Global controversy over WhatsApp encryption and chat privacy

  • Class action lawsuit in the US accuses Meta of being able to access supposedly encrypted WhatsApp messages.
  • WhatsApp maintains that its end-to-end encryption is real and based on the Signal protocol.
  • Leaks and former contractors raise doubts about whether employees and moderators could read some chats.
  • The debate has a major impact on Europe and Spain, where WhatsApp is the dominant messaging app.


In the last week, WhatsApp has been making headlines, and not for a good reason. Personally, I've never believed that chats are end-to-end encrypted. I wonder, "If that's the case, how do they make money?" The answer seems to be that any Meta employee has access to our chats. This has been reported this week, and I will continue to insist that we try to use RCS, now available on Android and iOS.

At the same time, the company insists that no one outside the chat, not even Meta, can read the content of the messages. This tension between the official version and external accusations has made WhatsApp encryption one of the most sensitive issues in the field of data protection and digital trust for millions of European users.

What is the end-to-end encryption that WhatsApp promises?

WhatsApp has long presented end-to-end encryption (E2EE) as an essential part of its DNA. According to the platform itself, this system protects messages, photos, videos, voice notes, documents, calls, real-time location, and status updates, so that only the sender and receiver can access the content.

The app explains that each message is secured with a "lock" and a unique key. These keys are generated on the devices, not on Meta's servers. They change constantly and are managed automatically, so the user doesn't need to activate any special options to secure their chats.

To reinforce trust, WhatsApp reminds users that its encryption system relies on the Signal protocol. This protocol is widely recognized in the cybersecurity world. However, it is applied within a non-open-source app, which means that external experts can only audit in a limited way how that encryption has been implemented in practice.

How can a user tell if a chat is encrypted?

WhatsApp itself details in its Help Center that each encrypted conversation has a specific security code. This identifier is used to verify that calls and messages are effectively protected with E2EE between those two specific devices.

That code can be viewed as a QR code or as a 60-digit string within the contact information, in the "Encryption" section. Comparing this data between chat participants verifies that both use the same keys and that the content has not been forwarded to third parties.

In practice, verification involves opening a chat, going to the contact or group information screen, and tapping on "Encryption". After a few seconds, the application displays an automatic message confirming the encryption and offers the options to scan the QR code or check the 60 digits to verify that they match between both devices.

The class-action lawsuit challenging WhatsApp's encryption

Despite this official discourse, a class action lawsuit filed in the District Court of San Francisco has reignited suspicions about how encryption actually works. The court document maintains that Meta stores, analyzes, and can access communications that users send via WhatsApp, even though the platform is promoted as a completely private service.

The group of plaintiffs includes lawyers and organizations from Australia, Brazil, India, Mexico and South Africa. In their allegations, they claim that both the end-to-end encryption system and the rest of the app's security tools "wouldn't be as effective as advertised" and that the company had misled the public when communicating the level of protection available.

According to the documentation, the accusation is also based on testimonies from alleged internal whistleblowers, who are said to have described processes through which Meta employees could access the content of certain chats upon request in the company's internal system.

Meta and WhatsApp's response: "real" encryption and "absurd" accusations

The company's reaction has been unequivocal. Andy Stone, spokesperson for WhatsApp and Meta, has called the lawsuit "frivolous" and asserted that the company will seek sanctions against the lawyers who filed it. In his statements to media outlets such as Bloomberg, Stone maintains that "any claim that WhatsApp messages are not encrypted is categorically false and absurd."

Meta maintains that neither WhatsApp employees nor those of the parent company have a way to read users' encrypted communications, and that the E2EE system based on the Signal protocol has been operating for almost a decade. It also notes that governments requesting access to the content encounter the same technical barrier as any other third party: the encryption design would prevent the delivery of messages, even in the face of official requests.

Mark Zuckerberg, CEO of Meta, has publicly defended this model, stating that "there is no time when Meta's servers see the content" of the messages when two people chat on WhatsApp. For the company, the accusations that encryption is a facade are completely without technical basis.

Leaks and former contractors fuel the doubts

In addition to the legal pressure, there are the statements of former contractors linked to WhatsApp content moderation, who have been the subject of investigations by law enforcement in the United States. According to a report obtained by Bloomberg, these workers allegedly claimed that some Meta employees had broad access to the application's user messages.

The testimonies come from people who worked for WhatsApp through external consulting firms and who told a Department of Commerce investigator that their workplaces had positions with "unrestricted access" to chat rooms. This information was compiled in an internal report entitled "Operation Encrypted from Source", dated July and described as part of an ongoing investigation.

However, the U.S. Department of Commerce's own Office of Industry and Security has subsequently disavowed these claims, stating that it is not investigating WhatsApp or Meta for alleged violations of export laws and that the report prepared by one of its agents was outside its scope of competence.

Meta, for its part, has responded that "what these individuals claim is not possible" because neither the company nor its contractors have access to the content of encrypted communications. The company insists it will continue to reject the accusations, including those brought by the law firm leading the class-action lawsuit.

Criticism from the competition: Telegram and other voices

The debate about WhatsApp encryption has also been used by direct competitors in the messaging market, such as Telegram. Its CEO, Pavel Durov, has openly questioned the security of Meta's app, stating that blind trust in its protection system is, in his opinion, "unacceptable".

Durov claims that Telegram has analyzed the WhatsApp encryption system and that in the process it detected potential vulnerabilities. According to his account, WhatsApp has never been as secure as it is presented in Meta's official communications to its billions of users.

The Telegram founder's criticism came at a particularly delicate moment, right in the middle of the class action lawsuit in the United States against Meta for allegedly accessing supposedly encrypted messages. WhatsApp has simply reaffirmed that it uses the Signal protocol and that the security keys reside on the devices, not on the servers, so the company could not read the content of the chats even if it wanted to.

The encryption experts' perspective

Amid this exchange of accusations, some cryptography specialists have tried to defuse the tension. Professor Matthew Green, a cryptographer at Johns Hopkins University, noted on his blog that WhatsApp's encryption is based on the Signal protocol and that, although the Meta app is not open source, there are technical ways to detect whether the content is actually being encrypted.

Green points out that if WhatsApp were systematically reading messages, the security research community would eventually find evidence in the application's behavior or in traffic analysis. Even so, he emphasizes that not being able to review all the code makes it extremely difficult to verify independently that the encryption is applied as the company claims.

At the same time, various privacy advocacy groups, such as those promoting initiatives like "Encrypt It Already", are pressuring major companies to extend end-to-end encryption to more services and use it by default. Specifically regarding WhatsApp, these groups are demanding that E2EE backups be enabled by default and not depend on the user configuring them manually.

What about backups: the weak point of the system

One of the most relevant, and perhaps least known, nuances is the difference between the encryption of messages in transit and the protection of cloud backups. While WhatsApp chats and calls are encrypted, backups stored on Google Drive or iCloud have not always been protected with E2EE by default.

For some time now, WhatsApp has offered the option to activate end-to-end encrypted backups, so that neither the app itself nor cloud providers can access their content. But this feature requires the user to create a password or a 64-digit key, and if it is forgotten or lost, there is no way to recover the saved data.

That's why some people and companies prefer not to enable E2EE encryption in backups. They argue that this makes it easier to restore chats when changing phones, use cross-platform migration tools, or comply with certain archiving and auditing obligations, at the cost of relying solely on the security of the cloud provider.

Why do some users disable backup encryption?

The decision to forgo E2EE encryption in backups is often based on practical reasons. If someone enables that system and then forgets the password or misplaces the 64-digit key, the backup becomes unrecoverable. WhatsApp does not store these keys, so it cannot help restore them.

In the business world, disabling backup encryption can be seen as a way to secure access to chat histories for legal or regulatory compliance purposes, especially in sectors subject to stringent documentation requirements. In this context, the priority becomes the guaranteed recovery of data, even if it means assuming a greater risk in terms of confidentiality.

There are also users who, after suffering errors or blockages when restoring an end-to-end encrypted backup, opt to revert to a standard cloud backup system. Third-party tools that allow users to migrate or extract WhatsApp data between platforms typically only work with unencrypted backups, which pushes many to temporarily disable that additional level of security.

Risks and legal context in Europe and Spain

Disabling end-to-end encryption in backups means, in practice, that information is protected only by the measures of companies like Google or Apple. Anyone who gains access to the cloud account, for example through phishing or credential theft, could obtain the WhatsApp backup file and analyze its contents if it is not encrypted.

From a legal point of view, the European framework, with the General Data Protection Regulation (GDPR) as a reference, encourages the use of robust security measures, including encryption, to protect personal data. For businesses using WhatsApp for professional purposes in Spain or other EU countries, storing chat histories without additional encryption may raise compliance concerns if sensitive customer data is handled.

Furthermore, encryption affects the relationship with law enforcement agencies. If backups are end-to-end encrypted and only the user has the key, neither the cloud provider nor WhatsApp can hand over the content in the event of a court order. If they are not, tech companies could be forced to facilitate access to those backups when ordered by the courts.

This balance between privacy, public safety, and legal obligations is especially delicate in Europe, where proposals are regularly debated to limit or circumvent encryption in certain circumstances. In that context, the case of WhatsApp is being closely scrutinized, given its enormous importance in the daily communication of millions of users in Spain.

How to check and manage encryption in the app

On a daily basis, the user can perform some simple checks to better understand what is protected and how. In each individual or group conversation, it is possible to access the chat information, tap the "Encryption" section, and verify the security code using a QR code or the 60-digit string. This confirms that the exchange between those two devices is being end-to-end encrypted.
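As an added illustration (not code from WhatsApp or from the original article) of the security code check described here and under "How can a user tell if a chat is encrypted?", this sketch derives a 60-digit code from two public identity keys in the style of the Signal protocol's numeric fingerprints, and shows that the codes match only when both devices hold the same keys. The keys, identifiers, version prefix and exact byte layout are assumptions made for the example.

```python
import hashlib

ITERATIONS = 5200        # SHA-512 rounds per fingerprint
VERSION = b"\x00\x00"    # assumed version prefix; real clients fix their own byte layout


def numeric_fingerprint(identity_key: bytes, user_id: bytes) -> str:
    """Derive a 30-digit fingerprint from one party's public identity key."""
    digest = VERSION + identity_key + user_id
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # First 30 bytes -> six 5-byte chunks -> each reduced to 5 decimal digits.
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def security_code(key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> str:
    """Join both fingerprints in sorted order so each device shows the same 60 digits."""
    parts = sorted([numeric_fingerprint(key_a, id_a), numeric_fingerprint(key_b, id_b)])
    return "".join(parts)


def grouped(code: str) -> str:
    """Format the code in blocks of five digits for side-by-side comparison."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))


# Constructed stand-ins for 32-byte public identity keys (not real key material).
ALICE_KEY = hashlib.sha256(b"constructed alice identity key").digest()
BOB_KEY = hashlib.sha256(b"constructed bob identity key").digest()
OTHER_KEY = hashlib.sha256(b"constructed unexpected key").digest()
ALICE_ID, BOB_ID = b"+10000000001", b"+10000000002"  # constructed identifiers

if __name__ == "__main__":
    on_alice = security_code(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    on_bob = security_code(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    print("Alice sees:", grouped(on_alice))
    print("Bob sees:  ", grouped(on_bob))
    print("Match:", on_alice == on_bob)
    # Alice's device holds a different key for Bob than the one Bob really uses.
    mismatched = security_code(ALICE_KEY, ALICE_ID, OTHER_KEY, BOB_ID)
    print("Match with unexpected key:", mismatched == on_bob)
```

Because the code depends only on the two public identity keys and identifiers, a mismatch on comparison means at least one device is encrypting to a key the other party does not hold.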

Regarding backups, on both Android and iPhone you can open the "Chat Backup" section from the app settings and see whether the "end-to-end encrypted backup" option is activated. If it is, a password or the 64-digit key will be required to deactivate or modify it; otherwise, the user can configure this protection by following the wizard offered by WhatsApp.

Even with all these features, the current debate reminds us that encryption is not a purely technical matter, but also a matter of trust in how companies implement and honor their own promises. Amid lawsuits in the United States, leaks from former contractors, criticism from competitors, and the watchful eye of European regulators, the future of WhatsApp encryption and its status as a truly private tool will remain a key issue for users, security experts, and authorities in Spain and throughout Europe.
