Former WhatsApp security boss in lawsuit likens Meta’s culture to a “cult”

Meta allegedly prioritized user growth over security, the lawsuit says.


Over the past year, Meta has blanketed TV screens around the world with commercials touting the privacy of WhatsApp, its encrypted messenger with a monthly user base of 3 billion people.
“It’s private,” one ad campaign featuring the former cast of the Modern Family TV show says. “On WhatsApp, no one can see or hear your personal messages … not even us,” a different series of ads declares.
“Serious risks to user data”
On Monday, the former head of security for the Meta-owned messaging app filed a federal whistleblower lawsuit that tells a far different story. The suit, filed in US District Court for the Northern District of California, recites a litany of purported security and privacy flaws that Meta not only failed to fix after becoming aware of them, but also kept secret, allegedly in violation of a $5 billion settlement then-WhatsApp parent company Facebook reached with the Federal Trade Commission in 2019. The complaint was filed by Attaullah Baig, who became head of WhatsApp security in 2021.
Meta has denied the accusations.
Shortly after assuming that role, the lawsuit said, Baig “discovered systemic cybersecurity failures that posed serious risks to user data.” During a red-team exercise designed to find and exploit security vulnerabilities so they can be fixed, Baig said he found that roughly 1,500 engineers inside the messenger division had “unrestricted access to user data, including personal information covered by the FTC Privacy Order, and could move or steal such data without detection or audit trail.”
Starting in September 2021, Baig notified superiors responsible for WhatsApp that unrestricted access to so many employees likely violated the 2019 order. Among other things, he drafted a document directing the WhatsApp privacy infrastructure team to implement a data classification and handling system that would comply with the order to shore up the security of stored user data by tightening employee access to it.
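The two gaps the complaint describes in the preceding paragraphs are unrestricted engineer access to covered data and the absence of an audit trail for that access. The block below is an added illustration of the kind of control Baig's document called for: reads of stored user fields are gated by a data classification and a per-role policy, and every attempt, allowed or denied, is written to a hash-chained audit log that fails verification if an entry is later edited or removed. This is example code, not WhatsApp or Meta code; the field classes, roles and sample records are constructed.

```python
# Added illustration: classification-gated reads with a tamper-evident audit trail.
# Not WhatsApp or Meta code; the field classes, roles and records are constructed.
import hashlib
import json
import time
from dataclasses import dataclass, field

# Assumed data classification: which stored fields count as "covered"
# personal information versus low-sensitivity operational data.
FIELD_CLASS = {
    "phone_number": "covered",
    "profile_name": "covered",
    "profile_photo": "covered",
    "app_version": "internal",
    "crash_count": "internal",
}

# Assumed role policy: the classes each role may read. Engineers get
# operational data only; a support role can also see covered fields.
ROLE_ALLOWED = {
    "engineer": {"internal"},
    "support_agent": {"internal", "covered"},
}

GENESIS = "0" * 64


class AccessDenied(Exception):
    pass


@dataclass
class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so editing or deleting a record breaks the chain on verification."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"record": record, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def read_user_fields(store, actor, role, user_id, fields, purpose, log):
    """Return the requested fields for user_id if the actor's role may read
    every one of them; every attempt, allowed or not, is audited first."""
    allowed = ROLE_ALLOWED.get(role, set())
    # Unknown fields are treated as covered so a newly added column fails closed.
    denied = [f for f in fields if FIELD_CLASS.get(f, "covered") not in allowed]
    log.append({
        "ts": time.time(),
        "actor": actor,
        "role": role,
        "user": user_id,
        "fields": list(fields),
        "purpose": purpose,
        "outcome": "denied" if denied else "allowed",
    })
    if denied:
        raise AccessDenied(f"{actor} ({role}) may not read {denied} for {user_id}")
    return {f: store[user_id][f] for f in fields}


if __name__ == "__main__":
    # Constructed sample store with one user record.
    store = {"u1": {"phone_number": "+15555550100", "profile_name": "Ana",
                    "app_version": "2.24.1", "crash_count": 3}}
    log = AuditLog()
    print(read_user_fields(store, "eng-42", "engineer", "u1", ["app_version"], "crash triage", log))
    try:
        read_user_fields(store, "eng-42", "engineer", "u1", ["phone_number"], "crash triage", log)
    except AccessDenied as err:
        print("denied:", err)
    print("audit chain intact:", log.verify())
```

The audit entry is written before the authorization decision is enforced, so a denied attempt leaves the same trace as a successful one; that is what makes bulk exfiltration attempts visible. The chain only detects tampering after the fact, so in practice the log would also be shipped to storage the application role cannot write to.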
“This represented the first concrete step toward addressing WhatsApp’s fundamental data governance failures,” the complaint stated. “Mr. Baig understood that Meta’s culture is like that of a cult where one cannot question any of the past work especially when it was approved by someone at a higher level than the individual who is raising the concern.” In the following years, Baig continued to press increasingly senior leaders to take action.
Last year, Baig allegedly sent a “detailed letter” to Meta CEO Mark Zuckerberg and Meta general counsel Jennifer Newstead, notifying them of what he said were violations of the FTC settlement and of Securities and Exchange Commission rules mandating the reporting of security vulnerabilities. The letter further alleged that Meta leaders were retaliating against him and that the central Meta security team had “falsified security reports to cover up decisions not to remediate data exfiltration risks.”
The letter outlined not only the improper access engineers had to WhatsApp user data, but a variety of other shortcomings, including a “failure to inventory user data,” as required under privacy laws in California and the European Union and under the FTC settlement; a failure to identify where user data was stored; an absence of systems for monitoring access to user data; and a lack of the breach-detection capabilities that are standard at other companies.
The lawsuit, which alleges violations of the whistleblower protection provision of the Sarbanes-Oxley Act of 2002, said that in 2022 roughly 100,000 WhatsApp users had their accounts hacked every day. By last year, the complaint alleged, as many as 400,000 WhatsApp users were being locked out of their accounts each day as a result of such account takeovers.
Baig also allegedly notified superiors that data scraping on the platform was a problem because WhatsApp failed to implement protections that are standard on other messaging platforms, such as Signal and Apple’s iMessage. As a result, the former WhatsApp security head estimated, the pictures and names of some 400 million user profiles were improperly copied every day, often for use in account impersonation scams. The complaint stated:
In particular, Mr. Baig recommended limiting users from accessing other users’ profiles unless the other user has them in their contacts, has messaged them before, or is in the same group chat with them. Mr. Baig mentioned that WhatsApp is currently leaking Covered Information on millions, if not billions, of users daily and WhatsApp is severely underreporting scraping Covered Incidents to the FTC and other regulators. Mr. Baig also cited the strong protections that iMessage and Signal offer against profile scraping compared to WhatsApp.
Meta leaders allegedly rebuffed the recommendation on the grounds that it would hamper WhatsApp user growth.
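The recommendation quoted from the complaint is a relationship-based visibility rule, and the scraping it targets shows up as one requester looking up far more distinct profiles than any real user would. The block below is an added example of both halves: a `may_view_profile` check that allows a lookup only when the target has the viewer saved as a contact, the two have exchanged a message, or they share a group, and a sliding-window `ScrapeDetector` that counts distinct targets per requester, denied requests included, since an enumerator that is refused every time is still the signal. This is illustrative code, not WhatsApp’s; the relationship graph, thresholds and sample traffic are constructed.

```python
# Added illustration of the visibility rule the complaint describes, with a
# sliding-window detector for bulk profile lookups. Not WhatsApp code; the
# relationship graph, thresholds and sample traffic are constructed.
from collections import defaultdict, deque


class RelationshipGraph:
    """Minimal stand-in for the relationship data a messenger already holds."""

    def __init__(self):
        self.contacts = defaultdict(set)   # owner -> ids saved in owner's address book
        self.messaged = set()              # unordered pairs that have exchanged a message
        self.groups = defaultdict(set)     # group id -> member ids

    def add_contact(self, owner, other):
        self.contacts[owner].add(other)

    def record_message(self, a, b):
        self.messaged.add(frozenset((a, b)))

    def add_group(self, group_id, members):
        self.groups[group_id].update(members)


def may_view_profile(graph, viewer, target):
    """Allow only if the target has the viewer saved as a contact, the two have
    messaged, or they share a group. Strangers get nothing."""
    if viewer == target:
        return True
    if viewer in graph.contacts[target]:
        return True
    if frozenset((viewer, target)) in graph.messaged:
        return True
    return any(viewer in members and target in members for members in graph.groups.values())


class ScrapeDetector:
    """Flags a requester whose distinct profile lookups inside the window exceed
    a threshold. Denied lookups count too: a stranger enumerating numbers is the
    signal, whether or not each request succeeds."""

    def __init__(self, window_s=60, max_distinct=50):
        self.window_s = window_s
        self.max_distinct = max_distinct
        self.events = defaultdict(deque)   # requester -> deque of (ts, target)

    def observe(self, requester, target, ts):
        q = self.events[requester]
        q.append((ts, target))
        while q and q[0][0] < ts - self.window_s:   # drop events outside the window
            q.popleft()
        return len({t for _, t in q}) > self.max_distinct


def lookup_profile(graph, detector, profiles, viewer, target, ts):
    """Return ('ok', profile), ('denied', None) or ('flagged', None)."""
    if detector.observe(viewer, target, ts):
        return "flagged", None
    if not may_view_profile(graph, viewer, target):
        return "denied", None
    return "ok", profiles.get(target)


if __name__ == "__main__":
    g = RelationshipGraph()
    g.add_contact("+15550002", "+15550001")                 # Bob has Alice saved
    g.add_group("grp1", {"+15550001", "+15550003"})         # Alice and Carol share a group
    profiles = {f"+1555{n:04d}": {"name": f"user{n}", "photo": f"p{n}.jpg"} for n in range(1, 200)}
    det = ScrapeDetector(window_s=60, max_distinct=50)
    print(lookup_profile(g, det, profiles, "+15550001", "+15550002", 0.0))  # ok: contact
    print(lookup_profile(g, det, profiles, "+15550001", "+15550003", 0.1))  # ok: shared group
    print(lookup_profile(g, det, profiles, "+15550001", "+15550009", 0.2))  # denied: stranger
    # A scraper walking the number space is denied, then flagged after 50 distinct targets.
    results = [lookup_profile(g, det, profiles, "+19990000", f"+1555{n:04d}", n * 0.5)[0]
               for n in range(1, 80)]
    print(results.count("denied"), results.count("flagged"))
```

The order of the two checks matters: the detector observes the request before the visibility rule runs, so a denied lookup still advances the requester’s count and an enumeration campaign is flagged even when the rule blocks every individual request.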
In an email, a WhatsApp representative wrote: “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team. Security is an adversarial space and we pride ourselves in building on our strong record of protecting people’s privacy.”
