Meta has announced the introduction of end-to-end encryption on the Facebook website, and the Messenger app to enhance the privacy of user communication for one-to-one messages and voice calls across its platforms.
End-to-end encryption (E2EE) is a secure communication method that involves encrypting data on the sender’s system/device to make it unreadable to anyone intercepting it, including the service provider, reserving the ability to decrypt it only for the recipient, who holds a valid key. E2EE is used in instant messaging apps, secure email services, and social media platforms to protect user communications and instill trust.
E2EE on Messenger
End-to-end encryption was already available on Messenger, known as “Secret Conversations,” but Meta’s latest iteration, which is based on the open-source Signal protocol and a new “Labyrinth” protocol, has been optimized for use by a much wider userbase. Also, the feature was previously opt-in, whereas now it will be the default mode for all users.
The extra layer of security provided by end-to-end encryption means that the content of your messages and calls with friends and family are protected from the moment they leave your device to the moment they reach the receiver’s device. This means that nobody, including Meta, can see what’s sent or said, unless you choose to report a message to us.Meta
Meta explained that in order to maintain inter-device compatibility and the minimalist character of the Messenger client’s operation, communication data will still be stored on the company’s servers, but will be encrypted and unreadable. The clients will keep the private decrypting keys on the device, so the fetched data will only be readable locally.
Support of E2EE for group chats isn’t there yet, but Meta stated that this is currently being tested, so it should be ready sometime next year.
E2EE on Facebook
On Facebook, the E2EE mechanism that handles the generation of encryption and decryption keys, the key exchange, and the authentication of the conversation partners is included in the website code served to the user’s browser.
Meta says that to provide better confidence in what happens under the hood, it has added support for the Facebook website on the Code Verify extension. Code Verify compares the cryptographic hash of the loaded code with the expected hash provided by Meta to ensure there have been no alterations in the code, and hence, the E2EE mechanism can be trusted.
We should clarify that using Code Verify isn’t required to reap the benefits of secure communications on Facebook, as this is only a code verification tool. The massive Facebook user base communicating on the social media platform does not have to take additional action to enable E2EE.
Not everyone’s happy
The Electronic Frontier Foundation (EFF), a non-profit organization dedicated to digital freedom and data privacy, has applauded Meta’s move to “bring strong encryption to over one billion people, protecting them from dragnet surveillance of the contents of their Facebook messages.”
However, the organization noted that concerns remain around how data backups are handled and what metadata is still exchanged between clients and Meta’s servers. Specifically, EFF has some objections around the encrypted backups controlled by the Labyrinth protocol and the prioritization of usability over security. The organization urges users to disable offline backups if possible and give up data recovery across multiple devices.
Even greater objections came from the UK’s National Crime Agency (NCA), which called Meta’s decision to roll out end-to-end encryption on Facebook and Messenger “hugely disappointing.” Specifically, the NCA says this development hinders their ability to “protect children from sexual abuse and exploitation.”
NCA mentions that Meta has a plan to continue aiding its law enforcement work by feeding it with large volumes of communication metadata, which confirms EFF’s fears. However, the agency believes that this alternative identification system will not be enough to stop child abusers on the platform, saying that metadata “will rarely, if ever, produce sufficient evidence for a search warrant.”