Why it’s taking so long to encrypt Facebook Messenger

Why it’s taking so long to encrypt Facebook Messenger

After a high-profile incident in which cited Facebook messages led to felony charges for a 17-year-old girl and her mother in a Nebraska abortion case, Meta said Thursday that it would expand encryption testing of end-to-end in Messenger later. of a planned global deployment.

This week, the company will begin automatically adding end-to-end encryption to Messenger chats for more people. In the coming weeks, the number of people who can start using end-to-end encryption in Instagram direct messages will also increase.

Meanwhile, the company has started testing a feature called “secure storage” that will allow users to restore their chat history when they install Messenger on a new device. Backups can be locked with a PIN, and the feature is designed to prevent the company or anyone else from reading your content.

The global launch is expected to be completed next year.

target said cabling that he had long planned to make these announcements, and that the fact that they came so soon after the abortion case came to light was a coincidence. However, I am less interested in the timing than in the practical challenges of making encrypted messaging the default for hundreds of millions of people. In recent conversations with Meta employees, I’ve come to understand more about what’s taking so long and how consumer apathy toward encryption has created challenges for the company as it works to create a secure messaging app that its customer base users will actually use.

It’s been three years since Mark Zuckerberg announced, amid a steady shift from public sources to private chats, that the company’s future products would include encryption and privacy. At that time, WhatsApp was already end-to-end encrypted; the next step was to bring the same level of protection to Messenger and Instagram. Doing so required apps to be rebuilt almost from scratch, and teams have run into a number of hurdles along the way.

The first is that end-to-end encryption can be tricky to use. This is often the tradeoff we make for more security, of course. But average people may be less inclined to use a messaging app that requires them to set a PIN to restore old messages, or displays information about their message security that they find confusing or off-putting.

The second related challenge is that most people don’t know what end-to-end encryption is. Or, if they’ve heard of it, they may not be able to tell it apart from other, less secure forms of encryption. Gmail, among many other platforms, encrypts messages only when a message is in transit between Google’s servers and your device. This is known as transport layer security and offers good protection to most users, but Google, or law enforcement, can still read the content of your messages.

Meta user research has shown that people worry when you tell them you’re adding end-to-end encryption, one employee told me, because they’re scared that the company has been reading their messages earlier. Users also sometimes assume that new features are added for Meta’s benefit, rather than their own; That’s one of the reasons the company labeled the stored messages feature “secure storage,” rather than “automatic backup,” to emphasize brand security.

When the company surveyed users earlier this year, only a minority identified themselves as having significant privacy concerns, they told me.

I wrote on Tuesday that companies like Meta should consider going beyond end-to-end encryption to make messages disappear by default. An employee told me this week that the company had considered doing so, but to date usage of the feature in Messenger, where it’s available as an option, has been so low that making it the default has generated little enthusiasm internally.

I’m told that, by contrast, access to old messages is a high priority for many Messenger users. Messing with that too much could send users looking for communication apps like the ones they’re used to, the kind that keep their chat history stored on a server, where law enforcement can request and read it.

A third challenge is that end-to-end encryption can be difficult to maintain even within Facebook, they told me. Messenger is built into the product in ways that can break encryption: Watch Together, for example, allows people to message each other while watching live video. But that inserts a third person into the chat, making encryption much more difficult.

There is more. Encryption won’t work unless everyone is using an updated version of Messenger; a lot of people don’t update their apps. It’s also hard to pack encryption into a sister app like Messenger Lite, which is designed to have a small file size so it can be used by users with older phones or limited data access. End-to-end encryption technology takes up many megabytes.

I mention all this so as not to excuse Meta for not implementing end-to-end encryption until now. The company has been working on the project steadily for three years, and while I wish it could move faster, I understand some of the concerns that employees have raised with me in recent days.

At the same time, I think Meta’s challenges in bringing encryption to the masses in its messaging app raise real questions about the appetite for security in these products. Activists and journalists take it for granted that they should already be using encrypted messaging apps, ideally one without server-side message storage, like Signal.

But Meta’s research shows that average people still haven’t gotten the, well, message. And it’s an open question how the events of 2022, as well as what awaits us in the years to come, can change that.

(Employees told me that Meta’s push to add encryption increased after the invasion of Ukraine earlier this year, when stories about Russian military personnel searching captives’ phones drew attention to the dangers of messaging.) permanently stored and easily accessible).

Despite all the attention the Nebraska case received, it had almost nothing to do with the annulment of Roe vs. Wade: Nebraska already banned abortion after 20 weeks, and the medical abortion at the center of this case, which took place at 28 weeks, would have been illegal under state law even if there had been Roe been confirmed.

Yes, Meta delivered the messages of the suspects when they were summoned, but it is not surprising: the company received 214,777 requests in the second half of last year, some 364,642 different accounts; produced at least some data 72.8 percent of the time. Facebook’s cooperation with law enforcement is the rule, not the exception.

In another sense, however, this has much to do with Roe. Untold numbers of women will now seek out-of-state abortion services, possibly violating state law to do so, and will need to communicate with their partners, family and friends. The coming months and years will bring many more stories like the Kansas case, drawing more and more attention to how useful technology platforms are to law enforcement in collecting evidence.

It is possible that the general apathy towards encryption of most Facebook users will survive the coming storm of privacy invasions. But it seems much more likely to me that the culture will change to require companies to collect and store less data, and do a better job of educating people on how to use their products safely.

If there’s one silver lining to all of this, it’s that the rise in abortion prosecutions could create a new mass constituency organized to defend encryption. From India to the European Union to the United States, lawmakers and regulators have been working to undermine secure messaging for many years. To date, it has been preserved thanks in part to a loose coalition of activists, academics, civil society groups, tech platforms, and journalists: in short, some of the people who trust it most.

But with Roe revoked, the number of people for whom encrypted messaging is now a necessity has grown noticeably. A cultural shift toward encryption could help preserve and expand access to secure messaging, both in the United States and around the world.

That change will take time. But there is a lot that technology platforms can do now, and we hope they will.

Leave a Comment

Your email address will not be published.