E2E encrypted messaging owned by Meta. Strong encryption, hostile metadata environment. Use Signal instead.
What should journalists know about WhatsApp?
WhatsApp uses the Signal protocol for end-to-end encryption. The cryptography is sound: Curve25519, AES-256, HMAC-SHA256, Double Ratchet with perfect forward secrecy. The problem is everything Meta wraps around it. Meta collects extensive metadata — who you talk to, when, how often, IP addresses, device info, location — and shares it across the Meta family of companies.
In September 2025, former WhatsApp security head Attaullah Baig sued Meta alleging 1,500 engineers had unrestricted access to user metadata with no audit trail, and that Meta ignored 100,000+ daily account takeovers. A class action filed in January 2026 accuses Meta of misleading 3 billion users about the real scope of E2E encryption protections.
In January 2025, WhatsApp disclosed that ~90 journalists and activists were targeted with Paragon Solutions' Graphite spyware via zero-click attacks. Citizen Lab confirmed three European journalists were hit, including Italian investigative reporter Francesco Cancellato. The US government purchased Graphite for ICE operations. Separately, Meta won a $167.3M jury verdict against NSO Group in May 2025 over the 2019 Pegasus campaign that targeted 1,400 users across 51 countries. A permanent injunction against NSO followed in October 2025.
Meta AI is now embedded in WhatsApp with no option to fully disable or remove it. In the EU, Meta was fined €200M in April 2025 for DMA violations related to cross-platform data usage. WhatsApp Business accounts break E2E encryption entirely — messages to businesses become 'subject to the business's own privacy practices' and Meta can use that data for marketing.
Cloud backups on Google Drive and iCloud are not E2E encrypted by default; WhatsApp added passkey-based encrypted backups in October 2025, but most users have not enabled them. The FBI can obtain WhatsApp metadata in near-real-time via pen register, every 15 minutes. Meta disclosed data in response to 78% of law enforcement requests in 2024.
For journalists in the Global South where WhatsApp has 2 billion+ users and Signal penetration is low, WhatsApp is often the only practical option. But it should be treated as a compromise, never a first choice.
Communication in regions where WhatsApp is ubiquitous and sources refuse or cannot use Signal. Reaching audiences in the Global South. Better than unencrypted SMS or email.
Sensitive source communication when Signal is an option. Anything involving confidential tiplines. Communication with at-risk sources in countries with aggressive surveillance programs. The metadata exposure alone can identify source relationships.
Security & Privacy
Data is scrambled while being sent to their servers
Data is scrambled when stored on their servers
Where servers are located — affects which governments can request your data
Privacy policy summary
Messages are E2E encrypted using the Signal protocol, but Meta collects extensive metadata: contacts, usage patterns, IP addresses, device information, location, and interaction timestamps. Meta shares data across its family of companies (Facebook, Instagram, Threads). As of December 2025, Meta uses AI chat data to personalize ads across all its platforms. In the EU, DMA compliance requires Meta to seek consent for cross-platform data combination, but enforcement has been inconsistent — Meta was fined €200M in April 2025. WhatsApp Business messages break E2E guarantees entirely. No opt-out from Meta AI integration exists. US users have no mechanism to prevent data from being used for AI training.
How to protect yourself:
Enable encrypted backups immediately (Settings > Chats > Chat Backup > End-to-end Encrypted Backup — passkey option available since October 2025).
Enable disappearing messages for all sensitive conversations.
Disable cloud backup entirely if possible.
Never discuss sources or sensitive reporting on WhatsApp when Signal is available.
Verify security codes with contacts in person.
Review linked devices regularly.
Do not interact with Meta AI within WhatsApp — any AI conversation data feeds Meta's ad targeting.
Avoid WhatsApp Business accounts for source communication.
Be aware that even with E2E encryption, Meta knows who you talk to, when, and from where — and discloses that metadata to law enforcement in 78% of requests.
In high-risk environments, use a dedicated device with a separate phone number.
Strong message encryption (Signal protocol with Curve25519, AES-256, perfect forward secrecy) undermined by Meta's metadata collection, cross-platform data sharing, lack of sealed sender, whistleblower allegations of 1,500 engineers with unaudited metadata access, documented spyware targeting of journalists (Paragon Graphite, NSO Pegasus), and forced Meta AI integration. Cloud backups unencrypted by default. 89% of journalists in democratic countries use Signal instead. WhatsApp is a fallback, not a recommendation.
Who Owns This
Known issues
Paragon Graphite spyware (January 2025): ~90 journalists and activists targeted via zero-click attacks delivered through malicious PDFs. Citizen Lab confirmed Italian journalists Francesco Cancellato and Ciro Pellegrino among victims. Vulnerability patched in iOS 18.3.1 (CVE-2025-43200).
NSO Group Pegasus (2019 campaign): 1,400 users across 51 countries targeted. Court found NSO liable December 2024; Meta awarded $167.3M in damages May 2025; permanent injunction issued October 2025.
Whistleblower lawsuit (September 2025): Former security head Attaullah Baig alleged 1,500 engineers had unrestricted, unaudited access to user metadata — contacts, IP addresses, profile photos. He claims Meta ignored 100,000+ daily account takeovers and retaliated when he raised concerns.
Class action (January 2026): Lawsuit accuses Meta of misleading users about the scope of E2E encryption protections; no settlement as of April 2026.
WhatsApp blocked accounts of Palestinian journalists in Gaza during the 2021 ceasefire, raising concerns about platform-level censorship.
Meta AI embedded without consent and cannot be fully disabled.
WhatsApp Business messages exit E2E encryption — businesses can store, process, and share message content with Meta for advertising.
Pricing
Free
This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.