Sign in Subscribe
Latest issue

The Encryption Probably Works. The Incentives Definitely Don’t.

The Encryption Probably Works. The Incentives Definitely Don’t.
Photo by Ronda Dorsey / Unsplash

There is a specific kind of question that only circulates once trust has already collapsed. What if the encryption is fake? Not because someone has proven it is, but because enough prior assurances turned out to be incomplete, misleading, or carefully worded in ways that only made sense later.

From a technical standpoint, the question is not especially interesting.

End-to-end encryption is not folklore. It is math, protocols, key management, and threat models that have been subject to decades of adversarial scrutiny. At the scale WhatsApp operates, a universal, covert mechanism that would allow Meta to read message content at will would be extraordinarily difficult to hide, operationally fragile, and almost impossible to keep quiet. Large systems do not keep secrets well, especially not ones that require people, process, and code to align continuously.

So yes — it is entirely plausible that WhatsApp’s encryption works exactly as described.

It is also entirely understandable that many people do not believe Meta when it says so.

That gap, between what is technically likely and what is socially believable, is where this story actually lives.

Allegedly, and then demonstrably

Precision matters, especially when trust is already thin.

Claims that WhatsApp’s encryption is compromised are, at present, allegations. They have not been proven in court. They should be treated as such, no more and no less.

But allegations do not arrive in a vacuum. They arrive in a context. And Meta has built that context meticulously, one documented failure at a time.

Cambridge Analytica is not alleged. It is settled history. Regulatory findings, fines, sworn testimony, and internal documentation established that Meta did not merely experience a data misuse incident — it repeatedly minimized, delayed, and reframed known risks until external pressure made denial impossible.

The same pattern appears elsewhere. Meta's own internal research linked Instagram usage to negative mental-health outcomes in young users. That research was conducted internally, documented clearly, and circulated to leadership. The decision not to act was not due to technical uncertainty. It was a prioritization choice.

More recent reporting around AI systems interacting inappropriately with minors follows a familiar arc: discovery, internal awareness, slow response, eventual exposure.

None of this proves the encryption is broken. That is not the point.

The point is that when a company builds a long enough record of knowing and not acting, new allegations don't need proof to land. They just need precedent.

Trust is not a cryptographic primitive

Security culture has a habit of assuming trust can be retrofitted. Prove the math, publish the protocol, point to the whitepaper, and move on.

That works in narrow systems. It fails in socio-technical ones.

Trust is not established by correctness alone. It is established by consistent good faith under pressure — voluntarily disclosing and correcting before being caught, and accepting short-term costs for long-term credibility. Meta's historical response to internal evidence of harm suggests a different reflex — one oriented toward managing reputational, legal, and financial risk rather than immediate correction.

When users hear “we cannot read your messages,” they are not parsing protocol diagrams. They are asking a simpler question: would this company tell us if the answer were inconvenient?

Given the record, many conclude the answer is no. That conclusion is not conspiratorial. It is learned.

Incentives beat ethics, every time

It is tempting to frame this as a story about bad people. A few morally compromised leaders. A rogue team. A failure of values.

That framing is comforting, and mostly wrong.

What Meta illustrates with uncomfortable clarity is how stacked incentives overpower individual ethics without requiring anyone to think of themselves as a villain. Growth is rewarded. Delay is punished. Internal dissent is costly. Alignment is safe.

Add an international workforce where employment status is often tied to immigration status, and the chilling effect becomes structural. Speaking up stops being a moral calculation and becomes a question of personal risk. Silence, in that environment, is not consent so much as self-preservation.

Upward, leadership distance creates plausible deniability. Downward, precarity suppresses dissent. In the middle, people quickly learn which concerns are welcome and which quietly end careers.

No conspiracy is required. Only alignment.

Scale as moral absolution

Every large technology company has done things it should not have done. That alone does not make Meta unique.

What makes Meta instructive is something quieter. A belief — never written as policy, but functioning as one — that scale changes the moral math.

Small companies break rules because they cannot afford lawyers. That was the original sin of Silicon Valley, and it was at least honest about what it was.

What it aged into was different. Not recklessness. Calculation. Break rules because you can afford the consequences. Treat fines as operating costs. Treat outrage as a weather pattern — something that passes.

The ethic didn't change. The budget did.

Why Meta feels different

This is where the argument often starts to sound subjective, even though it isn’t entirely.

Plenty of companies have experienced misconduct. What stands out with Meta is not that harm occurred, but how often that harm was measured, documented, and then tolerated anyway.

There is a brazenness to the internal record — a comfort with putting things into writing — that suggests a belief that consequences will be manageable. That outrage will fade. That better lawyers will suffice.

Other companies may not be more ethical. They may simply be more afraid. Fear that an internal document could one day appear on the front page of a newspaper remains one of the few effective brakes we have.

If Meta’s failure is distinctive, it may be less about values than about the absence of that fear.

When distrust becomes the attack surface

The real damage here is not that people might wrongly believe encryption is broken.

It is that institutional distrust becomes the default, and that security assurances stop functioning altogether. When users no longer believe companies, they turn to rumor, absolutism, and folk explanations. They stop distinguishing between what is alleged, what is unlikely, and what is proven, because experience has taught them that careful distinctions rarely work in their favor.

That erosion does not just harm Meta. It degrades the entire ecosystem.

And it is self-inflicted.

The uncomfortable conclusion

The most unsettling possibility is not that WhatsApp’s encryption is a lie.

It is that the encryption works — and that no longer matters.

Because a company that repeatedly demonstrates it will subordinate known harm to growth eventually loses the one thing that makes technical truth persuasive: credibility. At that point, every assurance becomes provisional. Every denial invites scrutiny. Every claim is filtered through precedent.

Not because users are irrational.

Because the incentives trained them to be suspicious.

Subscribe to PacoPacket

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe