"The claim that WhatsApp can access people's encrypted communications is patently false," Meta spokesperson Andy Stone said. He added that the bureau had already "disavowed this purported investigation, calling its own employee's allegations unsubstantiated."

I can't help but notice that in response to people's concern that Meta may be able to read people's messages, the Meta spokesperson responds that WhatsApp can't read them. A little bit of administrative juggling on Meta's end so that the team with access to the messages doesn't fall within the WhatsApp department, and both claims could be true.

Here's the original reporting, instead of another website's summary of Bloomberg's actual report:

https://www.bloomberg.com/news/articles/2026-04-28/us-ends-investigation-into-claims-whatsapp-chats-aren-t-private

https://archive.is/sGE3e

So it sounds like the agent was investigating allegations, from content moderation contractors, that Meta could access the contents of WhatsApp messages, and came to the conclusion that yes, Meta could.

There are a few possibilities here.

1. Meta does have full plain text access to all Whatsapp messages, but guards that access very closely. Although the clients seem to generate E2EE keys for each session, somehow they're leaking those keys to Meta's servers somewhere, and the closed source code sufficiently hides that so that there's no whistleblower or security researcher able to detect this definitively.
2. Meta has a secret wiretap functionality where they can compromise the E2EE keys somehow, but uses it only for narrow cases. This helps keep the functionality secret, because security researchers and other reviewers may never see the functionality in action.
3. Meta allows users to report objectionable content in the threads they're already part of. The reporting function either forwards the E2EE key itself, or all the plaintext data, that gives content moderators access to the underlying message contents. The contractor whistleblowers and the federal agent investigating these allegations simply got it wrong, and misunderstood the technical process of how the plaintext messages end up in the content moderator's possession.

Meta claims that it's #3. They acknowledge they have plaintext access to messages when a party to the thread presses the report button.

This unnamed federal agent believes it's #1, after 10 months of investigation, and sent out an email to other investigators that they should look into that possibility.

I'm skeptical of #1, simply because I don't believe that conspiracies to keep that kind of stuff secret can be maintained. It's not just that there would be technically skilled whistleblowers who have actual access to the code (not the non-technical content moderator contractors who review the content), but a weakness in such an important and widely used protocol would attract all sorts of hackers, state sponsored or otherwise.

But option #2 might explain everything we've seen so far. Full wiretap capability that is rarely used and very tightly controlled.

I'm just here to satisfy my confirmation bias, but my question all along has been this: how does Meta simultaneously satisfy their claims of both E2EE and content moderation on WhatsApp? I can't say that I've done anything even close to a deep dive on the topic, but those two things seem mutually exclusive.

The most important question to ask when evaluating end-to-end encryption: who manages the keys?

If Facebook manages all of the keys and is responsible for telling which public key belongs to who, then of course Facebook can read every message.

No. Shit.

People who say Facebook (now Meta) paid $21 billion (with a B) for WhatsApp to be charitable. Even though the original creators have distanced themselves from it after the acquisition.

Fun fact: every forum running phpBB, Invision, or vBulletin (as in, traditional Internet forums) can read your DMs in plaintext. They're unencrypted in the SQL database. However, the forum's Admin Control Panel (ACP) does not provide this functionality. All three have mods that add it in. So imagine you run a forum. You have a hidden forum where only your mods and admins can interact. No one else can even see it. You could have a whole other one that is just all the DMs. I'm not sure about social networks. But I know if you have command-line access to the SQL database, you can query a user and see everything that user has put in the database. Public messages... and private ones. So a lot of the forums started saying "Personal messages" or "Direct messages" instead of "Private messages" because they were never private.

Disbelieve anyone who says they can't see your private or personal messages.

The fact that Trump's own goon uses Signal and not WhatsApp should probably tell you all you need to know about using WhatsApp.

I never assumed that this presumed "end to end encryption" was secure in any way. The key exchange either runs over Meta servers, and they just log them, or the client software simply surrenders the key (maybe always, maybe on demand) together with the data stream that still runs over Meta servers.

Just assume anything you're writing online, on any app, any website, any social media platform... ANYTHING is being tracked now.

We learned from the FBI's disclosure of the Guthrie kidnapping video that every camera and microphone are surveilling you and feeding that data into a government database without a warrant, so why would you think your apps are doing anything different?

If you can't see the code (closed source) then treat it as they're lying and it isn't end to end encrypted

It's decided. No more arms deals on Whatsapp for this guy.

So the truth is they store messages encrypted. But what they also do is storing the private keys for those messages.

Meaning they technically do it. But it's like locking the door for someone who also has the keys.

If you still use faecesbook products, you're an idiot.

bold of you to assume meta respect data privacy, they have been all in on datamining for a while aready

Settle down. There's nothing to see here. Move along quietly and please remain calm....... /s

And here I thought the E2EE of Whatsapp was based on the one developed by Signal or at least so they say.
But I guess it's hard to inspect anything, if it's no open source software.
I'm so glad there's SIgnal and a lot of my contacts use it.
Back when it was called Textsecure it was a different story.

Anyone who thinks Facebook would give you end to end encryption is a fucking fool.

So that ad campaign that they ran saying no one but you can see your messages. That was a bit strange that they were pushing it, since no one appeared to be saying otherwise, might be a lie? I never would have guessed.