Question about WhatsApp

I have a question about WhatsApp. Of course we know that it’s owned by Facebook and that they get all the metadata (who talks to whom) and your address book’s phone numbers. But the messages themselves are end-to-end encrypted.

Question 1: Given that WA is closed source, is there any way to prove whether it’s actually end to end encrypted? I mean from a business logic, it should be, because if a whistleblower comes out it would be quite the scandal, and also because of stuff like Facebook telling the UK government that they’ll quit the UK market if the E2EE ban comes. But is there any technical way of proving it?

Question 2: Are the chat backups (Google Drive, iCloud) end to end encrypted by default? I know they used to be unencrypted (just “encrypted at rest” with Google/Apple having the keys) and then I think they wanted to add the possibility of E2EE but not sure if that really happened and if so, if it is optional or default?

Because if (1) can be confirmed and (2) is E2EE by default, then actually WhatsApp isn’t that bad of a product, as long as you only care about your messages and not the metadata. It would make WhatsApp better than SMS or unencrypted Telegram/Viber/Facebook Messenger chats at least.

  1. You can MITM the device and monitor the data WhatsApp is sending back and forth. WhatsApp have also published a whitepaper on their end-to-end encryption.

  2. I’m not sure if encrypted backups are on by default, but they do give you the option to turn it on when you first register for WhatsApp.

1: As far as I know there’s no way to confirm unless it’s auditing their source code, and even if it’s encrypted, since it’s saved indefinitely the encryption could be broken at some point in the future.

2: No idea

I believe WhatsApp’s encryption is flawed. There are 1000 content moderators employed for WhatsApp. So, how can they access E2EE messages? This news is from 2021, and I am sure the numbers increased this year.

Hm, then there is the inherent risk that your conversation partner can still leak the messages via Google/Apple clouds (only really relevant if your threat is the government, in which case I guess you wouldn’t use WhatsApp anyway?)

When a WhatsApp user reports a comment in a chat, they are sending the decrypted message from their phone to WhatsApp’s moderation team. Not saying this is a privacy-respecting feature, but it’s hardly evidence of any flaw in WhatsApp’s e2ee.


100%. It’s the same as the recipient of your message emailing a screenshot to Facebook. It only works if someone in the chat chooses to reveal the contents, which is a risk with this feature or without it.