[jmilum]

it use the public key of the other user, not whatsapp. in effect, whatsapp is just acting as a key server. now they could have that users private key, but that's another matter

[sickbeard]

So in theory they could help by intercepting these keys and handing them to authorities without actually decryption the data themselves

[jmilum]

the client generates a public/private key pair and only sends the public one to the whatsapp server. the server should never be able to access the private key. but unless the source of the client is available for review, who knows?