
The protocol they use is open and very reliable, and it can be verified relatively easily from the outside that this is the protocol they're using.

If you enable backups in WhatsApp those backups aren't stored on Facebook's servers, but they are probably not encrypted very well, since you don't enter your own encryption key, and WhatsApp has to be able to decrypt those backups if you lose your device. So those probably aren't secure if you are directly targeted.

Also if you are directly targeted, it's not completely impossible that Facebook has a way to send you a custom "update" that simply sends all your messages to Facebook encrypted with their keys.

But in terms of mass surveillance, it seems fairly unlikely that Facebook can read WhatsApp messages, because something like that would not be hard to find for someone from the outside, especially since the protocol WhatsApp is supposed to use is completely known.

Facebook probably cares more about your meta-data (who has who in their address book) anyway than it cares about the content of your messages.



Or in other words, quoting James Mickens:

> My point is that security people need to get their priorities straight. The "threat model" section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler (see Figure 1). Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they're going to use a drone to replace your cellphone with a piece of uranium that's shaped like a cellphone, and when you die of tumors filled with tumors, they're going to hold a press conference and say "It wasn't us" as they wear t-shirts that say "IT WAS DEFINITELY US," and then they're going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN'T REAL. When it rains, it pours.


Except my "threat model" also includes trying to minimize the data I send to the GAFAM (and other unscrupulous private companies that could potentially profit from my personal data...)


And yet, Snowden is out of the reach of the US govt (for now).


Snowden uses a lot more to defend himself than just https.


Snowden is in a situation where it would be a PR nightmare for the US if they were to touch him. That's not the same as being out of reach.


Snowden is in a situation where it could be nuclear war between Russia and the US if they were to touch him on Russian soil.



