“`html
Pavel Durov, the creator of Telegram, has accused WhatsApp of executing what he brands “the largest consumer deception in history,” claiming that the platform’s extensively advertised end-to-end encryption (E2EE) assertions are fundamentally deceptive, allowing the private messages of billions of individuals to be vulnerable on unencrypted cloud servers.
In a statement shared on April 9, 2026, Durov noted that nearly 95% of private communications sent via WhatsApp are ultimately held as plain-text backups on Apple iCloud and Google Drive servers, completely disregarding WhatsApp’s E2EE framework.
The assertion revolves around a structural oversight that security experts and digital rights groups have pointed out for years: although messages in transit between users are encrypted end-to-end, cloud backups of those messages are not encrypted by default.
WhatsApp does provide an opt-in encrypted backup option, but it necessitates users to manually activate it within app settings and establish either a robust password or a 64-digit encryption key. Durov states that the large majority of users fail to engage this feature, with even fewer employing sufficiently strong passwords to safeguard their backups.
Pavel Durov Labels WhatsApp Encryption Claim a Fraud
Technically speaking, the issue stems from the way WhatsApp’s E2EE framework concludes at the device level. When a user activates cloud backup, which is enabled by default, the decrypted message history is transferred to Google Drive or Apple iCloud, where it remains unprotected by end-to-end encryption unless the user has specifically set up the E2EE backup option.
As noted by Wire’s security blog, “If you back up your WhatsApp messages to Google Drive or iCloud, those backups are not safeguarded by WhatsApp’s end-to-end encryption unless you explicitly enable encrypted backups, which is off by default.”
This implies that Apple, Google, and by extension, law enforcement agencies or malicious entities with access to those platforms, can potentially access those backups.
Durov further emphasized an additional privacy flaw: even if a user activates encrypted backups, their chat partners, who may not have opted for the same, generate their own unencrypted cloud copies of the identical conversation. This makes individual E2EE backup adoption largely ineffective on a large scale.
The accusations are not solely Durov’s. A U.S. class-action lawsuit has been initiated against Meta, alleging that WhatsApp possesses a backdoor that permits Meta employees and third-party entities access to users’ private messages, directly countering WhatsApp’s public privacy promises.
Meta has rejected these claims as “false and ridiculous,” but has not provided a substantive technical rebuttal addressing the backup architecture vulnerability.
The Electronic Frontier Foundation (EFF) has long cautioned that “unencrypted backups are susceptible to governmental requests, third-party hacks, and disclosures by Apple or Google personnel,” and has consistently advised users against backing up secure messaging conversations to the cloud.
Security experts propose the following immediate actions for WhatsApp users who are concerned about their privacy:
- Activate E2EE backups in WhatsApp Settings → Chats → Chat Backup → End-to-end Encrypted Backup
- Utilize a robust, unique password — not a PIN or biometric shortcut
- Review contact backup practices, as conversations remain exposed if recipients have not enabled the same protection
- Consider Signal for highly sensitive communications, as it does not allow cloud backup of message history by design
Durov asserts that Telegram “has never disclosed a single byte of users’ messages in its 12+ year existence,” positioning it as a privacy-focused alternative. However, security analysts point out that Telegram’s regular chats are not end-to-end encrypted by default either; only its “Secret Chats” feature employs E2EE, rendering it an imperfect example in its own right.
“`