Getty Images | Chesnot
Meta has started enabling end-to-end encryption (E2EE) by default for chats and calls on Messenger and Facebook despite protests from the FBI and other law enforcement agencies that oppose the widespread use of encryption technology. “Today I’m delighted to announce that we are rolling out default end-to-end encryption for personal messages and calls on Messenger and Facebook,” Meta VP of Messenger Loredana Crisan wrote yesterday.
In April, a consortium of 15 law enforcement agencies from around the world, including the FBI and ICE Homeland Security Investigations, urged Meta to cancel its plan to expand the use of end-to-end encryption. The consortium complained that terrorists, sex traffickers, child abusers, and other criminals will use encrypted messages to evade law enforcement.
Meta held firm, telling Ars in April that “we don’t think people want us reading their private messages” and that the plan to make end-to-end encryption the default in Facebook Messenger would be completed before the end of 2023. Meta also plans default end-to-end encryption for Instagram messages but has previously said that may not happen this year.
CEO Mark Zuckerberg said in 2019 that the company planned to “implement end-to-end encryption across all of our messaging services.” The Meta-owned WhatsApp already had end-to-end encryption enabled by default, and users could enable the security technology on Messenger.
Meta said it is using “the Signal Protocol, and our own novel Labyrinth Protocol,” and the company published two technical papers that describe its implementation. “Since 2016, Messenger has had the option for people to turn on end-to-end encryption, but we’re now changing personal chats and calls across Messenger to be end-to-end encrypted by default. This has taken years to deliver because we’ve taken our time to get this right,” Crisan wrote yesterday.
Rollout will take months
Meta said it will take months to implement across its entire user base. Meta also previously implemented E2EE on millions of accounts while testing the feature.
“Because we have over a billion users, not everyone will get default end-to-end encryption right away. It will take a number of months to complete the global roll-out. When your chats are upgraded, you will be prompted to set up a recovery method, such as a PIN, so you can restore your messages if you lose, change, or add a device,” Crisan wrote.
With end-to-end encryption enabled by default, Meta says it won’t be possible for the company to read users’ messages. However, users can report messages to the company. A Messenger help page says that when a user “report[s] an end-to-end encrypted conversation, recent messages from that conversation will be decrypted and sent securely from your device to our Help Team for review.”
“The extra layer of security provided by end-to-end encryption means that the content of your messages and calls with friends and family are protected from the moment they leave your device to the moment they reach the receiver’s device. This means that nobody, including Meta, can see what’s sent or said, unless you choose to report a message to us,” Crisan wrote.
The Electronic Frontier Foundation applauded the rollout, but noted some limitations. “For now this change will only apply to one-to-one chats and voice calls, and will be rolled out to all users over the next few months, with default encryption of group messages and Instagram messages to come later. Regardless, this rollout is a huge win for user privacy across the world,” the EFF said.
Encryption keys remain “under the user’s control”
A post written by two Meta software engineers said the company “designed a server-based solution where encrypted messages can be stored on Meta’s servers while only being readable using encryption keys under the user’s control.” The Meta engineers described the challenges of implementing the server-based approach.
“Product features in an E2EE setting typically need to be designed to function in a device-to-device manner, without ever relying on a third party having access to message content,” they wrote. “This was a significant effort for Messenger, as much of its functionality has historically relied on server-side processing, with certain features difficult or impossible to exactly match with message content being limited to the devices.”
The company says it had “to redesign the entire system so that it would work without Meta’s servers seeing the message content.”
Meta is also adding new chat features. “End-to-end encrypted conversations offer additional functionality including the ability to edit messages, higher media quality, and disappearing messages,” the company said. Messages can be edited for up to 15 minutes after they are sent, but users “can still report abuse in an edited message and Meta will be able to see the previous versions of the edited message.”
Disappearing messages, which are deleted after a set amount of time, can be enabled when you start an end-to-end encrypted chat. “Disappearing messages on Messenger are only available for end-to-end encrypted conversations, but you can still report disappearing messages if you receive something inappropriate, and we’ll notify you if we detect that someone screenshots a disappearing message,” Crisan wrote.
Source link
