Nothing suggests that WhatsApp’s encryption protocol has been broken or that Meta can read the contents of your conversations.
Nothing prevents them from reading the messages prior to encryption or after decryption.
> Nothing suggests that WhatsApp’s encryption protocol has been broken or that Meta can read the contents of your conversations.
> Nothing prevents them from reading the messages prior to encryption or after decryption.
Well not nothing. Android apps are quite easy to reverse engineer so there would be a high risk of them getting caught which would be quite damaging for WhatsApp's brand.
I wouldn't say it's a lot, but it isn't nothing.
There is certainly nothing technical stopping them from doing it, but that's true of Signal too.
> Well not nothing. Android apps are quite easy to reverse engineer so there would be a high risk of them getting caught which would be quite damaging for WhatsApp's brand.
None of their users would care. But also good luck finding a news site that cares to write about it and has some reach.
> There is certainly nothing technical stopping them from doing it, but that's true of Signal too.
Isn't Signal built reproducibly, without obfuscation?
Not currently, but in theory that is better, true.
I was thinking about Signal, and a fun fact is that if we invite all our friends and families to Signal, then practically "none" of its users would care about such an incident either.
https://faq.whatsapp.com/414631957536067/
Either the report function doesn't work like they say, or messages are stored decrypted, or they can decrypt messages at will based on a simple request from another user
Edit: fixed
hhttps://
I think I have to decrypt this url before I can open it
/edit: I did it! I was able to decrypt it!
When you report a user in an individual chat, WhatsApp receives up to five of the last messages they’ve sent to you.
This particular function is not at odds with E2EE. The client can either:
You're right, the messages would not be decrypted by the server but by the client making the report. Key rotation also shouldn't be an issue because it uses a ratcheting chain key. But if the non-malicious client is already set up to send decrypted messages to the server, this seems antithetical to the idea that WhatsApp can't read your conversations. There are clear caveats without even introducing the idea of a malicious client potentially exfiltrating decrypted messages elsewhere. Signal on the other hand receives the reported sender's phone number and an encrypted message ID, presumably acting on spam reports by relying on multiple reports of the same message from the same sender, rather than by reading the message.
You have to be stupid to think WhatsApp, a Facebook company, doesn't have access to your messages.
They ran a bunch of full-page ads this summer. All it said was "no one can see your messages but you." I immediately decided that was not true, otherwise why advertise it?
Yeah, I don't know who thought that was a good idea to advertise. It'd be like Betty Crocker cake boxes suddenly saying "Uranium Free!".
Like, yes, I wouldn't expect food to usually have added uranium to it, so why are you saying it?...
The only time I remember feeling genuine panic at a software update was years ago when my laptop suddenly decided it urgently had to restart. It took longer than I'd expected to boot up again and it kept showing the message 'All your files are exactly where you left them'.
I have no idea how or why but that really felt like a threat 🤣 of course when it finally turned on I was scouring all my folders trying to remember what I had where to see what they'd accidentally deleted. I felt stupid for being so suspicious then went online and 'all your files are exactly where you left them' was already turning into a meme. It made people angry as hell.
And thinking about it, if someone is unlocking their front door and you interrupt them to say 'excuse me, sorry, just wanted to say: all the stuff in your bedroom is exactly how you left it,' they probably would not feel reassured.
It is not a reassuring thing to hear. Anyway, fuck meta.
Half of messengers advertise privacy
I get people may enjoy the technical aspects to WhatsApp's privacy. It's a Meta app and therefore is not safe, which should be basic critical thinking.
WhatsApp is not open-source, you can't compile the client yourself. It doesn't matter if it's been audited by a third party. That version could've easily been backdoor-free.
Attaullah Baig, who ran WhatsApp’s security team between 2021 and 2025, says the app isn’t nearly as private as Meta claims. In his lawsuit, he alleges that roughly 1,500 employees have access to sensitive user information, including location, profile photos, group memberships, and contact lists.
Also unaddressed account takeovers.
Group memberships and contact lists are golden data for both Meta and snoopy governments.
Literally owned by Facebook. No, WhatsApp is not safe.
I’m not a fan of them, but I don’t think you could point to any email provider that can’t or won’t provide IP addresses and recovery emails to law enforcement when compelled. You can use Proton without a recovery email and over Tor, which is more than most allow as well.
I only mentioned their history and did not call for a boycott. I also use Proton myself, but it annoys me that they present themselves as better than they are... They are just one of the few less bad providers.
Very true.