Pavel Durov, the founder of Telegram, has publicly criticized WhatsApp, accusing the platform of misleading users about its end-to-end encryption (E2EE) practices. According to Durov, the messaging giant’s claims could amount to “the biggest consumer fraud in history,” as a significant portion of user data may not be as secure as widely believed.
In a statement shared on April 9, 2026, Durov argued that nearly 95% of private messages sent through WhatsApp are ultimately stored as unencrypted backups on cloud platforms such as Apple iCloud and Google Drive. As a result, these messages fall outside the protection of WhatsApp’s core E2EE framework.
At the center of this controversy is a long-standing technical concern. While WhatsApp encrypts messages during transmission between users, cloud backups are not protected by default. Consequently, when users enable backup features which are often turned on automatically their decrypted chat histories are uploaded to external servers without full encryption unless additional settings are configured.
Although WhatsApp provides an optional encrypted backup feature, users must manually activate it and secure it with either a strong password or a 64-digit encryption key. However, Durov claims that most users do not enable this feature, and even fewer implement strong security measures. Therefore, a large volume of sensitive communication remains potentially exposed.
From a technical perspective, the issue arises because WhatsApp’s encryption architecture ends at the device level. Once messages are backed up to cloud services, they are no longer protected by the same end-to-end encryption unless explicitly secured. As security experts have noted, this creates a vulnerability where third parties including service providers or entities with access could potentially view stored data.
Moreover, Durov highlighted an additional privacy challenge. Even if one user enables encrypted backups, their contacts may not. As a result, identical conversations could still exist in unencrypted form on another user’s cloud storage, limiting the overall effectiveness of individual security measures.
The concerns extend beyond Durov’s claims. A class-action lawsuit filed in the United States alleges that Meta, WhatsApp’s parent company, may have implemented backdoor access to user messages. While Meta has dismissed these allegations as “false and absurd,” it has not provided a detailed technical clarification addressing the backup-related concerns.
Meanwhile, organizations such as the Electronic Frontier Foundation have consistently warned about the risks associated with unencrypted cloud backups. They emphasize that such data can be vulnerable to government requests, cyberattacks, or unauthorized access by insiders at cloud service providers.
In light of these developments, security professionals are urging users to take proactive steps. For example, enabling encrypted backups within WhatsApp settings, using strong and unique passwords, and reviewing contact backup behaviors can significantly improve privacy. Additionally, some experts recommend using alternatives like Signal for highly sensitive communications, as it avoids cloud backups altogether.
Finally, Durov positioned Telegram as a more privacy-focused alternative, claiming it has never disclosed user messages in over a decade. However, experts point out that Telegram’s standard chats are not end-to-end encrypted by default, as only its “Secret Chats” feature offers full E2EE. Therefore, while the debate continues, it highlights the broader need for transparency and user awareness in messaging platform security.
Recommended Cyber Technology News:
- Signature Healthcare Cyberattack Diverts Ambulances
- Apache ActiveMQ RCE Bug Found After 13 Years Risk
- Anthropic Leak Fuels GitHub Malware Distribution Campaign
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
