WhatsApp has strongly denied a new class-action lawsuit accusing Meta of secretly accessing users’ end-to-end encrypted messages, labeling the claims as false and baseless.
The messaging giant reiterated that messages remain private through device-based encryption via the open-source Signal protocol.
A class-action complaint filed on January 23, 2026, in the U.S. District Court for the Northern District of California alleges Meta Platforms misleads over 2 billion WhatsApp users worldwide by promoting unbreakable end-to-end encryption (E2EE).
Plaintiffs from Australia, Brazil, India, Mexico, and South Africa claim WhatsApp stores chat contents post-delivery, analyzes them internally, and grants employee access via simple “task” requests to engineers, citing unnamed whistleblowers.
No code samples, logs, or technical proof accompany these assertions, which challenge marketing statements like Mark Zuckerberg’s 2014 claims and app prompts assuring only recipients can read messages.
The suit seeks unspecified damages and global class certification under U.S., Canadian, or European terms, potentially impacting users in 180 countries.
WhatsApp’s Firm Denial
Meta spokesperson Andy Stone dismissed the allegations as “categorically false and absurd,” emphasizing WhatsApp’s decade-long use of the audited Signal protocol prevents company access to message contents. WhatsApp stated: “Your WhatsApp messages are private. We use the open-source Signal protocol to encrypt them.
Your WhatsApp messages are private. We use the open-source Signal protocol to encrypt them.
• Encryption happens on your device
• Messages are encrypted before leaving your device
• Only the intended recipient has the keys to decrypt messages
• The…— WhatsApp (@WhatsApp) January 27, 2026
Encryption happens on your device; messages are encrypted before leaving your device. Only the intended recipient has the keys to decrypt messages. The message encryption keys are not accessible to WhatsApp or Meta. Any claims to the contrary are false.”
The company plans to seek sanctions against plaintiffs’ counsel from Quinn Emanuel Urquhart & Sullivan and others, calling the suit a “frivolous work of fiction.”
WhatsApp implements the Signal protocol, an open-source standard providing forward secrecy and post-compromise security through the Double Ratchet algorithm.
Encryption occurs client-side using Curve25519 for key exchange, AES-256 in CBC mode for payloads, and HMAC-SHA256 for integrity, ensuring servers like Meta’s handle only ciphertext.
FeatureDescriptionSecurity BenefitIdentity KeysLong-term Curve25519 public/private pairs per deviceEstablishes initial session uniqueness Prekeys & One-Time PrekeysEphemeral keys for asynchronous setupEnables key agreement without online presenceDouble RatchetSymmetric + Diffie-Hellman ratchetsProvides forward secrecy; past keys unusable if compromised Message KeysRandom per-message AES-256 keysEphemeral; derived from chain keys Group Sender KeysFan-out encryption to membersSecure multicast without central decryption i
Independent audits since 2016 confirm no backdoors, though optional cloud backups (e.g., iCloud) transmit unencrypted copies if enabled.
This lawsuit echoes ongoing debates on E2EE limitations like metadata collection and backup risks, without evidence of content breaches.
Security experts recommend encrypted backups and VPNs for metadata protection, while proprietary implementations face scrutiny versus fully open alternatives like the Signal app.
As litigation advances, it may spur greater transparency in WhatsApp’s privacy reports, but the protocol’s math-resistant design upholds claims against unsubstantiated access allegations.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post WhatsApp Denies Lawsuit Claim and Confirms Messages are Device-encrypted and Private appeared first on Cyber Security News.
