Texas attorney general Ken Paxton:
Attorney General Ken Paxton filed suit against Meta Platforms Inc. and WhatsApp LLC (collectively “WhatsApp”) after the company misled consumers regarding the strength and scope of its privacy protections for its messaging app, WhatsApp.
Paxton is alleging (PDF) Meta is fully lying about the end-to-end encryption promise of WhatsApp in this wild lawsuit.
Dan Goodin, Ars Technica:
The sole factual evidence cited for the claims is an article published last month by Bloomberg. It reported that the US Commerce Department’s Bureau of Industry and Security [BIS] had abruptly closed an investigation into allegations that Meta could access encrypted WhatsApp messages shortly after one of the department’s agents sent an email outlining the probe’s preliminary findings.
[…]
Thursday’s lawsuit doesn’t indicate that the AG’s office has obtained the email itself or gathered any information from the investigators involved. Instead, it cites only the Bloomberg report for support. The complaint also noted that Meta employees receive plaintext WhatsApp messages that are reported to the company by fellow WhatsApp users. Those messages, however, are taken from the reporting party’s device only after they have been decrypted using the decryption keys available only to the reporting party.
More backdoor allegations were made in another lawsuit (PDF), this one filed in March, citing a January Bloomberg article that, in turn, says this was being investigated by the U.S. Department of Commerce and noting a 2024 SEC whistleblower report. There is no explanation in the lawsuit of how such a vulnerability could exist.
Earlier this year, before either Bloomberg article was published, a group of plaintiffs hired one of the most prestigious law firms in the United States to sue Meta with similar allegations, though they provided no technical evidence either. In later filings, the plaintiffs eventually cited the same April Bloomberg piece as Paxton. In response, Meta’s attorney submitted a forceful declaration (PDF) explaining that “the [Bloomberg] article itself included a statement from a BIS spokesperson explaining that the claims against WhatsApp were ‘unsubstantiated’ and BIS was not investigating WhatsApp or Meta”, and cited a number of external public articles questioning the technical merits of the case. The plaintiffs lawyer wrote in response (PDF) that “saying an investigation was not complete is very different than saying the facts are wrong” and, in turn, points to an article on Medium by Adrian Găitan. Găitan writes:
By the end of this article, you’ll understand not just that WhatsApp’s privacy model is broken — but exactly how it’s broken, layer by layer, from the cryptographic primitives all the way up to the FBI agent pulling your metadata every 15 minutes in near-real time.
This article feels compelling in its length, technical detail, and citation of declassified documents, but I found a closer reading conspicuously differs from what its introduction — and, indeed, these lawsuits — allege. Găitan points to eight distinct vulnerabilities. Two of them are extraction methods when data is at rest, like when it is stored in an iCloud or Google Drive backup, or bugs in the app that are exploited by a spyware vendor. This is not nothing, but it is also not a problem with end-to-end encryption; it is, in fact, a reminder of its limitations. Two others are irrelevant: Meta does not claim either A.I. prompts nor business chats are end-to-end encrypted.
That leaves four possible vulnerabilities Găitan alleges in WhatsApp’s specific security. One is the company’s willingness to install a “pen register” which provides to law enforcement a near-real-time record of user chat metadata, but not the contents of chats themselves. The second is the metadata WhatsApp stores and how it can be used to triangulate connections. Another complaint Găitan has is that WhatsApp is not open source, so it is not possible to fully verify Meta’s claims of secure end-to-end encryption. Lastly, Găitan points to research claiming it is possible for WhatsApp to surreptitiously modify the participants in a group chat.
For those keeping track, that leaves basically one vulnerability — the latter group chat problem — that would satisfy the kinds of claims being made in these lawsuits: that Meta has “unrestricted access to users’ communications”; that Meta and WhatsApp “have access to all WhatsApp users’ encrypted communications in their entirety”. One could make the case — and I certainly have — that backups of supposedly secure and private messaging platforms should be similarly inaccessible for meaningful “end-to-end encryption”. One could even make a reasonable argument that all of the issues raised in Găitan’s piece as all of them degrade WhatsApp’s privacy promise.
But these lawsuits are not making those claims. They are citing a single email from a government investigator as passed through a media report, and claims from whistleblowers and others that have not been validated. I am not stumping for WhatsApp here. If Meta has been lying about its privacy to the extent these lawsuits allege, it should face serious punishment. I suppose we will learn as they play out whether these claims have merit. It is, however, shocking to me how many lawsuits have been filed in such a short time period making essentially the same allegations yet without any actual proof.