There have been too many posts lately claiming WhatsApp's encryption is fake and Telegram is the safe alternative. The most recent wave followed Telegram's CEO calling WhatsApp “a giant fraud.” Here is the part nobody mentions in those posts: Telegram does not use end-to-end encryption by default.

The irony of Telegram's CEO attacking WhatsApp on encryption
You have to opt into “Secret Chats” on Telegram to get E2EE. Regular chats use client-server encryption, meaning Telegram's servers can read them. Group chats cannot be E2EE at all, regardless of settings. That is not a detail buried in the fine print. Telegram's own FAQ states it plainly. The CEO accusing WhatsApp of weak privacy runs a platform with weaker default privacy. That contrast is worth keeping in mind every time this debate surfaces.
That said, most people do not actually understand what WhatsApp claims, and the gap between what it claims and what people assume does matter.
What WhatsApp claims versus what people assume
What WhatsApp claims: messages are encrypted between sender and receiver in transit. Meta cannot read them on the way through.
What people assume: no one, anywhere, can ever read them.
Those are different claims. The first one is about transport security. The second one is about absolute confidentiality across every system that touches your messages, including your own phone's backup.
The protocol itself is not snake oil
WhatsApp uses the Signal Protocol, the same one Signal uses. The protocol library is open source. According to WhatsApp's own security whitepaper, it forms the foundation for all message encryption.
In 2016, researchers from the University of Oxford and McMaster University formally analysed the protocol. They published “A Formal Security Analysis of the Signal Messaging Protocol” and found no major flaws; Oxford's own announcement summarises the key results. The paper was later published in the Journal of Cryptology. Matthew Green at Johns Hopkins reviewed the debate in detail in 2026 and reached the same conclusion. The cryptography is solid.
The real trust gap
Those audits cover the protocol. WhatsApp's actual client code is closed source, so you have to trust that Meta's implementation matches the spec and that no future update silently changes that. That is a fair criticism. It is not the same as “the encryption is fake.” The distinction matters because one of those statements is accurate and the other is not.
That gap is now the subject of active litigation. The Texas Attorney General recently filed suit against Meta and WhatsApp, alleging the company operates an internal task system that can surface private message content on employee request, directly contradicting the E2EE claim. A federal class action making the same core allegations was filed in January 2026. Meta denies both. Neither case has been proven. But they illustrate exactly why the closed-source problem matters: when the client is opaque, verification depends on courts, not code.
Your chat backup is probably sitting in plain text
This is the biggest practical gap, and almost nobody talks about it. When you back up WhatsApp to Google Drive or iCloud, that backup sits in plain text on Google's or Apple's servers by default. E2EE protects messages moving through Meta's pipes. It does not protect the copy sitting in your cloud account.
Anyone with access to that cloud account, or a subpoena to Apple or Google, can read your entire chat history. WhatsApp does offer encrypted backups. Meta announced them as an opt-in feature, and they remain opt-in. You have to turn it on.
How to fix it: Settings → Chats → Chat backup → End-to-end encrypted backup. Set a password or save the 64-digit key somewhere safe. Lose it and the backup is unrecoverable. That is the point. WhatsApp's own guide walks through it.
A few other settings worth ten minutes
Two-step verification
Settings → Account → Two-step verification. Sets a PIN required to re-register your number on a new device. This is the main defence against SIM-swap attacks. Add an email on the same screen. Without it, if you forget the PIN you are locked out for seven days.
Passkeys
Settings → Account → Passkeys. Replaces SMS verification with Face ID or fingerprint on login. Phishing-resistant by design because the authentication is bound to the specific domain it was registered on. Just turn it on.
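The domain binding described above, as an added example that is not part of the original post or WhatsApp's code: the binding checks a WebAuthn relying party runs on a passkey login response. The relying-party ID `chat.example`, the lookalike origin and the challenge are constructed values, and signature verification over these same bytes is assumed to happen separately.

```python
import base64
import hashlib
import json

# Assumed relying-party values for illustration (not WhatsApp's real configuration).
RP_ID = "chat.example"
EXPECTED_ORIGIN = "https://chat.example"
CHALLENGE = b"constructed-challenge-0001"  # constructed; a real server issues a random one per login
FLAG_USER_PRESENT = 0x01


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_assertion(origin: str, rp_id: str, challenge: bytes):
    """Build sample clientDataJSON (written by the browser) and authenticatorData."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData layout: SHA-256(rpId) | flags (1 byte) | signature counter (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_USER_PRESENT]) + (1).to_bytes(4, "big")
    return client_data, auth_data


def check_binding(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of the binding checks that failed; an empty list means all passed."""
    failures = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(challenge):
        failures.append("challenge")       # stale or replayed response
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")          # the browser recorded a different site
    if len(auth_data) < 37:
        return failures + ["authenticator_data_length"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rp_id_hash")      # credential is scoped to another domain
    if not auth_data[32] & FLAG_USER_PRESENT:
        failures.append("user_present")
    return failures


genuine = build_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
# Normally the authenticator finds no credential for a lookalike rpId at all;
# if a response were produced there and relayed, it still fails the checks below.
phished = build_assertion("https://chat-example.login.test", "chat-example.login.test", CHALLENGE)
print(check_binding(*genuine, CHALLENGE), check_binding(*phished, CHALLENGE))
```

The origin is recorded by the browser and the rpId hash by the authenticator, so neither depends on the user noticing the wrong address.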
Silence unknown callers
Settings → Privacy → Calls. Routes calls from numbers not in your contacts straight to your call log without ringing. The call is still logged so you can check it later.
Advanced privacy settings
Settings → Privacy → Advanced. Three worth enabling:
- Block unknown account messages. Filters out high-volume spam senders.
- Protect IP address in calls. Stops the person you are calling from seeing your IP by relaying calls through WhatsApp's servers.
- Disable link previews. When you paste a link, your phone fetches the preview from that site, exposing your IP to its server. This toggle stops that. Note it only affects links you send, not links you receive.
The bottom line
WhatsApp is not Signal. The closed-source client requires trust in Meta that Signal does not require. That is a real and legitimate concern. But “WhatsApp encryption is fake” is not what it means, and the CEO of a platform with weaker default privacy is a poor messenger for that argument.
If you are going to use WhatsApp, at least close the doors that ship wide open. The backup and the two-step verification take five minutes combined and they actually matter.