WhatsApp, Encryption, and the Trouble With Reputation

Nick Heer linking to Matthew Green's analysis of the new WhatsApp encryption lawsuit:

even with Meta's scumbag reputation — it is difficult for me to believe the company is simply lying about end-to-end encryption, and Green presents compelling evidence for why this is unlikely. A vulnerability? Perhaps. But the claims in this apparently serious lawsuit go well beyond that.

A law firm has filed a class action claiming Meta can read every WhatsApp message through some internal tool any employee can access. No technical evidence. No specific flaw in the Signal protocol. Just the word of unnamed whistleblowers and a lot of dramatic language. Green, a cryptography professor at Johns Hopkins, calls it a "nothingburger." If a backdoor existed in an app used by three billion people, someone would have found it in the last decade.

The loudest voices amplifying this are Elon Musk and Pavel Durov. Both run competing messaging services. Telegram, as Green has written about before, isn't really an encrypted messaging app in any meaningful sense. So take the outrage with a pinch of salt.

What makes it stick is Meta's reputation. Cambridge Analytica, the data harvesting, Zuckerberg telling staff to "inflict pain" on Apple over privacy changes, the never-ending pursuit of engagement at any cost. When someone says Meta is lying about privacy, your gut says "sounds about right" before your brain gets a chance to look at the evidence. They've earned that distrust.

The real concern is more boring than a secret backdoor. WhatsApp's end-to-end encryption is, as far as anyone can tell, legitimately implemented. The Signal protocol is solid. But end-to-end encryption only protects messages in transit. Cloud backups might not have the same protection. Meta still collects metadata: who you talk to, when, how often, from where. The encryption protects the content but not the enormous amount of data that surrounds it.

Oh, and the law firm filing this case? They're simultaneously representing NSO Group in its appeal against WhatsApp. The same NSO that was ordered to pay $167 million for deploying Pegasus spyware against WhatsApp users. A firm defending a company convicted of breaking WhatsApp's encryption is arguing that the encryption doesn't exist. Make of that what you will.

The lawsuit is almost certainly rubbish. But the discomfort people feel about Meta handling their private messages isn't irrational. It's just aimed at the wrong thing. The threat isn't a conspiracy about engineers reading your group chats through a desktop widget. It's the metadata, the backups, and the steady erosion of what "private" means when the company handling your messages makes all its money from knowing everything about you.