Texas Sues Meta and WhatsApp Over End-to-End Encryption Claims

For more than a decade, WhatsApp has built its global identity around a single, repeated promise: not even the company itself can read your messages. On Thursday, May 21, that promise became the subject of one of the most consequential consumer-protection cases ever filed against Meta. Texas Attorney General Ken Paxton sued Meta Platforms and WhatsApp LLC in a Harrison County district court, alleging the company spent years deceiving 3.3 billion users about the strength of its end-to-end encryption.

The complaint, filed under the Texas Deceptive Trade Practices Act, accuses Meta of operating an internal access pipeline that flatly contradicts what its marketing tells users. If proven, the allegations would turn one of the technology industry's most repeated privacy slogans into a textbook case of false advertising.

What the Texas complaint actually alleges

At the heart of the lawsuit is a narrow but explosive claim. According to the state, WhatsApp's public statements that only the sender and recipient can read a message are false because Meta maintains an internal system through which employees and contractors can submit requests to view the contents of user messages on demand.

The complaint refers to this mechanism as a Meta task system, a workflow that the state says effectively gives the company an ability to access plaintext messages that consumers were told did not exist. Texas argues this is not a technical edge case or a backup quirk, but a routine internal capability that users were never warned about.

Because the action is brought under the Texas Deceptive Trade Practices Act, the legal question is not whether Meta is technically capable of breaking encryption. It is whether the company's representations to Texas consumers were misleading in a material way. The state argues they plainly were.

The penalties and the relief Texas is seeking

The lawsuit seeks two main remedies. First, a permanent injunction barring Meta from accessing users' messages without their consent and from continuing to make encryption claims the state considers deceptive. Second, civil penalties of up to $10,000 per violation under the DTPA.

That number is the headline figure for a reason. With millions of WhatsApp users in Texas alone, the per-violation structure could theoretically expose Meta to liability measured in the billions. The state has not yet specified how it intends to count violations, but the framework borrows directly from prior Texas tech enforcement cases, including the $1.4 billion settlement Paxton extracted from Meta in 2024 over facial recognition data and the $1.375 billion deal with Google in 2025 over geolocation tracking.

Meta's response and the cryptography debate

Meta has flatly denied the allegations. "WhatsApp cannot access people's encrypted communications and any suggestion to the contrary is false," company spokesperson Rachel Holland said in a statement, adding that Meta will fight the suit and continue defending what she called its strong record on protecting user messages.

The cryptography community has been more cautious than either side. Johns Hopkins cryptographer Matthew Green has noted that the most plausible reading of the allegations involves areas WhatsApp already discloses lie outside its encryption guarantee, including cloud backups, business messaging, and messages users themselves report to Meta for abuse review, which are transmitted in cleartext as part of the reporting workflow.

The Electronic Frontier Foundation has long observed that WhatsApp's closed-source nature makes it difficult for outside researchers to independently confirm how the company implements its cryptography, and that competitors such as Signal collect dramatically less metadata. Telegram founder Pavel Durov, never shy about attacking a rival, called WhatsApp's encryption a fraud, though security researchers were quick to point out that Telegram's default chats are not end-to-end encrypted at all.

The whistleblowers and the closed federal probe

The Texas filing leans heavily on accounts from unnamed whistleblowers, and it does not stand alone. A federal class action filed in January 2026 in the Northern District of California made substantially similar allegations, also citing insiders describing the same internal task system.

Even more striking, the state references a federal Commerce Department investigation that was abruptly closed earlier this year. According to reporting by Bloomberg, an agency investigator wrote in an internal memo that there was no limit to the type of WhatsApp messages that could be viewed by Meta. The decision to close that probe without public findings is now itself becoming part of the political story, with privacy advocates demanding to know why the inquiry ended.

Why this case matters for the entire encryption industry

For years, encryption has occupied a strange dual role in technology marketing. It is both a deeply technical primitive and a consumer-facing brand promise, often reduced to a single line on a splash screen or in an app store listing. The Texas lawsuit attacks that intersection directly, treating phrases such as end-to-end encrypted as commercial claims subject to the same scrutiny as any other advertising statement.

If the suit advances, the implications stretch well beyond Meta. Apple, Google, Signal, Telegram, and a long list of smaller messaging services have all built marketing around encryption guarantees that depend on a precise definition of what is and is not protected. Default-off cloud backups, AI summarization features, abuse-reporting pipelines, and business messaging APIs all introduce points where plaintext can exist outside the cryptographic envelope. A win for Texas would likely force the entire industry to rewrite its privacy disclosures, with longer, more granular explanations of exactly what an encryption claim covers.

The wider encryption versus government fight

The case also lands in the middle of a long-running political tug-of-war over encrypted messaging. Law enforcement agencies in the United States and Europe have spent years pushing for backdoors or client-side scanning, arguing that strong encryption shields criminals. Tech companies and civil liberties groups have resisted, warning that any deliberate weakening of encryption endangers journalists, activists, abuse survivors, and ordinary users alike.

What makes the Texas action unusual is that it does not ask Meta to weaken its encryption. It asks the company to be honest about it. Paxton, a Republican who has aggressively used consumer-protection law to target large technology platforms, has framed the lawsuit as a matter of basic truth in advertising rather than a national-security argument. That framing may give the case unusual political durability, drawing support from both privacy advocates who want stronger guarantees and conservative voters skeptical of Big Tech.

What happens next

Harrison County is a venue with a reputation for moving quickly, and Meta will almost certainly seek to remove the case to federal court or transfer it. Discovery, if it ever opens, would be extraordinary, potentially forcing Meta to expose internal documentation about how its content access systems actually work.

For now, billions of WhatsApp users are left in an uncomfortable position. The technical questions about WhatsApp's encryption are genuinely contested, the legal questions are only beginning to be tested, and the marketing promises that defined the app for a generation are suddenly evidence in a courtroom. Whatever a Texas judge ultimately decides, the era in which a messaging service could reduce its privacy story to four words is almost certainly over.