Texas Accuses Meta of Running a Three-Billion-User Encryption Scam on WhatsApp

Key Takeaways

• Texas AG Ken Paxton filed suit on May 21, 2026, against Meta and WhatsApp, alleging the companies falsely marketed WhatsApp as end-to-end encrypted while internally maintaining access to message content.
• The lawsuit alleges Meta operated a tiered "task" system allowing employees and contractors to retrieve the contents of private WhatsApp messages on demand, directly contradicting WhatsApp's core marketing promise.
• The suit seeks a permanent injunction and up to $10,000 in civil penalties per violation under the Texas Deceptive Trade Practices Act.
• This is the latest in a string of Texas AG actions against Meta, following the landmark $1.4 billion facial recognition settlement in July 2024 and an ongoing investigation into Meta's AI smart glasses.

The Gap Between WhatsApp's Promise and WhatsApp's Practice

There is something almost structurally elegant about this particular fraud, if fraud is what it turns out to be. WhatsApp built its entire brand identity around a single claim that almost every user can recite from memory: only you and the person you are talking to can read what you send. Not even WhatsApp can read your messages, according to WhatsApp. That promise is specifically why journalists, activists, and three billion people with perfectly good reasons not to trust the platforms handling their data chose this one.

Well, on May 21, 2026, Texas AG Ken Paxton filed suit against Meta and WhatsApp in a Harrison County district court, alleging that the encryption promise is false. The lawsuit claims Meta operated an internal "task" system granting tiered access to message content, allowing employees and contractors to submit requests and read the substance of private conversations, with the petition noting there was "no limit to the type of WhatsApp message that can be viewed by Meta."

The suit draws on a November 2024 SEC whistleblower complaint that prompted a Commerce Department special agent investigation, seeking a permanent injunction and up to $10,000 in civil penalties per violation under the Texas Deceptive Trade Practices Act. A parallel federal class action filed in January 2026 in California makes the same allegations based on insider accounts of the same system, which Meta called "frivolous." 

Paxton Has Meta in His Calendar

This is not Ken Paxton's first, or even second visit to Meta's door. In July 2024, Paxton secured a historic $1.4 billion settlement with Meta over its unlawful facial recognition data collection through Facebook's photo-tagging feature, the largest settlement ever obtained from an action brought by a single state.

Meta paid without admitting wrongdoing and, of course, proceeded to build a wearable camera product collecting the same category of biometric data pointed outward at strangers, which is what led to the AI smart glasses investigation Paxton opened in May 2026. And now this WhatsApp encryption lawsuit, filed the same week as the glasses probe.

Three enforcement actions in under two years, each on a different product, all landing on the same conclusion: Meta says one thing about user data, just to turn around and do something completely different with it.

Why a Company Like Meta Getting Sued Is Worth Celebrating

Meta's relationship with privacy has always been best understood as a marketing relationship rather than a principled one. For example, the company quietly removed end-to-end encrypted DMs from Instagram in May 2026 by updating a 2022 blog post, framing the removal as a response to low opt-in rates for a feature it never defaulted on and barely promoted. And now, according to Texas, it may have been selling encryption that its own employees could bypass on request.

I think the consistency of the pattern matters more than any individual action. When a company treats privacy as a claim to make rather than a constraint to honor, enforcement is the only mechanism that attaches any cost to that choice. A $1.4 billion settlement that required no admission of wrongdoing did not change the behavior, and Meta calling the parallel federal lawsuit "frivolous" is the posture of a company that believes the fee is the finish line. Whether this one lands differently depends on whether Paxton is willing to push past a settlement Meta can absorb and forget.

WhatsApp admits it collects metadata even under the Signal Protocol, including who you talk to, when, and from where. A VPN will not stop Meta's internal systems from reading your messages, but if keeping your communication patterns private matters too, Mysterium VPN (now with 82% off) is absolutely worth layering on top.