If a trade union held all its strategy meetings inside the employer's boardroom, with the employer's recording equipment running, and the minutes filed in a cabinet the employer holds the key to, every member of that union would understand immediately that something is wrong. Political parties in Ireland and across Europe are currently doing the equivalent of this for their internal organising. They are running it on WhatsApp. WhatsApp is owned by Meta. Meta is, structurally, part of the political-economy apparatus the parties are organising to contest. The parties have been told this is fine, or that raising the issue is "conspiracy theory," for the better part of a decade. It is not fine and it is not conspiracy theory. It is parties running opposition on the opposition's platform.

This piece is a plain explainer on what is actually going on, what serious institutions have already done about it, and what every Irish political party should already be doing instead. It is not a paranoia argument. The numbers below are from the platforms' own published transparency reports, the European Parliament's published investigations, Citizen Lab at the University of Toronto, the Irish National Cyber Security Centre, and named court judgements. None of it is hidden. Most of it has been on the public record for years.

What WhatsApp actually knows about your party

The first thing to understand is what WhatsApp does and does not protect.

WhatsApp uses the Signal Protocol to encrypt the contents of your messages end-to-end. That is real. Meta cannot read the text of what you send. If your branch chair posts "let's table the housing motion at the next meeting," the literal text of that message is not visible to Meta.

What Meta does hold, and what Meta does turn over to law-enforcement requests when those requests arrive, is the metadata. The metadata is the everything-except-the-content layer. It includes:

  • Every phone number in your group
  • Who created the group, when, with what name
  • The membership list and how it has changed over time
  • Every timestamp of every message
  • How often each member messages
  • Which members message which other members one-to-one
  • Device identifiers (so Meta knows your specific phone, not just your number)
  • IP addresses, which place you geographically
  • Profile photos and "About" text
  • Connection times (when each member is online and active)

For a political party, the metadata is the operationally sensitive data. The metadata is your social graph: it tells anyone who has it exactly who is organising with whom, on what cadence, around what events, and how the network of activists actually flows. The text of any individual message is much less important than the structure of the network the metadata reveals.

Meta is transparent, in its own transparency reports, about handing this metadata over when asked. In the first half of 2025, Meta received 374,516 government data requests globally, up 16% on the previous reporting period. The United States alone made 81,064 requests in the same period, with 77% of them under non-disclosure orders that prevent the user being told. Meta complied with the substantive majority of these requests. Irish An Garda Síochána made 762 requests to Meta in the period July 2020 to December 2021, up from 196 in the prior eighteen months, with Meta compliance running between 57% and 82%. The numbers will be higher now.

If a state actor wants to know the membership of your party WhatsApp group, the cadence of your meetings and the structure of your organising network, that information is available to them via a legal-process request to Meta. They do not need to break the encryption. They do not need to compromise a member's phone. They just need to send the request.

Who can ask Meta for that information

The list of parties with legal-process access to Meta data is longer than most people realise.

US law enforcement has it through standard subpoena, warrant and National Security Letter channels. US intelligence agencies have it through FISA section 702, which was reauthorised in April 2024 for two years under the RISAA legislation; its status following the April 2026 sunset is uncertain at time of writing but the underlying PRISM programme architecture, which has named Meta as a participating provider since 2008, has not been dismantled. The Snowden disclosures of 2013 documented PRISM as the source of approximately 91% of section-702 internet acquisition. None of this has been retracted.

The Irish State has it through standard mutual legal-assistance treaties with the United States, and through direct requests to Meta's Irish entity. An Garda Síochána has the established channel. The Defence Forces' G2 intelligence directorate has the parallel channel.

The Five Eyes intelligence-sharing arrangement (United States, United Kingdom, Canada, Australia, New Zealand) means that signals intelligence collected by any one Five Eyes member is by default shared with the other four. Irish political-party communications routed through Meta's US infrastructure are reachable through the Five Eyes architecture regardless of whether the Irish State asked.

Foreign intelligence services that successfully compromise Meta itself, or exploit a vulnerability in WhatsApp's client software, can read the same metadata. The Pegasus and Predator spyware operations described in the next section are examples of this attack surface in operation. The Bundestag's 2015 GRU compromise and the Macron 2017 hack-and-leak are examples of comparable operations against European political infrastructure.

A short list of who can plausibly read your party's WhatsApp metadata, on any given day, includes: the US intelligence community, the UK intelligence community, Irish State agencies on request, allied state agencies via mutual-assistance channels, hostile state actors via spyware or platform compromise, and the legal departments of any third party who obtains a court order. The list of who cannot read it is much shorter.

What happens when Meta decides not to host you

The other half of the platform-risk picture is that Meta can, at its sole discretion, take down your infrastructure overnight.

The headline case is the January 2021 deplatforming of Donald Trump. Twitter, Facebook, Instagram and YouTube all suspended Trump within days of the 6 January Capitol attack. Meta initially indefinite-suspended, then set a two-year ban in June 2021, then reinstated him on 9 February 2023, then removed remaining restrictions in July 2024. The point is not whether the decision was right or wrong. The point is that the decision was made by a private company about a sitting political figure's access to the communication infrastructure he depended on. The same company makes equivalent decisions, on the same authority, every day, at lower visibility.

Human Rights Watch documented more than 1,050 instances of Meta removing or suppressing pro-Palestinian content in October and November 2023 alone, with continuing patterns of suppression documented through 2024 and 2025. The Intercept reported in October 2024 that Meta's Israel policy chief Jordana Cutler personally flagged Students for Justice in Palestine posts. The pattern is documented. The result for affected organisations is the same: the infrastructure they organised on disappeared without process.

For a political party, this is not a hypothetical risk. The party's WhatsApp groups can be terminated by Meta tomorrow morning. The party's Facebook page can be suspended without explanation. The party's Instagram following can be wiped overnight. The platform has the unilateral right. The party has no contractual recourse.

Active threats — this is not hypothetical

The "raising secure-comms is conspiracy theory" framing depends on the threat being hypothetical. The threats have been on the public record for years.

Pegasus, made by the Israeli company NSO Group, is the most-documented commercial spyware operation. Citizen Lab at the University of Toronto's CatalanGate report of April 2022 identified at least 65 Pegasus targets in the Catalan independence movement, including Catalan President Pere Aragonès and his predecessors, all five pro-independence Members of the European Parliament elected in 2019, lawyers and civil society. The Spanish CNI intelligence chief Paz Esteban admitted CNI had spied on 18 of those targets with Supreme Court approval. Polish senator Krzysztof Brejza, who was campaign coordinator for the Civic Coalition in the 2019 Polish elections, had his phone hit 33 times by Pegasus during the campaign. Polish state television was later ordered to apologise for airing manipulated extracts from the stolen messages.

The European Parliament's PEGA Committee of Inquiry, sitting for fourteen months, found illegitimate Pegasus use in Poland, Hungary, Greece and Spain, with suspected use in Cyprus. Its final report was 145 pages. Citizen Lab disclosed in April 2022 that multiple suspected Pegasus infections had hit devices at the UK Prime Minister's office in 10 Downing Street and at the UK Foreign Office between 2020 and 2021.

Predator, made by the Intellexa group founded by ex-Israeli Unit 8200 officer Tal Dilian, is the leading non-NSO commercial competitor. Greek "Predatorgate" hit the leader of PASOK and Member of the European Parliament Nikos Androulakis, alongside journalists and approximately 90 politicians, journalists and officials. In February 2026, an Athens court convicted four Intellexa-linked figures (Dilian, Hamou, Bitzios and Lavranos) of involvement in the spyware operation, the first criminal convictions of spyware-company executives globally. The US Treasury sanctioned Intellexa in March and September 2024. The European Union has not sanctioned Intellexa. The EU continues to host the company, fund it via certain contracts and licence its export operations.

Russian intelligence services have a long record against European political infrastructure. The 2015 Bundestag compromise, attributed to GRU Unit 26165, exfiltrated approximately 16 gigabytes of data. The 2017 Macron campaign hack-and-leak, attributed by private cyber-forensics firms to APT28 / Fancy Bear (GRU), released tens of thousands of documents two days before the French presidential vote. The German SPD party headquarters was compromised in December 2022 and January 2023 via an Outlook zero-day, attributed by the German federal government in May 2024 to APT28.

Chinese intelligence services have a parallel record. On 25 March 2024 the US Southern District of New York unsealed an indictment of seven hackers from APT31, attributed to the Chinese Ministry of State Security via the Wuhan XRZ front company, with charges including attacks on every member of the Inter-Parliamentary Alliance on China (IPAC), 43 UK parliamentary accounts and the UK Electoral Commission's 2021-22 breach. Joint US and UK sanctions were issued the same day.

In Ireland specifically: the HSE Conti ransomware attack of May 2021, attributed to the Russia-based Wizard Spider group, demanded a $19,999,000 ransom and ultimately cost the State €102 million in confirmed recovery costs. The June 2024 European elections saw distributed denial-of-service attacks against Irish election-information and transport sites, attributed by the National Cyber Security Centre to state-aligned actors and explicitly naming Russia and China as actively probing Irish government networks. In December 2023, the pro-Iran CyberAv3ngers group cut off water to approximately 160 households in the Erris group water scheme in County Mayo for two days, by compromising the Unitronics PLC controlling the system. Russian shadow-fleet vessels have been documented mapping Irish subsea-cable landing stations: the Viktor Leonov in the Irish Exclusive Economic Zone in April 2025; a shadow-fleet convoy off the west coast in April 2026. Tánaiste Simon Harris announced a €60 million sonar acquisition in April 2026 specifically in response.

This is the threat environment the parties' internal comms are operating inside. None of it is hypothetical. All of it is on the public record.

What the parties have already been caught at

Even short of the active-threat layer, the parties have been catching themselves in WhatsApp embarrassments on a recurring basis. The catches are the surface-visible part of the metadata-leak problem; the metadata leaks no-one catches are the larger part of it.

In Ireland: a Sinn Féin Finglas / Ballymun WhatsApp group was leaked to TheJournal.ie in October 2018, containing derogatory messages about Fine Gael TD Noel Rock and a reference to President Higgins as "the leprechaun." The group was shut down. In March 2023, the Green Party's parliamentary WhatsApp messages were deleted after the party's head of communications criticised TD Neasa Hourigan in a public tweet.

In the United Kingdom: the February 2025 Mail on Sunday leak of the Labour "Trigger Me Timbers" WhatsApp group exposed racist, sexist and homophobic messages, leading to the suspension of MPs Andrew Gwynne and Oliver Ryan and eleven local councillors, including Gwynne's wife. In January 2026, a separate Labour MPs' WhatsApp group urging the government off X was leaked. The Scottish Government banned WhatsApp and other non-corporate messaging for official business in December 2024.

The lesson of these cases is not that the politicians in question said embarrassing things on WhatsApp. The lesson is that they said them where the messages were available to be leaked. Self-hosted comms with proper audit logging and retention policies would also have produced an embarrassment if the messages had been leaked, but the messages would not have been routed through an external US-based corporate platform, would not have been available via legal-process requests to that platform, and would not have been available to any future Mossad / GRU / MSS / commercial-spyware operation that compromised the platform's infrastructure. The leak surface narrows dramatically.

Even sophisticated political operators get the architecture wrong. The 2016 Hillary Clinton private email server case is the textbook example: a senior US politician, with access to the entire US intelligence community's advice, set up a personal email infrastructure that the FBI ultimately characterised as "extremely careless" handling of classified information. The cost was the election. Political parties without expert security advice are even more exposed.

The "conspiracy theory" dismissal is the standard label

When someone raises the structural-security issue inside a political party, the standard dismissal label is "conspiracy theory." This is a documented pattern across multiple cases and multiple decades.

Cambridge Analytica was "conspiracy theory" until 17 March 2018, when Christopher Wylie's revelations were published in The Observer and the New York Times. Carole Cadwalladr's prior Observer reporting, going back to May 2017, had been widely dismissed and met with lawyer threats. After March 2018, Cambridge Analytica became the scandal of the year, and the structural argument Cadwalladr had been making for months was vindicated.

Pegasus was "conspiracy theory" until Citizen Lab and Amnesty International's Security Lab confirmed the operation forensically. NSO Group and its client governments, particularly the Indian government, explicitly framed the allegations as conspiracies involving George Soros, Access Now, Apple and opposition political parties. After the Pegasus Project consortium published in July 2021, the framing flipped. The structural argument was confirmed.

The pattern is uniform. The "this is conspiracy theory" dismissal is the standard mainstream response to anyone raising structural-security concerns before the evidence becomes too explicit to dismiss. Once the evidence becomes too explicit to dismiss, the conversation moves on. The structural-security concerns then get acted on, usually too late and at significant cost. The people who raised the concerns early do not get an apology. The structure that produced the dismissal stays in place, ready to dismiss the next round of concerns with the same label.

Anyone raising secure-comms concerns inside a political party in 2026 is hearing the "conspiracy theory" label applied to a structural risk that has been confirmed forensically, on the public record, in multiple parallel cases for at least eight years. The dismissal is the older script being read aloud. The script does not change because the evidence does.

What serious institutions have already done

The good news is that the fix is not theoretical, expensive or hard. Every serious public-sector and military institution in Europe has already done it. The party leadership rooms appear to be among the last serious-institutional spaces still organising their internal comms on US commercial platforms.

The French state has run Tchap, a Matrix-based secure messenger, since April 2019. By 2026 it has over 300,000 users. In September 2025, the French Prime Minister mandated Tchap use across central government. Tchap is built by the French government's own infrastructure team on the open Matrix protocol.

The German Bundeswehr has run BwMessenger, also Matrix-based, since November 2020. It is certified by the German Federal Office for Information Security (BSI) for handling material classified up to "Restricted" since July 2021. In December 2023, the German government released BundesMessenger as the equivalent for federal, state and local administration. The Bundeswehr's published assessment is that WhatsApp, Signal and Telegram are "completely unsuitable" for the confidentiality requirements of public-sector communications. WhatsApp is not, in Bundeswehr usage, an acceptable platform.

The Belgian government rolled out BEAM, a Matrix-based messenger, in 2025. Luxembourg runs Luxchat. Sweden runs SAFOS Chatt. The French Interministerial Directorate for Digital Affairs (DINUM) joined the Matrix.org Foundation in October 2025. NATO, the European Space Agency and elements of the United Nations have all presented Matrix deployments. The US Air Force runs Mattermost (a related self-hosted alternative). The Swiss Armed Forces recommended Threema (a Swiss commercial alternative) to troops in 2022, citing US CLOUD Act protection. After a Signal phishing wave hit the Bundestag in April 2026, Bundestag president Julia Klöckner urged MPs to adopt Wire (a Swiss commercial alternative).

The list of governments and militaries that have moved off US commercial platforms for internal comms is long and growing. The list of Irish political parties that have done the same is, on public record, zero.

What this actually looks like for a small organisation

The cost of self-hosting Matrix or Rocket.Chat for a typical party-branch-sized organisation of around fifty members is approximately €15 to €50 per month for a virtual private server, plus an initial day of sysadmin time to deploy, plus a monthly upgrade cadence of an hour or two per cycle. The server requirements are modest: a 2-CPU, 4-gigabyte-RAM VPS with PostgreSQL and around 40 gigabytes of storage suffices, with storage growing 20 to 50 gigabytes per year depending on media usage.

A federated architecture for a party with multiple branches puts a homeserver in each branch, federating with a central head-office server. Each branch retains sovereignty over its own data: who is in its groups, what the messages contain, who has access. Cross-branch coordination happens through federated channels visible to the federated members but not to anyone outside. The party at central level can set policy on retention, auditing and encryption defaults without holding the data of every branch. If a branch decides to leave the party, it walks out with its data intact; if a branch's data is subpoenaed, the subpoena is served on the branch's own server, not on a US corporate platform.

This is the architecture the German federal-and-state administration runs across BwMessenger and BundesMessenger. It is the architecture the French state runs across Tchap and its planned regional extensions. It works. It does not require party-level technical staff: it requires a part-time contracted sysadmin or a sufficiently skilled volunteer per branch, plus a central technical lead for the federation policy. Total cost across a party with twenty branches is on the order of a few hundred euros per month for infrastructure, plus the sysadmin time.

For comparison: the same party spends substantially more than that on a single round of branch printing.

They have been screwing their own pooch

The plain reading of this picture is the one the title of this piece carries. Political parties trying to change the political-economy direction set by Big Tech and the broader establishment apparatus have been running their internal organising on the platforms owned by that apparatus. The platforms have the metadata. The platforms can deplatform without process. The platforms are subject to subpoena by friendly and unfriendly state actors. The platforms are routinely compromised by spyware operations that have hit named European parliamentarians, ministerial offices and party headquarters in every direction across the past decade. The fix is documented, cheap, used by every serious European public-sector and military institution, and within the operational capability of any party branch with a contracted sysadmin and a small monthly budget. The parties have not done it.

The cost of not doing it is paid in: leaks (Trigger Me Timbers, Finglas / Ballymun, the Green parliamentary group, the Labour off-X group); metadata exposure to multiple state actors including hostile ones; vulnerability to platform-discretion deplatforming; subpoena exposure under both Irish and US legal process; reliance on a hostile vendor; structural visibility into the party's organising network for anyone who acquires the metadata legally or otherwise; and the operational-trust cost of asking members to share political-affiliation information with a platform owned by a corporation the party is supposed to be contesting.

The cost is being paid every day. The party leaderships hearing the "conspiracy theory" dismissal when members raise the issue inside the branch room are hearing the script that postpones the fix and continues the cost. The "we are not important enough to be a target" line, when offered, ignores that the targeting we know about includes Catalonia (~65 named individuals), the UK PM's office, the German SPD HQ, every IPAC member globally, 43 UK MPs, the PASOK leader, the Polish Civic Coalition's campaign coordinator, the French Macron campaign and the Greek opposition. Ireland is not too small to be a target. It is a NATO-EEZ-adjacent neutral country with strategic infrastructure under documented Russian and Chinese probing, a President whose family was detained in international waters by Israeli forces three weeks ago, a State already cyber-compromised at the public-health-services level once, and a political class that has spent the last two years setting up a defence-of-neutrality fight that touches every adversary capable of running these operations. The targeting capability exists. The targeting interest exists.

The simple test for any party leadership reading this is: ask the IT lead, on a Monday morning, to produce the list of who is in the party's main WhatsApp groups, what the messaging cadence looks like, and which members talk to which other members. The IT lead cannot. Meta can. The fact that Meta can, and the party's IT lead cannot, is the operational summary of the current situation. The party that fixes this is the party that owns its own organising infrastructure. The party that does not fix it is the party that has been organising inside a building it does not own, with the landlord listening.

The fix is not in dispute. The fix is in use across European public-sector organisations every day. The conversation about whether to make the fix is the conversation that needs to happen, in every Irish political party, in plain language, with the "conspiracy theory" dismissal label retired in favour of the structural reading the public record now requires.

They have been screwing their own pooch. The fix is sitting there. Pick it up.


This piece is a structural explainer on political-party comms infrastructure. The writer is a Social Democrats branch member and does not speak for the party. The argument is offered in plain language to a wide readership, in the long-view political-literacy register this site is built around, not as a strategy submission inside any party. The fix described above is available to any political party in Ireland on the same terms.

Source notes. Meta Government Data Requests transparency report, H1 2025 (transparency.meta.com). WhatsApp transparency reports (whatsapp.com/legal/transparencyreports). Snowden disclosures on PRISM (2013), Meta as named PRISM provider since 2008. FISA Section 702 reauthorised April 2024 via RISAA for two years; sunset 20 April 2026; status uncertain at time of writing. EU-US Data Privacy Framework: General Court Latombe challenge dismissed 3 September 2025, appeal to CJEU October 2025. Irish Data Protection Commissioner enforcement: €1.2bn (May 2023, Schrems II derivative), €251m (December 2024, 2018 breach), €91m (September 2024, plaintext passwords). Garda Síochána requests to Meta: 762 between July 2020 and December 2021, with 57-82% compliance rate. Citizen Lab "CatalanGate" April 2022 (~65 Pegasus targets, including Catalan President Aragonès and all five pro-independence MEPs). Citizen Lab UK government targeting April 2022. European Parliament PEGA Committee final report June 2023. Polish Senator Krzysztof Brejza Pegasus targeting 2019 (33 hits). Greek "Predatorgate": February 2026 Athens court convictions of Intellexa-linked figures (Dilian, Hamou, Bitzios, Lavranos), first criminal convictions of spyware-company executives globally. US Treasury sanctions on Intellexa March and September 2024. APT28 / GRU Bundestag 2015 (~16 GB exfiltrated), Macron 2017 hack-and-leak, German SPD HQ December 2022 / January 2023 (German government attribution May 2024). APT31 / Chinese MSS indictment 25 March 2024 (Inter-Parliamentary Alliance on China, 43 UK MPs, UK Electoral Commission 2021-22 breach). HSE Conti ransomware May 2021, $19,999,000 ransom demanded, €102 million final recovery cost. CyberAv3ngers attack on Erris group water scheme December 2023. NCSC 2025 National Cyber Risk Assessment naming Russia and China as active probers of Irish government networks. Russian shadow-fleet vessels mapping Irish cable landing stations: Viktor Leonov April 2025, west-coast convoy April 2026; Tánaiste Harris €60 million sonar acquisition April 2026. Trump deplatforming January 2021 (Twitter, Meta, YouTube), Meta reinstatement February 2023. HRW documentation of 1,050+ pro-Palestinian content removals October-November 2023; The Intercept on Meta Israel policy lead October 2024. Irish Sinn Féin Finglas/Ballymun WhatsApp leak October 2018. Green Party parliamentary WhatsApp deletion March 2023. UK Labour "Trigger Me Timbers" leak February 2025; Labour MPs X-usage WhatsApp leak January 2026; Scottish Government WhatsApp ban December 2024. French Tchap (Matrix-based) 300,000+ users; French Prime Minister mandate September 2025. German Bundeswehr BwMessenger since November 2020, BSI-certified for VS-NfD July 2021; BundesMessenger for federal/state/local administration December 2023. Belgian government BEAM 2025. US Air Force Mattermost. Swiss Armed Forces Threema recommendation 2022. Bundestag Wire recommendation April 2026. Cambridge Analytica revelations March 2018. Pegasus Project consortium July 2021. Companion to Both Halves of the Apparatus, The Standards Were Never Meant to Be Met and The Opening Above Labour.

Overwatch Report is an independent publication. We have no financial positions in any entity mentioned.