Despite Privacy Promises, Meta, Third Parties Read and Store WhatsApp Messages, Class Action Lawsuit Alleges

A proposed class action lawsuit alleges that despite Meta Platforms’ promises of total privacy between sender and recipient, the tech giant has secretly allowed its employees, certain contractors and/or other third parties to intercept, read and store WhatsApp messages.

The 52-page privacy lawsuit contends that although Meta has pervasively marketed WhatsApp as a private, secure, end-to-end-encrypted messaging service where “[o]nly you and the person you’re talking to can read or listen to” messages, Meta employees, Irish consulting and tech firm Accenture and possibly other third parties, unbeknownst to users, can access messages via a “backdoor” in the WhatsApp source code. According to the complaint, the backdoor allows Meta and WhatsApp employees and/or third-party contractors to “circumvent the encryption in order to view users’ private messages.”

Although backdoor access is mainly used to “review messages flagged for fraud” or policy-violating conduct, the case says, Meta, WhatsApp and Accenture employees nevertheless have “broad access to users’ messages.”

The filing stresses that neither Meta nor WhatsApp asks users for consent to have the contents of their private messages "intercepted, read, stored, accessed, and/or or viewed" by outside parties. Instead, Meta purports in the WhatsApp privacy policy that the company does not retain messages in the ordinary course of providing services, and that messages are stored on a user’s device and “not typically stored on our servers.”

“Nowhere does WhatsApp disclose that it, Meta, their respective employees, Accenture contractors, and/or third parties may read, access, or view the contents of all messages users send on WhatsApp, nor that app messages sent by users are intercepted and stored,” the suit states.

Complaint cites whistleblower accounts of alleged backdoor in WhatsApp communications

After its acquisition by Meta in 2014, WhatsApp partnered with Open Whisper Systems to integrate the end-to-end encryption cryptographic protocol, called the Signal Protocol, into its platform, which is understood by users to mean the contents of their messages are “undiscoverable by non-recipients of the message,” the suit says. According to the complaint, Signal offers its own messaging platform using open source code available for public inspection, which allows for transparency and security checks.

Rather than open its source code to the public, however, the lawsuit contends that Meta instead hides its encryption source and ensures WhatsApp’s source code is not available to the public, meaning independent parties are unable to reverse engineer the platform’s code to confirm that it functions without a backdoor, "which would permit non-recipients to access users' communications."

Related Reading: Data Breach Lawsuits

The lawsuit cites recent whistleblower accounts to federal investigators that reported employees of Meta and WhatsApp and third-party contractors were able to access users’ messages despite what the company represented. As a result, the whistleblower accounts have prompted a special investigation by special agents with the U.S. Department of Commerce, the case shares.

Lawsuit says WhatsApp’s compliance with government inquiries hints at likelihood of backdoor access

The suit relays that several countries worldwide have implemented, or have shown interest in implementing, legislation that would require messaging services such as WhatsApp to provide access to users’ communications as part of criminal investigations. For instance, the suit says, countries such as India and the United Kingdom require that communication companies decrypt messages on suspicion of fraud or in the interests of national security.

WhatsApp, as a global enterprise, is subject to the laws of the countries in which it operates, and the case maintains that the “only way” it would be able to comply would be if it had the ability to access encrypted messages via a backdoor in the Signal Protocol.

The complaint mentions that, sometime in 2021 or 2022, WhatsApp enlisted hundreds of Accenture reviewers in the United States and worldwide to review and moderate the content of purportedly encrypted messages.

"...[T]hese contractors understood that certain WhatsApp/Meta employees had backdoor access to all WhatsApp user messages from which they pulled messages to provide to outside investigators in response to requests regarding criminal investigations and/or to Accenture reviewers to review for criminal investigations and/or investigations into violations of company policies," the suit reads, adding that some were tasked with looking into fraud on Facebook Marketplace.

"Upon further information and belief, once a user message was flagged for potential fraud, days of messages would be sent through the portal to be reviewed," the suit states. "Usernames and profile information was visible to the reviewers, along with the content of the messages, which could be viewed by scrolling through the dashboard on the portal."

WhatsApp violates “foundational promise” to keep users’ messages private, suit claims

Since its inception in 2009, WhatsApp has always branded and marketed its platform as a secure, private messaging service, the suit states. Per the case, WhatsApp explicitly states that “your personal messages and calls are secured with a lock” and that end-to-end encryption effectively means “no one else, not even WhatsApp” can read the messages.

WhatsApp also claims that it does not keep logs of who a user messages or calls, an assurance backed by Meta CEO Mark Zuckerberg in sworn public testimony before Congress, the lawsuit states.

Further still, once a user proceeds to account creation, they must agree to the WhatsApp Terms of Service and Privacy Policy, which emphasize the “strong privacy and security principles” that are supposedly central to the company and reiterate that messages will be encrypted, not stored on the WhatsApp servers and inaccessible to anyone but those involved in the communication, the complaint says. 

The WhatsApp privacy policy also affirms that “[o]nce your messages are delivered, they are deleted from our servers,” the case adds.

Who is covered by the WhatsApp class action lawsuit?

The WhatsApp class action lawsuit seeks to represent all WhatsApp users residing in the United States who, between April 5, 2016 and the present, sent or received communications on the WhatsApp platform.

How can I sign up for the WhatsApp lawsuit?

Typically, you don’t need to do anything to sign up for or join a class action lawsuit when it is initially filed. Should the case be resolved with a class action settlement, settlement class members will typically be notified of the deal by mail and/or email with instructions on what to do next and their options and legal rights moving forward.

If you are a WhatsApp user and want to follow this litigation, or simply want to stay in the know on class action lawsuit and class action settlement news, sign up for ClassAction.org’s free weekly newsletter.

Check out ClassAction.org’s lawsuit list for the latest top class action lawsuits.