{"id":12063,"date":"2026-04-13T10:03:35","date_gmt":"2026-04-13T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/13\/whatsapps-end-to-end-encryption-by-default-claim-called-major-consumer-fraud-by-pavel-durov\/"},"modified":"2026-04-13T10:03:35","modified_gmt":"2026-04-13T10:03:35","slug":"whatsapps-end-to-end-encryption-by-default-claim-called-major-consumer-fraud-by-pavel-durov","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/13\/whatsapps-end-to-end-encryption-by-default-claim-called-major-consumer-fraud-by-pavel-durov\/","title":{"rendered":"WhatsApp\u2019s \u2018End-to-End Encryption by Default\u2019 Claim Called Major Consumer Fraud by Pavel Durov"},"content":{"rendered":"<p>    WhatsApp\u2019s \u2018End-to-End Encryption by Default\u2019 Claim Called Major Consumer Fraud by Pavel Durov<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Telegram founder Pavel Durov has accused WhatsApp of perpetrating what he calls \u201cthe biggest consumer fraud in history,\u201d alleging that the platform\u2019s widely marketed end-to-end encryption (E2EE) claims are fundamentally misleading, leaving the private messages of billions of users exposed on unencrypted cloud servers.<\/p>\n<p>In a post published on April 9, 2026, Durov asserted that approximately 95% of private messages sent on WhatsApp are ultimately stored as plain-text backups on Apple iCloud and Google Drive servers, completely outside the scope of <a href=\"https:\/\/cybersecuritynews.com\/whatsapp-denies-lawsuit-claim\/\" target=\"_blank\" rel=\"noreferrer noopener\">WhatsApp\u2019s E2EE infrastructure<\/a>.<\/p>\n<p>The claim centers on a structural loophole that security researchers and digital rights organizations have flagged for years: while messages in transit between users are encrypted end-to-end, cloud backups of those messages are not encrypted by default.<\/p>\n<p>WhatsApp does offer an opt-in encrypted backup feature, but it requires users to manually enable it within app settings and set either a strong password or a 64-digit encryption key. According to Durov, the vast majority of users never activate this feature, and even fewer use sufficiently strong passwords to protect their backups.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">WhatsApp\u2019s \u201cE2E encryption by default\u201d claim is a giant consumer fraud: ~95% of private messages on WhatsApp end up in plain-text backups on Apple\/Google servers \u2014 not E2E-encrypted. Backup encryption is optional, and few people enable it \u2014 let alone use strong passwords.<\/p>\n<p>\u2014 Pavel Durov (@durov) <a href=\"https:\/\/twitter.com\/durov\/status\/2043338467355013211?ref_src=twsrc%5Etfw\">April 12, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"why-the-backup-gap-is-a-critical-security-risk\"><strong>Pavel Durov Calls WhatsApp Encryption Claim Fraud<\/strong><\/h2>\n<p>From a technical standpoint, the problem lies in how WhatsApp\u2019s E2EE architecture terminates at the device level. When a user enables cloud backup, which is turned on by default, the decrypted message history is exported to <a href=\"https:\/\/cybersecuritynews.com\/new-sophisticated-attack-exploits-google-app-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google Drive or Apple iCloud<\/a>, where it is stored without end-to-end encryption unless the user has explicitly configured the E2EE backup option.<\/p>\n<p>As Wire\u2019s security blog notes, \u201cIf you back up your WhatsApp messages to Google Drive or iCloud, those backups are not protected by WhatsApp\u2019s end-to-end encryption unless you explicitly enable encrypted backups, which is off by default.\u201d<\/p>\n<p>This means Apple, Google, and by extension, law enforcement agencies or malicious actors with access to those platforms, can potentially read those backups.<\/p>\n<p>Durov further highlighted a compounding privacy failure: even if a user personally enables encrypted backups, their conversation partners, who may not have done the same, create their own unencrypted cloud copies of the same conversation. This renders individual E2EE backup adoption largely ineffective at scale.<\/p>\n<p>The allegations are not solely Durov\u2019s. A U.S. class-action lawsuit has been filed against Meta, alleging that WhatsApp contains a backdoor that grants Meta employees and third-party entities access to users\u2019 private messages, directly contradicting WhatsApp\u2019s public privacy assurances.<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/whatsapp-denies-lawsuit-claim\/\" target=\"_blank\" rel=\"noreferrer noopener\">Meta has dismissed these allegations as \u201cfalse and absurd,\u201d<\/a> but has not provided a detailed technical rebuttal addressing the backup architecture vulnerability.<\/p>\n<p>The Electronic Frontier Foundation (EFF) has long warned that \u201cunencrypted backups are vulnerable to government requests, third-party hacking, and disclosure by Apple or Google employees,\u201d and has consistently advised users against backing up secure messenger conversations to the cloud.<\/p>\n<p>Security professionals recommend the following immediate steps for WhatsApp users concerned about their privacy:<\/p>\n<ul class=\"wp-block-list\">\n<li>Enable E2EE backups in WhatsApp Settings \u2192 Chats \u2192 Chat Backup \u2192 End-to-end Encrypted Backup<\/li>\n<li>Use a strong, unique password \u2014 not a PIN or biometric shortcut<\/li>\n<li>Audit contact backup behavior, as conversations remain exposed if recipients have not enabled the same protection<\/li>\n<li>Consider Signal for high-sensitivity communications, as it does not support cloud backup of message history by design<\/li>\n<\/ul>\n<p>Durov claims that Telegram \u201chas never disclosed a single byte of users\u2019 messages in its 12+ year history,\u201d positioning it as the privacy-first alternative. However, security experts note that Telegram\u2019s regular chats are not end-to-end encrypted by default, either; only its \u201cSecret Chats\u201d feature uses E2EE, making it an imperfect counterexample in its own right.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/whatsapp-end-to-end-encryption-pavel-durov\/\">WhatsApp\u2019s \u2018End-to-End Encryption by Default\u2019 Claim Called Major Consumer Fraud by Pavel Durov<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/whatsapp-end-to-end-encryption-pavel-durov\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WhatsApp\u2019s \u2018End-to-End Encryption by Default\u2019 Claim Called Major Consumer Fraud by Pavel Durov Telegram founder Pavel Durov has accused WhatsApp of perpetrating what he calls \u201cthe biggest consumer fraud in history,\u201d alleging that the platform\u2019s widely marketed end-to-end encryption (E2EE) claims are fundamentally misleading, leaving the private messages of billions of users exposed on unencrypted [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-12063","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12063"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12063"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12063\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}