Durov attacks WhatsApp as Texas challenges Meta's encryption claims

Texas Takes on Meta Over WhatsApp Encryption Claims

The Lone Star State has filed a lawsuit against Meta, alleging that WhatsApp's end-to-end encryption promises are misleading. Texas Attorney General Ken Paxton argues that WhatsApp's default backup settings store messages in plain text on Apple and Google servers, contradicting the company's marketing of complete privacy. This legal action aligns with growing scrutiny of Big Tech's security practices, especially when billions of users rely on these platforms for sensitive communications. The lawsuit demands transparency and accountability, potentially reshaping how messaging services disclose encryption limitations.

Durov's Blistering Critique of WhatsApp's Privacy Promises

Telegram CEO Pavel Durov has amplified the controversy, labeling WhatsApp's encryption claims as the "biggest consumer fraud in history" in a series of posts on X. He asserts that WhatsApp deceives billions by implying all messages are fully protected when, in reality, approximately 95% of private messages end up in cloud backups without end-to-end encryption. Durov highlights that default backup settings store conversations on iCloud or Google Drive in plain text, accessible to third parties through legal requests or security breaches.

The Backup Paradox

Durov points out a critical nuance: even when users enable encrypted backups, the other party in a conversation may not have done so, exposing the entire thread. He argues that WhatsApp's metadata collection, including who communicates with whom, further weakens privacy claims. Telegram, he contrasts, has never disclosed user message content since its launch.

Technical Reality: What End-to-End Encryption Actually Covers

End-to-end encryption ensures messages are scrambled from sender to receiver, but this protection typically ends at the device. Once a message is decrypted for display, the app can store it in unencrypted form, particularly during backups. WhatsApp's encryption does not extend to cloud storage by default, meaning messages are vulnerable if the cloud provider is compromised or served with a warrant.

Default Settings vs. User Expectations

Most users assume the green "encrypted" banner covers all aspects of their chats. However, WhatsApp's default backup settings explicitly exclude end-to-end encryption, requiring manual activation of a secure backup passphrase. This mismatch between marketing and technical implementation is at the heart of both the Texas lawsuit and Durov's criticisms.

The Legal and Regulatory Landscape Intensifies

Texas's lawsuit is part of a broader trend where regulators demand clearer disclosures about encryption. The Federal Trade Commission has also scrutinized Meta's privacy practices. If successful, the case could force Meta to alter how it markets encryption, possibly labeling backups as "not end-to-end encrypted" by default. This would have ripple effects across the messaging industry, compelling competitors like Signal and Telegram to reconsider their own transparency.

Industry Reactions and Defense Mechanisms

Elon Musk and other tech leaders have weighed in, with Musk endorsing Durov's critique. WhatsApp, for its part, maintains that its in-transit encryption is robust and that backup encryption is a separate feature clearly documented. Privacy advocates argue the real issue is that most users never enable backup encryption, leaving them exposed. Some experts note that WhatsApp's approach balances security with usability: expecting average users to manage passphrases is impractical. Yet the lawsuit suggests this balance may prioritize convenience over genuine safety.

What This Means for User Privacy Going Forward

This controversy underscores a fundamental tension in modern messaging: true end-to-end encryption is only as strong as its weakest link, often cloud backups. Both Durov's attack and Texas's legal challenge push for a reckoning where companies must plainly state what their encryption covers, and what it doesn't. For users, the takeaway is clear: default does not mean protected. As the legal battle unfolds, expect more platforms to adopt clearer labeling and perhaps default-on backup encryption.