E2EE is mostly useful for consumer applications, where you trust the endpoint (yourself), but not the intermediary servers (some megacorp that doesn't care about you).

The situation is entirely different when you are managing very large organizations.

In those situation, you don't necessarily need the need the data to be invisible to the intermediary servers, because you might either just be able to control them yourself, secure them with NDAs, etc. And if the server is controlled by you, then you might not even want the data to be invisible to yourself. But, your primary risks may be the compromise of endpoint devices, mistakes or leaks by your users, or a lack of controls over data exchange. Also, many organizations may need to provide records of their internal communications in order to comply with legal requirements.

You might be surprised to know that enterprise offerings of many apps that otherwise support E2EE, often have a way for administrators to intentionally turn those features off.

Lack of complete e2ee is a feature for many large organizations—they still want everything encrypted, they just want a master key to be able to audit communications for compliance/investigations/insider threat identification. They also want strict control over who does what with the app, and where all of the associated data lives. Teams is just a totally different product from WhatsApp in that regard, with all sorts of functionality that will never exist in WhatsApp—tons of control over user identity and access management, integration with all sorts of other security tooling, etc.

The threat model of an organisation is almost the opposite of you as an individual.

For you, you trust yourself the most, followed by your device, and the intermediate servers are a threat. For an organisation, the servers are the most trusted entity, followed by the org-provided device, and a certain percentage of users are an active threat.

Message retention, audit logging, SSO to name a few off the top of my head.

Does WhatsApp encrypt the data on the device after it’s received and decrypted at your phone’s end (then stored indefinitely)? I thought the term of art was “encrypted at rest,” but “stored data encryption” makes sense to me too.

I was of the impression that Whatsapp’s messages (and its backups, photos, etc) kind of just hung around in plaintext once they reached the device.

Which would seem to be a problem should the device be stolen, or observed by other applications on the phone or a tethered device, or twiddled with sneaky hardware (e.g. [0]) that might use physical means to access the device’s file system.

Although as I understand it, the privacy claims are kind of window dressing anyway, and Meta has been more than willing to share plenty of WhatsApp’s data with all and sundry… even before AI-in-the-same-search-bar came along [1]

[0] https://shop.hak5.org/products/omg-cable

[1] https://www.propublica.org/article/how-facebook-undermines-p...