Over the past year, Meta has blanketed TV screens around the world with commercials touting the privacy of WhatsApp, its encrypted messenger with a monthly user base of 3 billion people.
“It’s private,” says one ad campaign featuring the former cast of the TV show Modern Family. “On WhatsApp, no one can see or hear your personal messages … not even us,” a different series of ads declares.
“Serious risks to user data”
On Monday, the former head of security for the Meta-owned messaging app filed a federal whistleblower lawsuit that tells a far different story. The suit, filed in US District Court for the Northern District of California, recites a litany of purported security and privacy flaws that Meta not only failed to fix after becoming aware of them, but also kept secret, allegedly in violation of a $5 billion settlement that then-WhatsApp parent company Facebook reached with the Federal Trade Commission. The complaint was filed by Attaullah Baig, who became head of WhatsApp security in 2021.
Meta has denied the accusations.
Shortly after assuming that role, the lawsuit said, Baig “discovered systemic cybersecurity failures that posed serious risks to user data.” During a red-team exercise designed to find and exploit security vulnerabilities so they can be fixed, Baig said he found that roughly 1,500 engineers inside the messenger division had “unrestricted access to user data, including personal information covered by the FTC Privacy Order, and could move or steal such data without detection or audit trail.”
Starting in September 2021, Baig notified superiors responsible for WhatsApp that granting unrestricted access to so many employees likely violated the 2019 order. Among other things, he drafted a document directing the WhatsApp privacy infrastructure team to implement a data classification and handling system that would comply with the order by shoring up the security of stored user data through tighter employee access to it.
“This represented the first concrete step toward addressing WhatsApp’s fundamental data governance failures,” the complaint stated. “Mr. Baig understood that Meta’s culture is like that of a cult where one cannot question any of the past work, especially when it was approved by someone at a higher level than the individual who is raising the concern.” In the following years, Baig continued to press increasingly senior leaders to take action.