Meta Set to Enable Default End-to-End Encryption on Messenger by Year End
24.8.23 Security The Hacker News
Meta has once again reaffirmed its plans to roll out support for end-to-end encryption (E2EE) by default for one-to-one friends and family chats on Messenger by the end of the year.
As part of that effort, the social media giant said it's upgrading "millions more people's chats" effective August 22, 2023, exactly seven months after it started gradually expanding the feature to more users in January 2023.
The changes are part of CEO Mark Zuckerberg's "privacy-focused vision for social networking" that was announced in 2019, although it has since encountered significant technical challenges, causing it to delay its plans by a year.
"Like many messaging services, Messenger and Instagram DMs were originally designed to function via servers," Timothy Buck, product manager for Messenger, said. "Meta's servers act as the gateway between the message sender and receiver, what we call the clients."
However, the addition of an encryption layer meant that the entire system had to be redesigned such that the servers could not process or validate the message content and, at the same time, ensure the timely delivery of the messages.
The Menlo Park-based company said it set up a new infrastructure of Hardware Security Modules (HSM) to maintain E2EE and allow users to access their message history through protections such as a PIN.
Meta further noted that it rebuilt over 100 features in Messenger, including sharing links to external sites like YouTube, without breaking encryption safeguards.
Unlike in the pre-E2EE scenario, where the server would go and retrieve information directly from YouTube and display to the user an image of the video as a preview, the Messenger app now fetches this information from the service and generates a preview, which is then encrypted as a whole and sent to the recipient.
While law enforcement agencies have sought to push back on platforms enabling encrypted messages by default since it creates new hurdles for obtaining evidence of criminal activity, E2EE is seen as a crucial deterrent against unwanted leaks or spying on personal communications.
"As we continue to increase the scale of our tests, and prepare to roll out the upgraded service, people will need to update their app to a recent build to access default E2EE," Buck said. "This is why it will take longer than we first anticipated to transition all messages to E2EE."