Newsletters
In June 2025, global scrutiny over WhatsApp’s privacy practices has intensified. Multiple governments are voicing concerns that the platform may be vulnerable to surveillance and manipulation, particularly during times of political tension and conflict.
Although WhatsApp, owned by Meta Platforms Inc., emphasizes end-to-end encryption, several countries argue that its data handling policies and metadata access remain problematic.
Tensions escalated after Iranian authorities publicly encouraged citizens to uninstall WhatsApp, accusing it of being used for foreign surveillance during the recent Iran–Israel conflict. While no forensic proof was disclosed, officials cited risks of metadata exposure and psychological operations.
WhatsApp refuted the claims, stating its encryption protocol prevents third-party access to message content.
India and Pakistan, too, have come forward. Indian authorities accused pro-Kashmir activists in May 2025 of having their WhatsApp chats intercepted at the time of region-tension escalation.
The Pakistan cybersecurity department has reacted by putting up an alert on spyware threats against senior government officials via popular messaging services.
Although these allegations are usually linked to the wider issue of spyware such as Pegasus, the usage of WhatsApp as a key communication app has repeatedly placed the company under the spotlight.
In a different context, the U.S. House of Representatives recommended that its staff's using WhatsApp be avoided on government-issued devices in April 2025 due to murky metadata provisions. In the meantime, WhatsApp traffic has been brought under greater scrutiny in countries such as Egypt, the UAE, Saudi Arabia, and so on, when a country goes through some sort of protest or civil strife.
WhatsApp is prohibited in China in support of its internet control policy. The periodic blocking in countries such as Russia and Ethiopia highlights a general trend of governments correlating WhatsApp usage with issues of domestic security.
Despite WhatsApp’s end-to-end encryption based on the Signal Protocol, spyware programs can bypass encryption by targeting the device rather than the app. Pegasus, developed by Israel’s NSO Group, exploited a WhatsApp vulnerability in 2019, enabling zero-click infections that accessed microphones, cameras, and message logs. WhatsApp later patched the flaw, but over 1,400 users, including journalists and activists, were reportedly compromised.
In February 2025, spyware by the Graphite software with the Israeli-based company Paragon was picked up, where PDF attachments over WhatsApp infected phones.
Researchers and workers in the media were also victims in Europe and the Middle East. These events demonstrate the extent to which safe programs may be used as a vehicle to convey more extensive cyber-espionage operations.
While message content is encrypted, metadata remains accessible to WhatsApp and, potentially, to requesting governments. This includes timestamps, contact numbers, device IDs, and usage patterns. Gregory Falco of Cornell University explained, "Metadata can expose detailed insights about user behavior even without content access."
The privacy issues become more acute where the legislation on local data sovereignty in such territories is not strong. Civil society groups in some countries, such as Pakistan, Türkiye, and Indonesia, caution that the information that is held on offshore servers cannot be touched by the local courts and risks experiencing foreign spying.
In June 2025, Iran accused WhatsApp and other platforms of facilitating psychological warfare during the conflict with Israel.
Although technical details were not shared, the Iranian government’s reaction led to temporary internet shutdowns. Similarly, the Indian government has pushed for stronger oversight on foreign messaging apps, while Brazil and Indonesia are drafting regulations mandating local data storage.
Recently, Nigeria and Kenya also expressed concerns about the safety of WhatsApp after personal information of political campaigners was used in the run-up to the 2023 election. Both German and French data protection officers are now looking into Meta over its adherence to EU rules in the coming Digital Markets Act.
The point that cybersecurity analysts bring out is that surveillance is not usually aimed at regular users and that security starts with the behavior of users. Security analysts recommend that users should ensure that messaging applications and operating systems are left at the latest versions, use two-factor authentication, and not access media systems that are not under their control.
Encryption is not a foolproof method of protection when users do not practice good cyber hygiene. Signal, Threema, and Briar are some of the alternatives that are increasingly suggested when it comes to sensitive conversations, especially due to the transparency of the protocol being open source and little information gathered about the user.
Privacy Watch Europe Chief Analyst Eva Martinez stated that awareness, software hygiene, and platform choice are the key factors behind privacy on the Internet. Additionally, the users are recommended to turn off cloud backups that can contain unencrypted information, which would expose them to a minimal level in the event of data loss.
The parent company of WhatsApp, Meta, has reiterated that it has never cooperated with any governments or intelligence services. It argues that it cannot access messages since it employs end-to-end encryption and emphasizes that the users can regulate a majority of their information-sharing desires.
Nevertheless, critics state that the bulk collection of metadata and extensive cross-system tie-ins with other Meta products, including Instagram and Facebook, are structurally threatening to user privacy.
In reality, WhatsApp itself may not be a spyware app by design, but its widespread use, closed-source code, and integration with vulnerable device ecosystems make it a prime target for surveillance campaigns. Experts agree that the app’s architecture leaves potential openings that sophisticated attackers can exploit.
In the future, a mixture of education on the part of users, technological openness, and national regulation will probably dictate the future of encrypted messaging apps.
The fact that local messaging platforms are emerging in comparatively small markets, such as South Korea, France, and Germany, indicates that a lack of sovereignty and data control may be seen as an issue that can be addressed.
Concurrently, there are increasing calls on large technology companies to disclose how they collect user data and to allow the possibility of third-party audits of their platforms.
As the global digital landscape evolves, the debate over WhatsApp’s role will likely intensify. Until stronger guarantees and transparent practices are established, both users and policymakers are approaching the platform with growing caution.
3 min read
