Texas AG Sues Meta Over WhatsApp Encryption Claims

Texas AG sued Meta Thursday. The lawsuit says WhatsApp's end-to-end encryption promise to over 3 billion users is a lie. But the complaint claims Meta can and does read unencrypted WhatsApp messages, so it's directly contradicting years of public assurances from CEO Mark Zuckerberg and the company formerly known as Facebook.

Texas AG Sues Meta Over Privacy Claims

The lawsuit, filed by Texas Attorney General Ken Paxton's office, targets one of the most sacred promises in modern digital communication. But it's sacred. Since at least 2016, Meta has told WhatsApp users their messages are encrypted on the sender's device with keys available only to the receiver, meaning nobody else, including the platform itself, can read plaintext messages.

In 2018, Zuckerberg himself reinforced this guarantee under oath before two US Senate committees, stating Meta doesn't see any WhatsApp content since it's fully encrypted and that Facebook systems can't see messages transferred over WhatsApp. It's fully encrypted. The Signal protocol powers this encryption, an open source code base that multiple third-party experts have confirmed lives up to its promises. But the Texas AG sues Meta anyway.

The complaint's language pulls no punches. Attorneys wrote that they are taking action to "prevent WhatsApp and Meta from continuing to willfully deceive Texans by misrepresenting that their private communications were just that, private and inaccessible even to WhatsApp and Meta, when, in fact, WhatsApp and Meta have access to all WhatsApp users' communications in their entirety." The gravity of the alleged violation, they argued, "cannot be overstated."

A Single News Article as the Foundation

Here's the awkward part. A Bloomberg article from last month, the sole factual evidence for these sweeping claims, reported that US Commerce Department's Bureau of Industry and Security abruptly closed investigation into whether Meta could access encrypted WhatsApp messages. And that closure came shortly after one of the department's agents sent an email outlining the probe's preliminary findings.

The January 16 email, reportedly sent to more than a dozen officials at other agencies, stated there is "no limit to the type of WhatsApp message that can be viewed by Meta" and that the misconduct "involve civil and criminal violations that span several federal jurisdictions." But there is a catch.

The Texas AG's lawsuit does not indicate the office obtained the email itself or gathered any information from the investigators involved. The complaint cites only the Bloomberg report. Period.

What the Complaint Actually Cites

• The Bloomberg article about the closed Commerce Department investigation
• The fact that Meta employees receive plaintext WhatsApp messages reported by users
• Those messages, however, are taken from the reporting party's device only after decryption with keys available solely to that user

The scarcity of factual support has not gone unnoticed. Technologists and encryption experts have been quick to point out that a thorough reverse engineering of WhatsApp would, in all likelihood, reveal any attempt to bypass the Signal protocol's protection.

Encryption Experts Push Back

It's impossible to assess definitively. Benjamin Dowling, a senior lecturer in cryptography at King's College London, co-authored in 2023 a detailed technical analysis of WhatsApp, and his team reverse-engineered the WhatsApp cryptographic protocol and found no indication it was behaving differently from what Meta described, but he stressed that the analysis only applied to the May 2023 client and that the closed source status makes a definitive assessment impossible.

Our reverse-engineering of WhatsApp and all the evidence we are aware of points towards WhatsApp providing users with end-to-end encryption for their message contents. While our analysis did find design weaknesses in the protocol, such as a lack of user control over things like group membership, these weaknesses are unlikely to be the basis of the complaint as they would not allow global stealth reading of messages. As it stands, we are not aware of any concrete evidence that WhatsApp has broken their promise of end-to-end encryption.

Three other cryptography experts interviewed echoed similar doubts. Kenny Paterson, a researcher at ETH Zurich, called the lawsuit "general dung-throwing in Meta's direction" and said the case appeared "built on a very thin evidence base: essentially, one news article is referenced to support the actual accusation." Matthew Green, a professor at Johns Hopkins University, noted that "the WhatsApp clients are all available for reverse engineering. For there to be a vulnerability like this, something very bad would have to be happening inside that app."

The 2023 Security Audit

• Researchers gave WhatsApp a clean bill of health for operating securely as described
• One design flaw was found: a Meta employee with infrastructure access could add new members to group chats without permission
• That addition, however, would be fully visible to all other members

So it gets interesting. Meta called the allegations "baseless" in an email and vowed to fight the lawsuit in court, but representatives in the Texas attorney general's office didn't respond to an email asking whether investigators had obtained any evidence beyond what was in the news article.

Politics Enters the Chat

Ken Paxton has a runoff. Heading into the final stretch of his US Senate primary runoff against incumbent John Cornyn, it's tempting to see the lawsuit as an appeal to voters, positioning him as a privacy advocate for Texans. But given Meta's well-documented history of privacy lapses and data grabs, there are plenty of legitimate reasons to be skeptical of the company.

But it misses something. Unless new evidence comes to light, the allegations in Thursday's complaint aren't among those reasons, and the Texas AG's case against Meta currently rests on a single news article and little else. Meta says it'll see the state in court.