Two of the most prominent figures in tech have taken direct aim at WhatsApp’s security promises. Elon Musk, who owns the social platform X, and Telegram founder Pavel Durov have both publicly questioned whether WhatsApp’s end-to-end encryption actually keeps messages private, amplifying doubts at a moment when a federal lawsuit and a U.S. government inquiry have put Meta on the defensive. Meta has fired back hard. Spokesman Carl Woog called the legal claims “frivolous,” and the company sent a sanctions threat letter to the plaintiffs’ attorneys, a move that signals Meta views the case as baseless and wants to make an example of it.
The clash matters because WhatsApp serves roughly three billion accounts worldwide, making it the default communications tool for families, businesses, and political movements across dozens of countries. If its encryption guarantees are weaker than advertised, the consequences reach far beyond Silicon Valley rivalries.
The lawsuit and Meta’s response
At the center of the dispute is a lawsuit filed against Meta alleging that WhatsApp can read user messages despite its end-to-end encryption. The complaint has drawn skepticism from independent security researchers, who note it lacks the specific technical detail needed to explain how Meta could bypass the Signal Protocol, the open-source cryptographic framework that underpins WhatsApp’s message encryption. That protocol has undergone independent security audits, including reviews supported by the Open Technology Fund, and no public audit has found a backdoor.
Meta has not limited its defense to public statements. The sanctions threat letter sent to the plaintiffs’ legal team is an aggressive procedural move, essentially warning opposing counsel that Meta will seek financial penalties if the court finds the lawsuit was filed without adequate factual basis. Courts have not yet ruled on the merits, so the allegations remain unproven.
Separately, the U.S. Department of Commerce’s Bureau of Industry and Security began looking into the claims earlier this year, according to The Guardian. A BIS spokesperson characterized the underlying assertions as unsubstantiated, and as of May 2026, no public documents, subpoenas, or formal investigation notices have surfaced. Whether the inquiry is still active, has expanded, or has quietly closed remains unclear.
What the research actually shows
The strongest technical evidence in this debate does not come from the lawsuit or from Musk and Durov. It comes from independent academic work.
A preprint paper hosted on arXiv demonstrates that WhatsApp’s architecture exposes users to large-scale enumeration attacks, meaning researchers were able to map user metadata and network patterns across the platform’s massive user base. A second arXiv preprint analyzes WhatsApp’s adaptation of the Signal Protocol handshake and identifies potential weaknesses in properties like forward secrecy, which is supposed to ensure that compromising one encryption key does not unlock past conversations.
Neither paper claims that Meta is reading messages. What they establish is that end-to-end encryption, even when functioning correctly, protects only message content. It does not shield metadata: who contacts whom, when, how often, from which location, and through which device. For intelligence agencies, law enforcement, or data-driven advertising systems, metadata can be nearly as revealing as the messages themselves.
It is worth noting that both papers are preprints and have not completed formal peer review. Their findings are, however, based on reproducible methods described by university-affiliated researchers, and they align with longstanding concerns in the cryptography community about the gap between encrypted content and exposed metadata.
The competing interests behind the criticism
Musk and Durov are not neutral observers. Musk runs X, which includes its own direct messaging features. Durov built Telegram as a direct competitor to WhatsApp. Both have commercial reasons to undermine trust in Meta’s flagship messaging app.
That context does not automatically invalidate their concerns, but it should shape how readers weigh them. Neither Musk nor Durov has published original technical research to support their claims. Their public statements function primarily as competitive positioning, delivered to audiences already inclined to distrust Meta.
There is also an irony worth noting. Telegram does not enable end-to-end encryption by default in standard chats. Only its “Secret Chats” feature uses client-to-client encryption. Regular Telegram conversations are encrypted between the user’s device and Telegram’s servers, meaning Telegram itself can technically access message content in those exchanges. Durov criticizing WhatsApp’s encryption without acknowledging this distinction leaves out important context.
What this means for users
For the vast majority of WhatsApp’s users, the practical picture is more nuanced than either side of this fight suggests. No verified evidence has emerged showing that Meta has broken, bypassed, or deliberately weakened WhatsApp’s end-to-end encryption. The Signal Protocol remains one of the most scrutinized and respected encryption frameworks in use, and its core protections for message content appear intact.
The documented risk is metadata. WhatsApp knows who you talk to, when you talk to them, how frequently, and from where. That information sits outside the encryption envelope, and Meta’s business model depends on data collection across its family of apps. The company has not published a detailed public accounting of exactly what metadata it collects from WhatsApp interactions or how that data intersects with its advertising infrastructure.
Users who want to reduce their metadata footprint can take several steps now: limit profile visibility, prune group memberships, disable automatic contact uploads, turn on disappearing messages, and avoid linking WhatsApp to other Meta services like Facebook or Instagram. For people facing elevated risks, such as journalists, activists, or political organizers, a layered approach is more appropriate. That might mean using different messaging apps for different purposes, pairing encrypted messaging with a VPN, or relying on privacy-focused operating systems. None of these steps eliminate metadata exposure entirely, but they make the overall picture harder to assemble.
What comes next
The next phase of this story hinges on several open questions. Will the lawsuit survive early motions, or will Meta’s sanctions threat pressure the plaintiffs into withdrawing? Will the BIS inquiry produce findings, or fade from public view? And will regulators in the U.S. or Europe begin demanding that encrypted messaging platforms disclose not just how they protect message content, but what they still collect around it?
The combination of academic research, legal action, and public criticism from rival tech executives has already shifted the conversation. Encryption is no longer a simple marketing claim that platforms can make without scrutiny. For WhatsApp’s three billion users, the question is no longer just whether anyone can read their messages. It is whether everything surrounding those messages tells its own story, and who gets to read that one.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
