Why it takes so long to encrypt Facebook Messenger

After a high-profile incident in which subpoenaed Facebook posts led to felony charges for a 17-year-old girl and her mother in a Nebraska abortion case, Meta said Thursday he would expand testing end-to-end encryption in Messenger. of a planned global deployment.

This week, the company will automatically start adding end-to-end encryption in Messenger chats for more people. In the coming weeks, it will also increase the number of people who can start using end-to-end encryption of direct messages on Instagram.

Meanwhile, the company has started testing a feature called “secure storage” that will allow users to restore their chat history when they install Messenger on a new device. Backups can be locked with a PIN, and the feature is designed to prevent the company or anyone else from being able to read their content.

The global rollout is expected to be completed next year.

Meta said Wired that he had long planned to make these announcements, and that the fact that they came so soon after the abortion story came to light was coincidental. I’m less interested in the timing, however, than in the practical challenges of making encrypted messaging the default for hundreds of millions of people. In recent conversations with Meta employees, I have come to better understand what is taking so long – and how consumer apathy towards encryption has created challenges for the company as it works to create a secure messaging app that its user base will actually use.

It’s been three years since Mark Zuckerberg announced, amid a continued shift from public streams to private chats, that in the future the company’s products would encompass encryption and privacy. At the time, WhatsApp was already end-to-end encrypted; the next step was to bring the same level of protection to Messenger and Instagram. To do this, apps had to be rebuilt almost from scratch – and teams encountered a number of hurdles along the way.

The first is that end-to-end encryption can be a pain to use. This is often the trade-off we make in exchange for more security, of course. But average people may be less inclined to use a messaging app that requires them to set a PIN to restore old messages, or displays information about their message security that they find confusing or off-putting.

The second related challenge is that most people don’t know what end-to-end encryption is. Or, if they hear about it, they might not be able to tell it apart from other, less secure forms of encryption. Gmail, among many other platforms, encrypts messages only while a message is in transit between Google’s servers and your device. This is known as transport layer security and provides most users with good protection, but Google – or law enforcement – can still read the content of your messages.

Meta user research has shown that people worry when you tell them you’re adding end-to-end encryption, one employee told me, because it scares them that the company might have read their messages. previously. Users also sometimes assume that new features are added for Meta’s benefit, rather than theirs – this is one of the reasons the company referred to the stored message feature as “secure storage” rather than “automatic backups”, in order to emphasize brand safety.

When their company surveyed users earlier this year, only a minority identified as being very concerned about their privacy, I was told.

On Tuesday, I wrote that companies like Meta should consider moving beyond end-to-end encryption to make messages disappear by default. An employee told me this week that the company had considered doing this, but usage of the feature in Messenger to date – where it’s available as an option – has been so low that making a default has generated little enthusiasm internally.

On the contrary, I am told, access to old messages is a priority for many Messenger users. Playing with it too much could lead users to rush to communication apps like the ones they’re used to – the kind that keep your chat history stored on a server, where law enforcement may be able to request it. and read it.

A third challenge is that end-to-end encryption can be difficult to maintain even within Facebook, I’m told. Messenger is built into the product in a way that can break encryption – Watch Together, for example, lets people message each other while watching live video. But this inserts a third person into the chat, which makes encryption much more difficult.

There is more. Encryption will only work if everyone is using an up-to-date version of Messenger; many people don’t update their apps. It’s also difficult to build encryption into a sister app like Messenger Lite, which is designed to have a small file size so it can be used by users with older phones or limited data access. End-to-end encryption technology takes a lot of megabytes.

I bring all this up not to excuse Meta for not deploying end-to-end encryption thus far. The company has been working steadily on the project for three years, and while I wish it had moved faster, I appreciate some of the concerns that employees have brought to my attention over the past few days.

At the same time, I think Meta’s challenges in bringing encryption to the masses in its messaging app raises real questions about the security appetite of these products. Activists and journalists take it for granted that they should already be using encrypted messaging apps, ideally one without server-side message storage, like Signal.

But Meta research shows that average people still haven’t gotten the message — well, the message. And it’s an open question how the events of 2022, as well as everything that lies ahead in the next few years, might change that.

(Employees told me that Meta’s push to add encryption accelerated after the invasion of Ukraine earlier this year, when stories of Russian servicemen searching captives’ phones caught the eye. on the dangers of permanently stored and easily accessible messages.)

For all the attention the Nebraska affair garnered, it had almost nothing to do with the overthrow of Roe vs. Wade: Nebraska has already banned abortion after 20 weeks, and the medical abortion at the heart of this case – which took place at 28 weeks – would have been illegal under state law even if roe deer been confirmed.

Yes, Meta delivered the suspects’ messages after being subpoenaed, but that’s not surprising either: the company received 214,777 requests in the second half of last year, or about 364,642 accounts. different ; it produced at least some data 72.8% of the time. Facebook cooperating with law enforcement is the rule, not the exception.

In another way, however, it has everything to do with roe deer. Countless women will now seek out-of-state abortion care, perhaps breaking state law to do so, and they will need to talk about it with their partners, family, and friends. The coming months and years will bring many more stories like the Kansas case, each time bringing new attention to the usefulness of technology platforms for law enforcement in gathering evidence.

It’s possible that the general apathy toward encryption among most Facebook users will survive the next storm of privacy breaches. But it seems to me much more likely that the culture will shift to demand that companies collect and store less data and do a better job of educating people on how to use their products safely.

If there’s a silver lining in all of this, it’s that increased criminal prosecutions for abortion could create a massive new constituency organized to defend encryption. From India to the European Union to the United States, lawmakers and regulators have worked for many years to undermine secure messaging. To this day, it has been preserved in part thanks to a loose coalition of activists, academics, civil society groups, tech platforms and journalists: in short, some of the people who depend on it the most.

But with roe deer reversed, the number of people for whom encrypted messaging is now a necessity has increased dramatically. A cultural shift toward encryption could help preserve and expand access to secure messaging, both in the United States and around the world.

This change will take time. But technology platforms can do a lot of things now, and we hope they will.

Leave a Reply

Your email address will not be published. Required fields are marked *