this post was submitted on 27 Jan 2026
186 points (99.5% liked)

Privacy


An international group of plaintiffs is suing Meta, alleging that WhatsApp's end-to-end encryption isn't actually private. Lawyers are asking the court to certify a class-action.

[–] tyler@programming.dev 48 points 4 days ago (3 children)

Meta Is Being Sued Over Whether WhatsApp Really Encrypts Your Messages

No, they’re being sued over whether Meta can read your messages, not whether e2e is implemented. I covered this in a different comment the other day, but these are not mutually exclusive, which is why Meta can be completely truthful about e2e encryption being on and yet the lawsuit can still be correct.

[–] unexposedhazard@discuss.tchncs.de 29 points 4 days ago* (last edited 4 days ago) (3 children)

I think I get what you mean, but if they can read the messages then it's not, strictly speaking, E2EE. By what means that happens is irrelevant, whether they have a copy of the keys or exfiltrate the data through the app.

... a secure communication system where only the sender and intended recipient can read the messages.

https://en.wikipedia.org/wiki/End-to-end_encryption

[–] JackbyDev@programming.dev 3 points 4 days ago

Imagine a scenario where your app checks for stuff, say links to a competitor's website, prior to encrypting and sending the message. Then, if such information was found, it notifies someone. This would still be genuine end to end encryption while still snooping on messages.

[–] JubilantJaguar@lemmy.world 5 points 4 days ago* (last edited 4 days ago) (1 children)

if they can read the messages then its not strictly speaking e2ee

Yes, it can absolutely still be E2EE: the message is encrypted and the central server does not have the key. The issue is that the clients (i.e. the "E"s) are controlled by the same entity as the central server, and we don't know exactly what the client (app) is doing. So the fact that it's E2EE is somewhat moot.

This is exhibit #1 in the case for open-source software.

PS: you obviously get this, I'm just trying to make it clearer for anyone who doesn't.

[–] unexposedhazard@discuss.tchncs.de 6 points 4 days ago* (last edited 4 days ago) (2 children)

can read the messages

It's about their ability to read the message, not the encryption. If anyone else other than the intended recipient, be it Meta or Google or the government, can read the message, then it's not "end to end" anymore.

Also, even if it were about the keys, it still wouldn't be E2EE, because the app is a black box controlled by Meta, so the key is in Meta's hands by definition. Any piece of software that they have sole control over is "their hands", and when exfiltrating the messages from your phone they are using that key to decrypt the messages and send them to their servers.

[–] JubilantJaguar@lemmy.world 7 points 4 days ago

Yeah sure, I understand all that, indeed it's pretty much exactly what I wrote. You are simply taking an expansive definition of E2EE where I am using a narrow one. As far as we know, Meta is indeed sending its messages in an encrypted state, end to end, so technically it makes the grade as E2EE. That debate is kinda boring, I was simply trying to point out that this case study illustrates the importance of FOSS. And since you are downvoting me, that's all I have to say here.

[–] AHemlocksLie@lemmy.zip 2 points 4 days ago

If anyone else other than the intended recipient, be it Meta or Google or the government, can read the message, then its not "end to end" anymore.

I don't think that's necessarily true. So long as all data is encrypted in transmission such that only the end points can read it, I'm pretty sure that qualifies as end-to-end encryption.

The problem is that the end points are not truly autonomous; they are subject to the whims and demands of the company that writes the software, sometimes acting under complete secrecy. If WhatsApp decides to siphon data from the end points, that can be very difficult to determine and prove. End-to-end encryption is only valuable if you can trust the end points not to snitch, but you can't fully trust closed source software for this very reason, among others.

[–] tyler@programming.dev 1 points 3 days ago

It is though. Think of it this way. You are a spy, you are communicating with someone over Signal. Signal is e2e. The person you are talking with doesn't know you are a spy. They've verified that Signal is working and yet their secrets keep getting out. They go to law enforcement and say "they're a spy" and you say "no I'm not, it's e2e, nothing could have been getting out!".

If you can read the text on the screen, then it's past the point of e2e. e2e is just about transmission. It has nothing to do with the endpoints.

In this case Meta can utilize iOS App Groups which allows applications by the same company to access shared data. So imagine the easiest to understand scenario.

You get a message on WhatsApp. Your Operating System takes a screenshot of the message, and sends it off to the FBI. Nothing has broken e2e here. Your OS can't be trusted (in this example).

Now let's expand it:

  • You get a message on WhatsApp
  • WhatsApp takes a screenshot of the message and saves it to its storage. It does NOTHING ELSE WITH IT.
  • Facebook (which you also have installed) now accesses that shared data store, utilizing iOS App Groups, takes the screenshot, and sends it to Meta.

Nothing has broken e2e here. The client can't be trusted, so no matter what you do, e2e doesn't have to be broken, since the company is untrustworthy. They can claim e2e, implement fully working auditable e2e, and still exfiltrate your data.

Of course, WhatsApp probably isn't taking screenshots. They can just save off the text after they decrypt it (even if they use the Signal protocol).
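The two scenarios raised in this thread (a client that inspects or copies the text before encrypting it, and one that saves it after decrypting) as an added toy model, not code from the post or from WhatsApp: a relay server that only ever sees ciphertext, two endpoints sharing a key, and a `SHARED_STORE` dict that stands in for a hypothetical storage area shared between one vendor's apps on a device. It shows both claims holding at once: the transport is end-to-end encrypted and the server cannot read the message, yet the vendor can still obtain the plaintext when the client is not trustworthy.

```python
import hashlib
import secrets

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream from SHA-256 (illustration only, not the Signal protocol)."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class RelayServer:
    """The vendor's server: it only ever holds (nonce, ciphertext) pairs, never the key."""
    def __init__(self):
        self.mailbox = []
    def relay(self, nonce: bytes, ct: bytes) -> None:
        self.mailbox.append((nonce, ct))
    def holds_plaintext(self, msg: bytes) -> bool:
        return any(msg in ct for _, ct in self.mailbox)

# Hypothetical stand-in for a storage area shared between one vendor's apps on a device.
SHARED_STORE: dict = {}

class Client:
    """One endpoint. 'leaky' models a client that copies plaintext into the shared store."""
    def __init__(self, name: str, key: bytes, leaky: bool = False):
        self.name, self.key, self.leaky = name, key, leaky
    def send(self, msg: bytes, server: RelayServer) -> None:
        if self.leaky:
            SHARED_STORE[self.name] = msg      # copy taken before encryption (sender side)
        nonce = secrets.token_bytes(12)
        server.relay(nonce, xor_bytes(msg, keystream(self.key, nonce, len(msg))))
    def receive(self, server: RelayServer) -> bytes:
        nonce, ct = server.mailbox[-1]
        msg = xor_bytes(ct, keystream(self.key, nonce, len(ct)))
        if self.leaky:
            SHARED_STORE[self.name] = msg      # copy taken after decryption (receiver side)
        return msg

def who_can_read(msg: bytes, leaky_clients: bool) -> dict:
    """Run one exchange and report which party ends up holding the plaintext."""
    SHARED_STORE.clear()
    key = secrets.token_bytes(32)  # pairwise key known only to the two endpoints
    server = RelayServer()
    alice, bob = Client("alice", key, leaky_clients), Client("bob", key, leaky_clients)
    alice.send(msg, server)
    delivered = bob.receive(server)
    return {"recipient": delivered == msg,               # transport works end to end
            "server": server.holds_plaintext(msg),       # False: server has only ciphertext
            "sibling_app": msg in SHARED_STORE.values()} # True only when the client leaks
```

An auditor who only inspects the transport (the `server` entry) sees the same result in both runs; only the client's behaviour changes the `sibling_app` entry.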

[–] fonix232@fedia.io 13 points 4 days ago (1 children)

Yep. E2EE is only worth anything if you trust the client on both ends. Meta, being in control of the WhatsApp app (aka the client) thus can access the message contents even if there's full E2EE, simply by scanning it after decryption.

[–] NotMyOldRedditName@lemmy.world 4 points 4 days ago* (last edited 4 days ago)

The word Trust and Meta appearing anywhere visible at the same time should be against the law.

I'll take my fine.

[–] humanspiral@lemmy.ca 2 points 4 days ago

not whether e2e is implemented

e2meta2e is not e2e