Facebook missed a big opportunity with end-to-end encryption in Messenger

After testing the feature on a small set of users since July, Facebook has now enabled end-to-end encryption for all Messenger users. 

The way it’s implemented, though, not many of those users will care. 

First, a word on end-to-end encryption. Despite Facebook’s claims that your chats on Messenger are pretty secure even without it, end-to-end encryption is what you want. The presence of the feature means it’s very hard for your messages to be intercepted and read by a third party, be it a malicious hacker, internet provider or a government organization snooping around (and there’s good reason to believe they are). With end-to-end encryption, the content is encrypted on your device, delivered to the recipient’s device and decrypted there — and vice versa. 

In practice, it means that even if the police ask Facebook to hand over the contents of your chat, the company can’t do it; it simply cannot decrypt the data.

It’s not just the what, it’s the how

It’s a good thing that Facebook is adding this feature to Messenger. The problem is in the way it’s implemented. 

The feature is not advertised anywhere. In fact, at the time of this writing, Facebook hasn’t publicly announced it at all, except in July, when it said the feature had entered a testing phase; the company merely told Wired that the feature is now available to all users. And even after you update your Messenger to the newest version, you won’t get any sort of pop-up or message telling you there’s an important new feature there. If you haven’t read about it in the media, you likely won’t even know it’s there.

And then there are all the limitations, which will surely put off potential users. Videos and GIFs aren’t supported. Group chats aren’t supported, either. Other platforms aren’t supported — for example, you can’t send a self-destructing message on your web-based Messenger, only on an iPhone or an Android phone. 

Right off the bat, you're warned about one limitation in Facebook's Secret Conversations. There are more.

Image: Stan Schroeder/Mashable

And even when you choose to encrypt a conversation, you have to do it for each individual chat; you need to tap on a nondescript “i” menu item (I’ll bet you never used it before), and then choose “Secret Conversation” to start an end-to-end encrypted chat. There’s another way to do it: Hit the big “+” in the lower-right corner when you start Messenger. Choose “Write Message,” tap on the tiny lock in the upper right corner, then choose a name from the list below. Are you going to remember to do that every time you start a new chat? I won’t. 

Some of these missing features may have been tough to implement; I can see how making the Secret Conversation mode seamlessly work with older messages might be challenging. And Facebook is constantly enhancing the Messenger experience with new features that may be hard to encrypt — chatbots, games and apps come to mind — which in turn makes it hard for Facebook to make end-to-end encryption the default. 

But if a user wants to switch encryption on for Messenger (and perhaps forgo some of those advanced features), there should be a simpler way to do it.

Yes, it can be done

Want to see how it’s done? Install Signal (which, by the way, is built by the folks who built the security protocols used in Messenger’s Secret Conversations) on your phone. After the initial set-up process, everything is end-to-end encrypted. Send a video or a photo, start a group chat — it’s all encrypted. If you really want to send a message via SMS — which is horribly insecure — you can hold the “send message” icon to choose that option. 

That’s the way things should be, not the other way around. End-to-end encryption should be easy to turn on for all your chats, and it should be opt-out, not opt-in. Yes, tech-savvy folks will know to turn the feature on, but let’s face it — folks who care about security likely won’t use Messenger for sharing any sensitive information in the first place. This feature should be for the rest of the user base, for all those users (and that’s the vast majority) who don’t even know (or care) what end-to-end encryption is. It should just work.  

Google’s recently launched Allo received a fair amount of flak when it launched with encryption opt-in, instead of opt-out. The fact that a feature is there is not enough, many have claimed, including NSA whistleblower Edward Snowden. 

Perhaps Facebook’s implementation of end-to-end Messenger encryption is just a first step; it’s certainly possible that the company plans to improve it down the road. I’ve asked Facebook whether that’s the case, but the company merely pointed me to its July posts about the feature being tested. 

As is, most people won’t bother with a setting that needs to be turned on for each conversation and cripples their Messenger, removing the ability to send videos and GIFs. It’s a pity, because Messenger’s 900+ million users would seriously benefit from it.  
