WhatsApp
Grade: F (Fail)
Meta Platforms · 🇺🇸 United States
Technical details
App: com.whatsapp
Manufacturer: Meta Platforms

⚠️ The bottom line

WhatsApp says no one can see your messages, but the FBI gets a list of everyone you talk to every 15 minutes. If you have iCloud backup on (most people do), they get the actual messages too. WhatsApp encrypted your messages in transit but stored them unencrypted in the cloud for five years. They fixed it, but hid the switch so deep in settings that 9 out of 10 people still have unprotected backups.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: the NSA collects stored emails, photos, and messages without individual warrants.
Geofence warrants: police can demand location data for everyone near a crime scene.
Spying: 4/4 EXTREME (Is someone spying on me?)
Data Sharing: 4/4 EXTREME (Who gets my data?)
Security: 4/4 EXTREME (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
Use Signal instead: subpoenaed twice, it could only produce two timestamps.
15 contradictions (5 critical, 9 high, 1 medium), 19 sources.
Findings by concern
Spying: 4/4 EXTREME, 4 findings
⚠️ Critical · firmware analysis vs policy claims
A missed WhatsApp call could silently install military-grade spyware on your phone without you touching anything. It happened to 1,400 people including journalists and activists in 51 countries.

What they claim: WhatsApp is a secure messaging platform that protects users from surveillance.

What we found: CVE-2019-3568 (CVSS 9.8): NSO Group Pegasus zero-click buffer overflow via missed calls. 1,400 targets in 51 countries. CVE-2025-55177 (CVSS 8.0): zero-click spyware targeting ~200 people (2025). CVE-2022-36934: video call RCE. CVE-2019-11932: GIF double-free RCE.

⚡ High · app permissions vs policy claims
WhatsApp says it collects limited information, then collects 16 categories of your data including your location, purchase history, browsing history, and every phone number in your address book.

What they claim: We collect limited information — only what's needed to operate the service.

What we found: Apple privacy label reveals 16 data categories collected: contacts, location, purchase history, financial info, email, phone number, user content, usage data, diagnostics, device ID, advertising data, search history, browsing history. Compare: Signal collects virtually nothing.

⚡ High · marketing vs third-party research
Meta says Incognito Chat is completely private — "Meta can't see" what you say. But when the AI searches the web during your conversation, those search queries leave the secure box and travel through Meta's own servers. Meta says they're anonymous. Nobody has verified that. And the moment you forget to tap the Incognito button, everything you say goes straight into Meta's model training with "few limits." Privacy as a toggle that defaults to off.

What they claim: Meta claims Incognito Chat processes conversations in a "secure environment Meta can't see" using hardware-encrypted TEEs, providing "a completely private way to chat with AI."

What we found: During an Incognito Chat session, web search queries generated by Meta AI exit the TEE and travel through Meta infrastructure to external search providers. Queries are capped at 100 characters and limited to 5 per prompt, but Meta has not independently verified that these queries are unlinked from user identity. The TEE processes text only — no images, voice, or media. Regular Meta AI conversations outside Incognito mode are processed under Meta's standard privacy policy with "few limits" on how they improve models.

⚡ High · marketing vs regulatory
Meta launched "completely private" AI chat on WhatsApp the same week it removed encryption from Instagram messages — a promise it had made seven years earlier. One hand gives privacy. The other takes it away. The EFF called it a broken promise. Malwarebytes called it confusing. The company that has paid more than $7 billion in privacy fines wants you to believe this time is different.

What they claim: Meta frames Incognito Chat as a "privacy milestone" demonstrating its commitment to user privacy across its platforms.

What we found: Meta launched Incognito Chat on 13 May 2026 — five days after quietly removing end-to-end encryption from Instagram DMs, reversing a commitment Meta had made publicly since 2019. The EFF called this "a broken promise." Malwarebytes published a piece titled "Meta's confusing new approach to chat privacy." One platform gets a privacy feature while another loses one the same week. Meta has paid over $7 billion in privacy penalties including $725M (Cambridge Analytica) and $1.4B (Texas biometric data).

Data Sharing: 4/4 EXTREME, 3 findings
⚠️ Critical · policy claims vs regulatory findings
WhatsApp says no one can see your messages, but the FBI gets a list of everyone you talk to every 15 minutes. If you have iCloud backup on (most people do), they get the actual messages too.

What they claim: WhatsApp FAQ: 'No one outside of this chat, not even WhatsApp, can read or listen to them.'

What we found: FBI 'Lawful Access' document (Jan 2021, FOIA) reveals WhatsApp provides pen register data every 15 minutes in near-real-time. With warrants: contacts + reverse contacts. If iCloud backup enabled: full message content via Apple. Meta disclosed data in 78%+ of law enforcement requests in 2024.

⚠️ Critical · policy claims vs regulatory findings
Facebook bought WhatsApp for $19 billion and promised regulators they'd never link the data. Two years later they started linking it. They were fined and kept doing it anyway, then made it mandatory.

What they claim: Facebook/WhatsApp promised the FTC and EU during the $19B acquisition (2014) that WhatsApp would operate standalone with no data linking.

What we found: Aug 2016: WhatsApp began sharing data with Facebook for ad targeting — auto-opt-in. EU confirmed data-matching capability existed in 2014 but was hidden. EU fined Facebook EUR 110M (2017). Jan 2021: mandatory data sharing or account deletion. EU/UK users received different terms.

⚡ High · policy claims vs firmware analysis
WhatsApp says it doesn't share your data for ads, but connecting your accounts (which Meta pushes you to do) lets them profile you across WhatsApp, Instagram, and Facebook.

What they claim: WhatsApp doesn't share your personal data with Facebook to target ads.

What we found: Enabling Meta's Accounts Center allows cross-platform behavioral profiling across WhatsApp, Instagram, and Facebook for advertising. India: NCLAT overturned the ban on ad-related data sharing. Business chat data can be used by Meta for marketing.

Security: 4/4 EXTREME, 7 findings
⚠️ Critical · policy claims vs firmware analysis
WhatsApp encrypted your messages in transit but stored them unencrypted in the cloud for five years. They fixed it, but hid the switch so deep in settings that 9 out of 10 people still have unprotected backups.

What they claim: End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent.

What we found: Cloud backups to Google Drive and iCloud were completely unencrypted from 2016-2021. The E2E backup fix (Oct 2021) is opt-in, buried in settings — ~90%+ of users have NOT enabled it (Wire analysis). On iPhone, iCloud Backup (default on) backs up WhatsApp separately and unencrypted.

⚠️ Critical · marketing vs third-party research
Meta hired security auditors to prove Incognito Chat was safe. The auditors found 28 problems, 8 of them serious. The worst: a Meta employee could have injected code into the "secure" environment without leaving a trace — the system's own security check happened before the config files loaded, so the tamper wouldn't show up. Another flaw let an attacker replay old security certificates forever. All fixed before launch, but the auditors' verdict was blunt: "TEEs are not a silver bullet." The gap between "Meta can't read it" and "Meta couldn't have read it" is not zero.

What they claim: Meta positions its Private Processing infrastructure as secure, with AMD SEV-SNP processors, NVIDIA H100 Confidential Compute, and Cloudflare binary transparency ensuring "not even Meta" can access conversations.

What we found: Trail of Bits' 12-engineer-week pre-launch audit found 28 issues including 8 high-severity vulnerabilities. The most critical (TOB-WAPI-13): configuration files were loaded after the cryptographic attestation measurement, meaning a malicious Meta insider could inject an environment variable like LD_PRELOAD to load arbitrary code without breaking attestation. Another finding: attestation could be replayed indefinitely without per-session nonces, allowing a compromised server to impersonate a legitimate processing node. All were patched before launch, but Trail of Bits concluded: "TEEs are not a silver bullet."
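The two audit findings above come down to two verifier-side checks: the measurement must cover the configuration the enclave actually boots with, and each attestation report must carry a fresh, single-use nonce issued by the verifier. The following is an added illustration, not Meta's or Trail of Bits' code; the report format is constructed, and an HMAC with a placeholder key stands in for the hardware's attestation signature (a real SEV-SNP report is signed by a per-chip key).

```python
import hashlib
import hmac
import json
import os

# Placeholder for the hardware attestation signing key (constructed; not a real key).
NODE_KEY = b"placeholder-attestation-signing-key"


def measure(code: bytes, config: bytes) -> str:
    """Measurement covers code AND config, so a config change such as an added
    LD_PRELOAD line produces a different value instead of escaping attestation."""
    return hashlib.sha256(code + b"\x00" + config).hexdigest()


def make_report(code: bytes, config: bytes, nonce: bytes) -> dict:
    """Processing node side: report binds the measurement to the verifier's nonce."""
    body = json.dumps({"measurement": measure(code, config), "nonce": nonce.hex()},
                      sort_keys=True)
    sig = hmac.new(NODE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class Verifier:
    """Client side: issues one nonce per session and accepts it at most once."""

    def __init__(self, expected_measurement: str):
        self.expected = expected_measurement
        self.pending = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce.hex())
        return nonce

    def verify(self, report: dict) -> tuple:
        expected_sig = hmac.new(NODE_KEY, report["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, report["sig"]):
            return False, "bad signature"
        body = json.loads(report["body"])
        if body["nonce"] not in self.pending:
            return False, "replayed or unsolicited nonce"  # old reports cannot be reused
        self.pending.discard(body["nonce"])  # single use
        if body["measurement"] != self.expected:
            return False, "measurement mismatch"  # config or code differs from what was audited
        return True, "ok"
```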

⚡ High · policy claims vs firmware analysis
WhatsApp says encryption is always on, but when you message a business, your messages are decrypted on Meta's servers. There's no warning, and Meta says they can use that data for marketing.

What they claim: End-to-end encryption is always activated for all WhatsApp conversations.

What we found: WhatsApp Business API (Cloud API) decrypts messages during processing — Meta servers see plaintext. 200M+ businesses use WhatsApp Business, 175M+ messages daily. In Jan 2024, 650,000 sensitive messages exposed through a single API bug.

⚡ High · policy claims vs app permissions
Your phone number is your WhatsApp identity, visible to everyone you chat with. It links your messaging to your real name, bank account, and government records.

What they claim: Phone numbers provide security and reduce spam.

What we found: Phone number required and permanently visible in all chats. Links identity to real name via SIM registration laws. Contact discovery loophole exploited by Vienna researchers to harvest metadata on 3.5B account identifiers (2025).

⚡ High · app permissions vs firmware analysis
WhatsApp's encryption protects your messages in transit. It does not protect your phone. In January 2025, WhatsApp notified 90 people across 24 countries that Paragon Solutions' spyware had targeted their devices through a zero-click exploit — no tap required. Targets included journalists and civil society members. In 2019, NSO Group's Pegasus infected 1,400 WhatsApp users including associates of murdered Washington Post columnist Jamal Khashoggi. WhatsApp sued NSO. The encryption works as advertised — but if spyware is on your phone reading the screen, encryption is irrelevant. The lock on the door is solid. The window is wide open.

What they claim: WhatsApp says end-to-end encryption means only you and the person you're communicating with can read messages.

What we found: In January 2025, WhatsApp notified approximately 90 users across 24 countries that their phones had been targeted by Paragon Solutions' spyware through a zero-click exploit — no interaction required. Targets included journalists and civil society members. In 2019, NSO Group's Pegasus spyware exploited a WhatsApp vulnerability to infect 1,400 devices, including journalists, diplomats, and associates of murdered Washington Post columnist Jamal Khashoggi. WhatsApp sued NSO Group. The encryption protects messages in transit — it doesn't protect the phone itself.

⚡ High · marketing vs third-party research
WhatsApp's selling point is encryption. Meta put an AI chatbot inside it that you can't remove. The AI button sits right in your chat list. Meta says AI conversations are separate from encrypted ones. But the AI is inside the encrypted app, and you cannot tell it to leave. The privacy messenger now has an AI resident you didn't invite and can't evict.

What they claim: WhatsApp promotes end-to-end encryption as its core privacy feature

What we found: Meta embedded Meta AI directly into WhatsApp with no option to remove it. The AI button appeared in the search bar and chat interface. While Meta stated AI conversations are separate from encrypted chats, the integration means Meta's AI can be invoked within encrypted conversations — creating ambiguity about what data reaches Meta's servers. Users cannot uninstall Meta AI from WhatsApp without uninstalling WhatsApp itself.

⚡ High · marketing vs third-party research
WhatsApp promises end-to-end encryption — only you and your contact can read messages. But in May 2026, researchers found WhatsApp stores your chats in plain text on your Mac and iPhone, in a shared folder that Facebook and Instagram can also access. Your "encrypted" messages are sitting unprotected on your own device, readable by Meta's other apps. The encryption protects messages in transit, then dumps them unencrypted at the destination.

What they claim: WhatsApp markets end-to-end encryption as its core privacy feature, stating "only you and the person you're communicating with can read what's sent."

What we found: In May 2026, security researchers at Mysk discovered WhatsApp stores chat databases in unencrypted plaintext within shared app group containers on macOS and iOS. These containers are shared across Meta apps (Facebook, Instagram, WhatsApp), meaning other Meta apps could theoretically access WhatsApp messages without user consent. Combined with macOS CVE-2026-28910 (App Sandbox bypass), the locally stored data is exposed.

Honesty: 4/4 EXTREME, 1 finding
⚫ Medium · policy claims vs regulatory findings
Your WhatsApp privacy depends on where you live. European users get strong protections. Indian users got a court ruling allowing Meta to use their data for ads.

What they claim: WhatsApp provides consistent privacy protections globally.

What we found: EU users get GDPR/DMA protections (EUR 200M fine Apr 2025). India: NCLAT overturned data sharing ban. South Africa: missing protections vs EU/UK policy. Same app, different privacy tiers.

Latest Risks & Threats
New developments that compound existing privacy concerns. 1 active threat · 1 emerging risk.
RISK · AI expansion · announced 2026-05-26: AI-first push expands data processing inside encrypted messenger
Meta's AI-first transformation extends into WhatsApp. AI-powered business interactions, AI-generated replies, and Meta AI assistant embedded directly in chats. While messages remain E2E encrypted in transit, AI features process message content on-device or via Meta servers — creating new data access points inside what users believe is a private messenger.
THREAT · AI · launched 2024-04-18: Meta AI forced into WhatsApp
Meta embedded its AI chatbot into WhatsApp, Instagram, and Messenger with no way to remove it. The blue circle sits in your search bar permanently. In WhatsApp — the app 2 billion people chose specifically for encrypted messaging — Meta now has an AI that reads your prompts and processes them on Meta servers. You cannot disable it. You cannot hide it. The company fined $1.3 billion by the EU for data transfers now has an AI reading conversations inside your "encrypted" messenger.
What happened to real people
Documented incidents involving Meta Platforms products and user data.
Cambridge Analytica harvested 87M Facebook users' data without consent for political ad targeting in the 2016 US election and Brexit referendum. $5B FTC fine.
FISA content requests to Meta increased 2,171% since 2014. Meta complied with 88% of 60,000+ government data requests. PRISM participant since 2009.
What your data is worth to governments
Meta complied with 60,000 government data requests in H2 2023. That's +675% over 10 years. Meta has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).