Texas AG sues Meta alleging WhatsApp encryption claims are false

Texas Attorney General filed a lawsuit against Meta Platforms Inc. on May 22, claiming that WhatsApp does not deliver the end-to-end encryption (E2EE) it has advertised to users since at least 2016, despite assurances from Meta leadership and public statements that the platform provides users with private communications inaccessible even to Meta itself.

The core encryption claim

According to Ars Technica, Texas attorneys contend that Meta can read and does access the unencrypted contents of WhatsApp messages, contradicting the company’s decade-long public position. The complaint states that Meta’s encryption promises are false and represent consumer deception. In sworn testimony before two US Senate committees in 2018, Meta CEO Mark Zuckerberg stated the company does “not see any of the content in WhatsApp; it is fully encrypted.”

WhatsApp’s encryption relies on the Signal protocol, an open-source codebase that cryptography researchers have independently verified meets its security specifications. The lawsuit does not challenge the Signal protocol’s integrity but instead alleges Meta circumvents or misrepresents the encryption system’s functionality.

Evidence sourcing and investigative questions

The lawsuit’s factual foundation rests almost entirely on a single Bloomberg report about a January 16 email sent by a US Commerce Department Bureau of Industry and Security agent. According to Bloomberg, the email—distributed to more than a dozen federal officials—stated that “there is no limit to the type of WhatsApp message that can be viewed by Meta” and alleged both civil and criminal violations spanning multiple federal jurisdictions.

Ars Technica notes that the Texas AG’s complaint does not indicate whether the office has obtained the email directly or conducted independent interviews with the Commerce Department investigators. This reliance on secondary reporting rather than primary documentation has drawn criticism from observers who question the lawsuit’s evidentiary weight.

Meta’s response and broader context

Meta responded by calling the allegations “baseless” and pledging to defend the case in court. The company reaffirmed its privacy commitments without addressing the specifics of the Commerce Department email or the underlying investigation.

Notably, the abrupt closure of the Commerce Department probe itself raises questions about the basis for the Texas lawsuit, as Ars Technica reports. If federal investigators had concrete evidence of the alleged misconduct, the termination of their examination—described as sudden by Bloomberg—suggests either insufficient evidence, prosecutorial discretion, or external pressure to halt the investigation.

Why This Matters

This lawsuit tests whether state-level consumer protection authority can challenge Meta’s encryption claims when federal regulators closed their own parallel investigation without public findings. For WhatsApp’s 3 billion+ users, the lawsuit outcome will either validate or cast doubt on the company’s privacy assurances. If Texas prevails, it could trigger additional state actions and potentially force Meta to either prove its encryption claims or alter how it represents user privacy. Conversely, if the case fails due to insufficient evidence or burden-of-proof issues, it may signal that secondary reporting of closed federal investigations cannot alone sustain consumer deception claims. The cryptographic community is watching to determine whether the Signal protocol itself is under scrutiny or whether Meta’s data-handling practices are the actual target.