differently from what Meta described. Dowling, however, stressed that the analysis applied only to the WhatsApp client as available in May 2023. Their findings wouldn’t necessarily apply to versions updated since then.

He said the closed source status of WhatsApp makes a definitive assessment of the code impossible. He went on to say that except for the resulting lack of code transparency and the weakness uncovered in group messaging, the Meta messenger nonetheless appeared to provide the same confidentiality promised by the Signal protocol.

Dowling wrote:

Our reverse-engineering of WhatsApp and all the evidence we are aware of points towards WhatsApp providing users with end-to-end encryption for their message contents. While our analysis did find design weaknesses in the protocol, such as a lack of user control over things like group membership, these weaknesses are unlikely to be the basis of the complaint as they would not allow global stealth reading of messages. As it stands, we are not aware of any concrete evidence that WhatsApp has broken their promise of end-to-end encryption. The contents of the complaint do not provide any evidence otherwise.

Three other cryptography experts I interviewed echoed similar doubts.

“The vast majority of this Texas AG lawsuit looks like general dung-throwing in Meta’s direction,” said Kenny Paterson, a researcher at ETH Zurich. “I’m no fan of Meta’s data harvesting practices, but that’s all egregious misdirection on a case that seems to me to be built on a very thin evidence base: essentially, one news article is referenced to support the actual accusation.”

Matthew Green, a professor at Johns Hopkins University, said, “The WhatsApp clients are all available for reverse engineering. For there to be a vulnerability like this, something very bad would have to be happening inside that app.”

Representatives in the Texas AG’s office did not respond to an email asking whether its investigators had obtained any definitive evidence beyond the news article. As Texas Attorney General Ken Paxton heads into the final stretch of his US Senate primary runoff against incumbent John Cornyn, it’s tempting to think the lawsuit is an attempt to appeal to voters and appear to be an advocate for the people of his state.

Given Meta’s history of privacy lapses and data grabs, there are plenty of reasons not to install WhatsApp. Unless new evidence comes to light, the allegations in Thursday’s complaint aren’t among them.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.