Texas Attorney General Ken Paxton has filed a lawsuit against Meta and WhatsApp, accusing the companies of misleading users about the privacy and security of WhatsApp’s end-to-end encryption system.
The lawsuit, filed in Harrison County court, alleges that WhatsApp falsely markets its messaging platform as fully private while Meta allegedly retains access to large amounts of user communications and metadata. Texas claims the companies violated the Texas Deceptive Trade Practices Act by misleading consumers about how protected their conversations actually are.
According to the complaint, WhatsApp repeatedly assured users that “not even WhatsApp” could read private conversations due to end-to-end encryption protections. However, Texas argues Meta employees and contractors were still able to review certain user messages under some circumstances, contradicting the platform’s public privacy claims.
Attorney General Ken Paxton accused Meta of creating a false sense of security for millions of users who relied on WhatsApp for private communication. The lawsuit seeks financial penalties and a court order preventing Meta and WhatsApp from accessing Texans’ communications without explicit consent.
The legal action also references media reports about a federal investigation into WhatsApp’s encryption claims, along with allegations raised in a whistleblower complaint submitted to the U.S. Securities and Exchange Commission. Texas claims those reports suggest Meta may have retained broader access to communications than publicly acknowledged.
Meta strongly denied the allegations. Company spokesperson Andy Stone said claims that WhatsApp can access users’ encrypted communications are false and insisted the platform’s encryption remains secure. Meta stated it plans to challenge the lawsuit in court.
WhatsApp uses the Signal Protocol for end-to-end encryption, a system widely regarded by security researchers as one of the strongest consumer messaging encryption standards currently available. Under normal implementation, messages are encrypted on the sender’s device and decrypted only on the recipient’s device.
However, privacy advocates have long noted that encrypted messaging platforms can still collect significant amounts of metadata, including contact information, device identifiers, timestamps, IP addresses, and usage activity. Critics argue that while message contents may remain encrypted, surrounding user data can still provide detailed behavioral insights.
The lawsuit marks another major privacy-related legal battle between Texas and Meta. In 2024, Meta agreed to pay Texas $1.4 billion to settle claims involving unauthorized biometric data collection through facial recognition technology.