
Posted by mdhb 9/8/2025

Ex-WhatsApp cybersecurity head says Meta endangered billions of users (www.theguardian.com)
347 points | 182 comments
sudahtigabulan 9/9/2025|
> In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.

If the company is so bad (it is), why does he want back?!

'Just pay me the salaries I "missed", and keep them coming.' The regulatory action is just "potential".

I have no sympathy for Meta, but this guy...

saagarjha 9/9/2025||
Companies are not relationships where once they're your ex they are never worth interacting with ever again. If you are doing good work and then HR pushes you out, then it is reasonable to sue the company to get them to pay you damages and then go back to doing what you were before with the protection that they won't do it again.
sudahtigabulan 9/9/2025||
The point I tried to make was not that he should be resentful about being kicked out, but that he doesn't really care that Meta is unethical and endangers billions.

Even if nothing changes (the regulatory action is optional), he's happy to contribute (he insists, in fact). Even among people who don't want him there.

mapotofu 9/9/2025||
The points you’re making are personal attacks about the whistleblower. They don’t focus on the substance of the accusations (insecurity). Instead, they focus on your idea of their career motivations and their personality.
Nevermark 9/9/2025|||
He got fired unjustly. For trying to do something good. (His position.)

Any full remedy would require that his position be reinstated.

If he wins the right to be reinstated, he will be happy to negotiate a payment instead. He is made whole.

What about any of that lacks sensible motives?

sudahtigabulan 9/9/2025||
Nothing, but there's something in your comment that was not in the article:

> he will be happy to negotiate a payment instead.

This, indeed, sounds way more normal than wanting to keep working for the evil company, and in a toxic environment.

It hasn't occurred to me that one can change their mind and choose a different compensation after the court decision like that.

Nevermark 9/10/2025||
Yes, it isn't stated because that point is moot until he is awarded remedy.

You don't negotiate with what you don't have yet. But the idea that he or they would actually want to resume working together is beyond unlikely. They will be happy to pay for him to go away, if that's the only way they can legally get rid of him.

skybrian 9/9/2025||
Maybe so he can quit properly? I wonder how these lawsuits work? Maybe a lawyer would know.
coppsilgold 9/9/2025||
When it comes to e2e encryption it's important for the ends to be static (not web apps) and auditable (open source, reproducible builds) because the software running on the ends can trivially compromise anything going through either of them. It can be as simple as a script being loaded from the server into a runtime such as Lua (closed source app). Or custom javascript delivered (web app).

When these conditions aren't met, any e2e encryption claim can be dismissed out of hand. This does not mean the service offers no value, it just means it cannot be trusted to keep anything confidential.

alex1138 9/8/2025||
I've seen some people right here on HN say that WhatsApp was an inspired acquisition and Zuck is a great product guy, knows what to buy and who to hire

Counterpoint: he's a monopolist and scummy person (https://news.ycombinator.com/item?id=1692122) who refuses to stop (https://arstechnica.com/tech-policy/2019/09/snapchat-reporte...) from the early days onwards (https://news.ycombinator.com/item?id=1169354)

https://news.ycombinator.com/item?id=15007454

mgh2 9/8/2025||
> A Meta spokesperson, Andy Stone, wrote on Threads, the company’s text-based social network: “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.”

Skeletons keep piling up while PR tries to dismiss them

neilv 9/8/2025|
That quote is brilliant.

Corporate communications has playbook damage control responses, and this quote seems to be suggesting that the quoted response is one of them (it's "familiar").

Whether "former employees" are sketchily operating from playbooks, who knows. Because PR playbook-sounding statements don't have a lot of credibility.

Nevermark 9/9/2025||
Innocent until proven guilty.

Or the PR team undermines their own credibility with a stock and specious fact-free non-response.

I think the point of these is to dodge the even guiltier look of “no comment”. And signal there won’t be any potentially costly cooperative engagement from their side to their shareholders.

They don’t expect to be believed.

palata 9/8/2025||
I hate Meta as much as the next person, but it feels like "endangering billions of users" is exaggerating here. The complaint is pretty much that WhatsApp engineers can access metadata (NOT the content of the messages).

This said, WhatsApp is not open source, so it's impossible for users to verify how the encryption works, so users have to trust that it's properly end-to-end encrypted.

If you care about privacy (and you should), then you should use Signal instead of WhatsApp.

ryandrake 9/8/2025||
The metadata of someone's communications can be almost as damning as the content. I would guess that if the FBI could merely have a list of who their suspect contacted over an app, and when, they'd have 90% of what they wanted.
rhizome 9/9/2025|||
My understanding is that in the vast majority of investigations law enforcement will be satisfied in learning only who you're talking to, i.e. "just metadata" is fine, and dangerous.
3eb7988a1663 9/9/2025||
It seems reasonable. Even those who are sloppy with their opsec probably do not detail the entirety of the plan via digital mechanisms. Being able to identify likely collaborators is probably sufficient to infer some specifics of an activity.
palata 9/9/2025|||
> I would guess that if the FBI could merely have a list of who their suspect contacted over an app, and when

Well with WhatsApp they most definitely can, but it has never been a secret. WhatsApp always had access to the metadata (whereas Signal makes a lot of effort to reduce the metadata they have access to). In ~2016 WhatsApp integrated the Signal protocol to add end-to-end encryption, but did nothing about the metadata.

Again: if you care about privacy, use Signal.

mynameisash 9/9/2025|||
> The complaint is pretty much that WhatsApp engineers can access metadata (NOT the content of the messages).

I don't even take this statement at face value. It's trivially easy to include models on client side that can do some message classification and treat that as "metadata" that would give insight into the content of the message.

alehlopeh 9/9/2025||
Metadata includes notifications, which often include the text of the message.
palata 9/9/2025||
Pretty sure this is wrong, at least in the case of WhatsApp.

If an app sends the message content in clear through the notifications, then it is badly designed, period.

varenc 9/9/2025||
Agreed. As I recall the way notifications work on Signal/WhatsApp is the app receives some silent notification that wakes it up, then the app does its crypto thing, and then it locally triggers the notification with the decrypted content you see. In iOS land your app needs a special entitlement to work this way. It also means if you're on very heavy group chats your battery will drain faster.

If WhatsApp central servers could push a notification to your phone that contained your actual message content, it couldn't be E2EE.

alehlopeh 9/9/2025||
Fair point. For E2EE messaging apps, metadata often includes encrypted message content. As others have stated, the unencrypted metadata (e.g. message recipient) can potentially be damning enough on its own.
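The notification flow varenc describes above, modelled as an added example (illustrative code written for this thread, not WhatsApp's, Signal's or any commenter's code): the relay server stores an opaque envelope and sends only a silent wake-up push; the woken client fetches the envelope, decrypts with a key that exists only on the endpoints, and builds the notification locally. The server's view of a message is therefore the metadata palata and ryandrake discuss (sender, recipient, time, size), never the text. The cipher is a toy built from hashlib/hmac so the file runs offline, and RelayServer, the envelope fields and the message text are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import time


# Toy authenticated encryption from hashlib/hmac only (constructed for this
# example). It stands in for the real Signal/WhatsApp ratchet; do not reuse it.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class RelayServer:
    """Hypothetical relay: holds only the opaque envelope a client hands over."""

    def __init__(self):
        self.mailbox = {}

    def accept(self, envelope: dict) -> str:
        msg_id = os.urandom(8).hex()
        self.mailbox[msg_id] = envelope
        return msg_id

    def push_payload(self, msg_id: str) -> dict:
        # Silent push: wakes the app and names the message, carries no text.
        return {"content-available": 1, "msg_id": msg_id}

    def fetch(self, msg_id: str) -> dict:
        return self.mailbox[msg_id]

    def visible_metadata(self, msg_id: str) -> dict:
        # Everything the relay can read without the endpoint key.
        env = self.mailbox[msg_id]
        return {k: env[k] for k in ("sender", "recipient", "sent_at", "ciphertext_len")}


def send_message(server: RelayServer, key: bytes, sender: str, recipient: str, text: str) -> str:
    """Sending endpoint: encrypt locally, hand the relay an opaque envelope."""
    nonce = os.urandom(12)
    ct, tag = encrypt(key, nonce, text.encode())
    envelope = {
        "sender": sender, "recipient": recipient, "sent_at": int(time.time()),
        "nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex(),
        "ciphertext_len": len(ct),
    }
    return server.accept(envelope)


def handle_push(server: RelayServer, key: bytes, push: dict) -> dict:
    """Receiving endpoint, woken by the silent push: fetch, decrypt, notify."""
    env = server.fetch(push["msg_id"])
    body = decrypt(key, bytes.fromhex(env["nonce"]), bytes.fromhex(env["ciphertext"]),
                   bytes.fromhex(env["tag"]))
    # This dict is what the app itself posts as the visible notification.
    return {"title": env["sender"], "body": body.decode()}


def tamper_detected(server: RelayServer, key: bytes, msg_id: str) -> bool:
    """A relay that modifies the ciphertext is caught by the tag check."""
    env = server.fetch(msg_id)
    ct = bytearray(bytes.fromhex(env["ciphertext"]))
    ct[0] ^= 0x01
    try:
        decrypt(key, bytes.fromhex(env["nonce"]), bytes(ct), bytes.fromhex(env["tag"]))
    except ValueError:
        return True
    return False


def demo() -> dict:
    key = os.urandom(32)  # constructed: shared only by the two endpoints
    server = RelayServer()
    msg_id = send_message(server, key, "alice", "bob", "meet at 9")
    push = server.push_payload(msg_id)
    return {
        "push": push,
        "server_view": server.visible_metadata(msg_id),
        "notification": handle_push(server, key, push),
        "tamper_detected": tamper_detected(server, key, msg_id),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and compare the three dicts: the push and the server view contain who talked to whom, when and how much, while the text appears only in the notification the client assembled after decrypting. That split is also why a design that puts message text into the server-generated push cannot be end-to-end encrypted, as varenc notes.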
tamimio 9/9/2025||
I never trusted fecebook which is why I never created an account or used any of its products (old Instagram placeholder only), except last year, I made a small startup and wanted to use Instagram to promote it. Despite using the other old account to avoid potential false flagging as spam, immediately after creating it I got banned and had to submit a personal picture holding a book or whatever to verify I am real. I did that although it's not a personal account. Regardless, a few seconds after submitting the picture and verifying my number it got permanently banned. So far this is understandable, maybe it's all an automated process which is expected. However, I wanted to get in touch with support, in any form or shape, only to find out that there's none, and apparently the only way to actually fix something within fecebook is knowing someone who knows someone who works there. LOL, really big LOL!! A company that size operating like an underground syndicate is a total joke and totally untrustworthy. Bottom line: Never trust anything from fecebook, no matter what they say, do not.
ipython 9/8/2025||
I’m sure WhatsApp’s recent “secure by design” media and ad blitz is totally unrelated to these accusations …
1vuio0pswjnm7 9/9/2025||
Baig v Meta Platforms, Inc.

Complaint:

https://storage.courtlistener.com/recap/gov.uscourts.cand.45...

mentalgear 9/8/2025|
Seems just in line with all the other Meta scandals: from providing a platform for genocide in Myanmar, harming the psychology of 100s of millions of teenagers (Instagram) to pushing extremist and fascist content while receiving big ad cash dollars for propaganda that lifts criminals and fascist politicians into the highest offices. Meta has no red lines, as long as it lines Zuckerberg's pockets.