Telegram CEO Pavel Durov Launches Scathing Attack on WhatsApp Encryption
Telegram CEO Pavel Durov has unleashed a fresh wave of criticism against WhatsApp this week, branding its end-to-end encryption promise as nothing short of a "giant consumer fraud." Durov's central argument revolves around a startling statistic: approximately 95% of WhatsApp messages ultimately find themselves stored as plain-text backups on Apple iCloud or Google Drive servers. This vulnerability exists because backup encryption remains an optional feature, and the overwhelming majority of users never activate it.
The Critical Backup Vulnerability
Durov elaborated further on this security gap. Even if an individual user diligently enables encryption for their own backups, their messages remain at risk of exposure through the people they communicate with. If 90% of a user's contacts have not enabled backup encryption, then the conversations are effectively unprotected, sitting on someone else's cloud server regardless of personal security settings.
WhatsApp's Encryption: Real but Conditional
It is crucial to understand that WhatsApp's in-transit encryption, which is built upon the technically robust Signal protocol and has been operational since 2016, is indeed real. The company has consistently maintained that it cannot read messages while they travel between devices, a claim that holds true. The fundamental problem, as highlighted by Durov, is not the encryption itself but rather the destination of messages after they arrive.
When WhatsApp performs backups to iCloud or Google Drive, the encryption handoff ceases. These backups then fall under the data practices of Apple and Google, meaning these tech giants can—and do—comply with legal requests for data. Durov asserts that Apple and Google hand over backed-up WhatsApp messages to third parties thousands of times annually.
Legal Challenges and Internal Access Questions
Durov's criticism arrives within an already charged atmosphere. In January 2026, a class action lawsuit filed in San Francisco alleged that Meta employees could access WhatsApp messages in real time through an internal request system, bypassing any decryption steps. Meta has vehemently denied these claims, labeling them as "false and absurd," and no concrete technical evidence has yet been presented to substantiate the allegations. The legal proceedings continue.
The Opt-In Solution and User Awareness Gap
WhatsApp does provide an end-to-end encrypted backup feature, introduced in 2021 as an opt-in option. Users can secure their backups with a password or an encryption key. However, awareness of this critical security feature remains remarkably low among the general user base.
In essence, Durov's critique is not entirely unfounded but is selectively framed. WhatsApp's encryption functions effectively during message transit. The security gap exists at the backup layer. Closing this vulnerability requires a simple action—taking about 30 seconds to adjust settings—a step that the vast majority of users unfortunately never undertake.
