Literally owned by Facebook. No, WhatsApp is not safe.
WhatsApp is not open-source, you can’t compile the client yourself. It doesn’t matter if it’s been audited by a third party. That version could’ve easily been backdoor-free.
You have to be stupid to think WhatsApp, a Facebook company, doesn’t have access to your messages.
They ran a bunch of full-page ads this summer. All it said was “no one can see your messages but you.” I immediately decided that was not true, otherwise why advertise it?
Half of messengers advertise privacy
Yeah, I don’t know who thought that was a good idea to advertise. It’d be like Betty Crocker cake boxes suddenly saying “Uranium Free!”.
Like, yes, I wouldn’t expect food to usually have added uranium to it, so why are you saying it?
I get people may enjoy the technical aspects of WhatsApp’s privacy. It’s a Meta app and therefore is not safe, which should be basic critical thinking.
I hate when people say this, then move to Telegram and have all chats unencrypted
Nothing suggests that WhatsApp’s encryption protocol has been broken or that Meta can read the contents of your conversations.
Nothing prevents them from reading the messages prior to encryption or after decryption.
https://faq.whatsapp.com/414631957536067/
Either the report function doesn’t work like they say, or messages are stored decrypted, or they can decrypt messages at will based on a simple request from another user
Edit: fixed
When you report a user in an individual chat, WhatsApp receives up to five of the last messages they’ve sent to you.
This particular function is not at odds with E2EE. The client can either:
- Send decrypted messages to the server. This is flawed because a malicious client can fake them, setting someone up for a ban;
- Send the keys so that the server can decrypt the messages. Depending on how often keys are rotated, this might leak a couple more messages than intended.
You’re right, the messages would not be decrypted by the server but by the client making the report. Key rotation also shouldn’t be an issue because it uses a ratcheting chain key. But if the non-malicious client is already set up to send decrypted messages to the server, this seems antithetical to the idea that WhatsApp can’t read your conversations. There are clear caveats without even introducing the idea of a malicious client potentially exfiltrating decrypted messages elsewhere. Signal, on the other hand, receives the reported sender’s phone number and an encrypted message ID, presumably acting on spam reports by relying on multiple reports of the same message from the same sender, rather than by reading the message.
hhttps://
I think I have to decrypt this URL before I can open it
/edit: I did it! I was able to decrypt it!
Well not nothing. Android apps are quite easy to reverse engineer so there would be a high risk of them getting caught which would be quite damaging for WhatsApp’s brand.
I wouldn’t say it’s a lot, but it isn’t nothing.
There is certainly nothing technical stopping them from doing it, but that’s true of Signal too.
Well not nothing. Android apps are quite easy to reverse engineer so there would be a high risk of them getting caught which would be quite damaging for WhatsApp’s brand.
None of their users would care. But also good luck finding a news site that cares to write about it and has some reach.
There is certainly nothing technical stopping them from doing it, but that’s true of Signal too.
Isn’t Signal built reproducibly, without obfuscation?
Not currently, but in theory that is better, true.
I was thinking about Signal, and a fun fact is that if we invite all our friends and families to Signal, then practically “none” of its users would care about such an incident either
Almost everyone I know has left WhatsApp for Telegram anyway.
Telegram may not be perfect but it’s still better, wish people stopped being addicted to WhatsApp and Instagram here…
Telegram is unencrypted by default, it is by definition less secure than WA. TL;DR: Signal or SimpleX is better.
Telegram has an open source client, so from my perspective it is the better option. But what convinced the people around me was the amazing emoji support that Telegram has.
If you’re interested in relatively safe alternatives, have a look at Signal
This does feel like a random lash out after this story, the reports of the CEO earlier this year and the reports that they were going to move out of Switzerland.
Let’s just randomly punch down at something the vast majority of our users wouldn’t trust already?
I’d understand writing something like this if they were about to launch their own messenger product. But even then, this article doesn’t offer anything new.
Proton’s official account said the company was “alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service,”
Proton’s CEO later announced that the accounts were reinstated, following another post by the company that said the company does “stand with journalists,” but that it “cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.”
Sounds reasonable to me? It’s not a good look but it sounds like they quickly re-instated the closed accounts. The article title is misleading.
The only reason they reinstated the accounts was because people blew them up on social media. If the appeals process failed them, it will definitely fail the average joe who doesn’t have the same level of influence online.
I’ve been a paying Proton user for years, and had already been looking for the exit, but this is the straw that broke the camel’s back. Using Nym for my VPN now, looking to migrate my other services soon.
Both being unsafe seems the most probable state of things.
Still, something unsafe can still be safer than every other option ¯\_(ツ)_/¯
Why choose if there are other solutions (like Tuta) that use open standards
Tuta also locks you down with their lack of IMAP support. You can only use their client. At least Proton has a bridge and allows you to use your own GPG key.
I thought Proton was the only one with a lack of IMAP, thanks for the info
Proton does PGP for you. There are countless standards-compliant mail services where you could use your own email client and do your own PGP. Thunderbird is probably the easiest, but it’s a trade-off.
What open standards (that are not used by Proton too)? If anything, Proton uses GPG while Tuta uses a custom system (which is why they also encrypt the subject).
That doesn’t make WhatsApp safe. Proton having its own issues does not invalidate what they’re sharing about WhatsApp concerns.
I agree, they’re both questionable, the absurd thing is that nobody is talking about the safer alternatives
Even their CEO did not practice safe sex when he sucked the dick of Trump without a condom.
Attaullah Baig, who ran WhatsApp’s security team between 2021 and 2025, says the app isn’t nearly as private as Meta claims. In his lawsuit, he alleges that roughly 1,500 employees have access to sensitive user information, including location, profile photos, group memberships, and contact lists.
Also unaddressed account takeovers.
Group memberships and contact lists are golden data for both Meta and snoopy governments.
I’m not a fan of them, but I don’t think you could point to any email provider that can’t or won’t provide IP addresses and recovery emails to law enforcement when compelled. You can use Proton without a recovery email and over Tor, which is more than most allow as well.
I only mentioned their history and did not call for a boycott. I also use Proton myself, but it annoys me that they present themselves as better than they are… They are just one of the few less bad providers.
Very true.