Durov’s broadside puts chat privacy under glare

Pavel Durov, the Telegram founder, has escalated a public attack on WhatsApp, calling its claim of “end-to-end encryption by default” a “giant consumer fraud” and arguing that most private messages still become exposed through cloud backups. The charge, amplified on X amid a fresh US class action dispute over WhatsApp’s privacy promises, has reopened a wider argument about what encrypted messaging apps actually protect, what they leave exposed, and how much ordinary users understand about the difference.

WhatsApp’s position is that the core allegation is wrong. The company says personal messages and calls on the service are protected by end-to-end encryption using the Signal protocol, meaning only the sender and recipient can read them, not WhatsApp itself. Meta has dismissed claims in the lawsuit and in the broader online row as “categorically false and absurd”, arguing that the case misrepresents how the platform works.

Where Durov’s criticism lands more forcefully is on backups. WhatsApp’s own help pages make clear that cloud backups to Apple iCloud or Google Drive are not automatically covered by the same protection unless the user separately enables end-to-end encrypted backup. The company introduced that option in 2021 and says the backup can be secured either with a password or a 64-digit key that neither WhatsApp nor the backup provider can read. That means the strongest version of Durov’s argument is not that WhatsApp chats are unencrypted in transit, but that many users may still be leaving message histories exposed in cloud storage because the backup protection is optional rather than switched on by default.

Privacy advocates have made a similar point, albeit in less dramatic language. The Electronic Frontier Foundation has said chat backups can become the weak point in an otherwise secure system when they are not encrypted before upload. Apple’s law-enforcement guidance also confirms that customer content stored in iCloud can be produced in response to legally valid process, while Google states that it reviews and can respond to government requests for user information. Taken together, that does not prove WhatsApp itself can read message content, but it does underline that a backup stored with a cloud provider may fall into a different legal and technical category from a message travelling within an encrypted chat.

Even so, Durov’s attack carries its own vulnerabilities. Telegram is not a straightforward benchmark for default end-to-end protection. Its official FAQ says only “secret chats” are end-to-end encrypted. Standard cloud chats, which are the default mode used by most Telegram users, are stored across Telegram’s infrastructure and are not end-to-end encrypted in the same way. That distinction has long placed Telegram in a different privacy category from WhatsApp and Signal, despite its reputation as a secure alternative.

Telegram has also changed its posture towards authorities. Durov said in 2025 that Telegram had never disclosed a single byte of private messages, and the company’s FAQ still makes that claim about message content. But after policy changes announced in September 2024, Telegram said it could provide IP addresses and phone numbers of users who violate its rules in response to valid legal requests. That is not the same as handing over message bodies, yet it weakens the absolutist tone that often surrounds the platform’s privacy branding.

The dispute matters because privacy marketing is increasingly colliding with messy technical reality. End-to-end encryption protects message content in transit, but it does not automatically erase every other source of exposure. Metadata, backups, linked devices, account information and user behaviour all shape how private a conversation really is. WhatsApp acknowledges that it processes some account and service data even while message content remains encrypted, and it maintains a dedicated system for responding to government data requests within the law.