End-to-End Encryption (E2EE) risks on WhatsApp

Discover what WhatsApp's end-to-end encryption really protects, and what it doesn't. Learn the hidden risks to your data privacy and how metadata and backups remain exposed.

Have you seen the latest message from WhatsApp about their end-to-end encryption?
It links to their Help Center, where they claim that privacy and security are “in their DNA.” Sounds reassuring…maybe too reassuring.

But what does WhatsApp’s end-to-end encryption really cover? And more importantly, what does it leave exposed?

Let’s unpack the fine print and highlight the key things users should watch for when it comes to protecting their data and privacy.

 

What is End-to-end encryption?

Let’s start from the beginning. End-to-end encryption is a security method in which messages and calls are encrypted on the sender’s device and can only be decrypted on the recipient’s device, protecting them from unauthorized access. This means that no one, not even the app provider, can read your messages.

What’s Encrypted on WhatsApp?

A closer look at WhatsApp’s own documentation reveals a more nuanced truth: end-to-end encryption doesn’t mean total privacy, and it certainly doesn’t mean total protection.

According to WhatsApp’s own FAQ on encryption, here’s what is covered by E2EE:

  • Text messages
  • Photos and videos
  • Voice messages
  • Calls
  • Status updates
  • Location sharing
  • Documents

These contents are encrypted using the Signal Protocol, and can only be decrypted by the sender and recipient. So far, so good.

But Here’s What’s Not Encrypted

Most users assume “end-to-end encrypted” means all activity on the app is secure. But that’s far from the case. The following data is not encrypted:

1. Metadata

  • Who you messaged
  • When the message was sent
  • How frequently you communicate
  • Device information and IP address
  • Your phone number
  • The recipient’s phone number

This metadata can be, and often is, logged and stored on servers. While WhatsApp says they “limit” this data, it's still collected, and it’s not protected by E2EE.

Keep in mind: Metadata can paint an extremely detailed picture of your behavior, contacts, and habits, without ever needing to read the actual message content.
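
To make that concrete, here is an added illustration (not code from WhatsApp or from the original article) that profiles one account from envelope data alone. The record layout, phone numbers, and IP addresses are constructed for the example and use reserved documentation ranges; no message content appears anywhere in the input.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records: (sender, recipient, ISO timestamp, sender IP).
# The fields mirror the metadata list above. There is no message body.
RECORDS = [
    ("+15550100", "+15550111", "2024-03-04T23:41:00", "198.51.100.7"),
    ("+15550111", "+15550100", "2024-03-04T23:43:00", "203.0.113.20"),
    ("+15550100", "+15550111", "2024-03-05T23:58:00", "198.51.100.7"),
    ("+15550100", "+15550122", "2024-03-06T09:15:00", "192.0.2.44"),
    ("+15550133", "+15550144", "2024-03-06T09:20:00", "192.0.2.44"),
    ("+15550100", "+15550111", "2024-03-06T23:30:00", "198.51.100.7"),
    ("+15550111", "+15550100", "2024-03-06T23:35:00", "203.0.113.20"),
]

def profile(records, subject):
    """Summarise what envelope data alone reveals about one phone number."""
    contacts = Counter()   # how often each peer appears opposite the subject
    sent_hours = []        # hour of day for each message the subject sent
    subject_ips = set()    # networks the subject connected from
    for sender, recipient, ts, ip in records:
        if sender == subject:
            contacts[recipient] += 1
            sent_hours.append(datetime.fromisoformat(ts).hour)
            subject_ips.add(ip)
        elif recipient == subject:
            contacts[sender] += 1
    # Other accounts seen on an IP the subject used: same home or office.
    same_network = {s for s, _, _, ip in records
                    if ip in subject_ips and s != subject}
    late = sum(1 for h in sent_hours if h >= 22 or h < 6)
    return {
        "top_contact": contacts.most_common(1)[0] if contacts else None,
        "late_night_share": late / len(sent_hours) if sent_hours else 0.0,
        "source_ips": sorted(subject_ips),
        "same_network": sorted(same_network),
    }

if __name__ == "__main__":
    for key, value in profile(RECORDS, "+15550100").items():
        print(f"{key}: {value}")
```

Seven rows are enough to name the subject’s closest contact, their late-night habit, the networks they use, and a stranger who shares one of those networks.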

2. Backups

If you back up your WhatsApp messages to Google Drive or iCloud, those backups are not protected by WhatsApp’s end-to-end encryption unless you explicitly enable encrypted backups, which is off by default.

You must manually enable encrypted backups and choose a password or 64-digit key. Even then, this feature is only as secure as the cloud platform’s own protections, and users often don’t realize they’re using default, unencrypted backups.

3. Payments and Transactions

WhatsApp Payments, available in certain regions, allow users to send and receive money. However:

  • Transaction details (sender, recipient, amount, timestamps) are not end-to-end encrypted
  • WhatsApp may share data with third-party financial institutions
  • All payment activity is subject to the platform’s data sharing policies with Meta

Keep in mind: Even in a private chat, your financial activity could be visible to external services and potentially vulnerable to compromise.

4. Business Messaging

When you message a business on WhatsApp:

  • Messages may be stored outside WhatsApp’s servers
  • Businesses can use third-party vendors to manage and respond to messages
  • These messages might be stored unencrypted by the business or vendor

Keep in mind: End-to-end encryption no longer applies once your data enters external systems or business tools.

5. Group Info and Profile Data

  • Group membership (who’s in the group) is not encrypted
  • Profile photo, about info, and online status are public by default
  • WhatsApp groups are discoverable through their invite links, which are sometimes even indexed by search engines if mishandled

Privacy doesn’t stop at encryption

End-to-end encryption is a critical tool, but it’s not a blanket guarantee of privacy. In WhatsApp’s case, encryption only applies to the message content, not the ecosystem around it.

If you're relying on WhatsApp for sensitive communication, whether personal, professional, or even financial, you need to understand what is exposed:

  • Metadata tells stories without needing messages
  • Backups and payments expand the attack surface
  • Third parties can compromise trust, even indirectly

Understanding what isn’t encrypted is just as important as what is.

If you’re serious about data protection, dig beyond the marketing and ask: What else is being collected? Where is it stored? Who else has access?

The answers might surprise you.

Not Safe for Work

A critically important reminder is that tools such as WhatsApp and Signal are not built for business purposes, but rather for consumer use. They lack capabilities that are essential to keep enterprise and government data private, protected, and compliant. Try to use these sorts of tools for securing work communications and you might end up with your very own version of Signalgate.

Consumer-style encrypted communication is not just the domain of Signal and WhatsApp. Even tools that describe themselves as fit for enterprise and government may have significant deficiencies that put them more on par with consumer tools. For example, Element leaves end-to-end encryption off by default in certain group settings, which means that it’s easy to forget to turn it on, leaving communications unprotected. And Matrix is somewhat (in)famous for the level of spam that users encounter, due to a somewhat lax approach to enforcing security standards across accounts.

The lesson is that if you’re looking for secure communications that will keep your organization’s sensitive data well-protected, you need a solution that is built from the ground up to directly address that goal. And it’s also why you should learn more about Wire, the industry’s most advanced and scalable secure communications platform, built for and used by the world’s leading enterprises and government agencies.

Wire

As a leader in secure communication, we empower businesses and government agencies with expert-driven content that helps protect what matters. Stay ahead with industry trends, compliance updates, and best practices for secure digital exchanges.
