Why it’s taking so long to encrypt Facebook Messenger

Illustration by Alex Castro / The Verge

After a high-profile incident in which subpoenaed Facebook messages led to felony charges for a 17-year-old girl and her mother in a Nebraska abortion case, Meta said Thursday that it would expand testing of end-to-end encryption.

End-to-end encryption will be added to Messenger chats this week. It will increase the number of people who will be able to use end-to-end encryption on direct messages.

Messenger is testing a feature that will allow users to restore their chat history when they install the app on a new device. The feature prevents the company or anyone else from being able to read the contents of the backups.

Next year is when the global roll out is expected to be finished.

The fact that they came so soon after the abortion case came to light was a coincidence according to Meta. The challenges of making the default for hundreds of millions of people is more important than the timing. In recent conversations with Meta employees, I have come to understand that consumer apathy towards encryption has created challenges for the company as it works to create a secure messaging app that its users will actually use.

Three years have passed since Mark Zuckerberg announced that the company's products would embrace privacy and security. The next step was to bring the same level of protection to Messenger and the other social networks. Teams have encountered a number of obstacles along the way, due to the fact that the apps need to be rebuilt almost from scratch.

End-to-end encryption can be difficult to use. We make tradeoffs in order to get more security. People may be less inclined to use a messaging app that requires them to set a PIN to restore old messages or displays information about the security of their messages that they find confusing or off-putting.

Most people don't know what end-to-end encryption is. If they hear of it, they might not be able to tell the difference between it and other forms of encryption. When a message is in transit between your device and the server, you can use Gmail to protect your data. It's known as transport layer security and it offers good protection, but it doesn't mean that law enforcement can't see your messages.

One employee told me that Meta user research showed that people were concerned when they were told they were adding end-to-end encryption. One reason the company labeled stored-message feature "secure storage" rather than "automatic backups" was to emphasize security in the branding.

I'm told that only a minority of users were concerned about their privacy.

I wrote on Tuesday that Meta should consider going beyond end-to-end encryption to make messages disappear by default. One employee told me this week that the company has considered doing so, but usage of the feature in Messenger to date has been so low that making it a default has generated little enthusiasm inside.

Access to old messages is a priority for many Messenger users. Messing with that too much could cause users to scramble for communications apps like the ones they are used to, where law enforcement may be able to request and read your chat history.

The third challenge is that end-to-end encryption can be difficult to maintain. Messenger is integrated into the product so that it can be used to break ciphers. Adding a third person to the chat makes it much more difficult to cipher.

There's more to come. It won't work unless everyone uses an up-to-date version of Messenger. Messenger lite is designed to have a small file size so it can be used by users with older phones. It takes up a lot of space.

I don't excuse Meta for not rolling out end-to-end encryption up to now. The company has been working on the project for three years and I am sympathetic to some of the employees concerns.

There are real questions about the appetite for security in these products as a result of the challenges Meta has brought to the table. Activists and journalists take it for granted that they should be using a messaging app that doesn't store messages on a server.

Meta's research shows that the average person still hasn't gotten the message. It is an open question how the events of 2022, as well as whatever we are in for in the next few years, will affect that.

When stories about Russian military personnel searching captives' phones drew attention to the dangers of permanently stored, easily accessible messages, Meta pushed to add encryption.

The medical abortion at the center of the Nebraska case would have been illegal under state law if it had taken place after 20 weeks.

In the second half of last year, the company got more than 200,000 requests and produced at least some data for at least 70% of them. It's not the exception that Facebook cooperates with law enforcement.

This has a lot to do with the woman. Women will need to tell their partners, family, and friends if they are going to go out of state to get an abortion. The coming months and years will bring more stories like the Kansas case, which will draw attention to how useful tech platforms are to law enforcement in gathering evidence.

It is possible that most Facebook users will not be affected by the invasion of privacy. The culture will shift to demand that companies do a better job of educating people about how to use their products safely.

If there is a silver lining in this, it is that the rise in criminal prosecutions for abortion could create a huge new group of people who want to defend the internet. Lawmakers and regulators have been trying to undermine secure messages for a long time. Thanks to a loose coalition of activists, academics, civil society groups, tech platforms, and journalists, it has been preserved.

The number of people who need to communicate with each other in speachable ways has grown considerably. The United States and around the world could benefit from a cultural shift towards encryption.

It will take a while. Tech platforms can do a lot, and here we hope they will.