Facebook to delay full E2EE rollout until ‘sometime in 2023’

Antigone Davis, Meta's global head of safety, wrote an op-ed in the British newspaper the Telegraph this weekend, stating that the company formerly known as Facebook is delaying a rollout of end-to-end encryption across all its services until at least 2023.

Most of the tech giant's services do not ensure that only the user holds keys for decrypting messaging data. Those services can be subpoenaed or hit with a warrant to give messaging data to public authorities.

In the wake of the Cambridge Analytica data misuse scandal, founder Mark Zuckerberg announced the company would work towards universally implementing end-to-end encryption across all its services.

Earlier this year, Facebook suggested that it would complete the rollout in 2022.

The tech giant says it won't get this done until the following year. It sounds like a can being kicked.

Davis said that the social media giant wanted to take time to make sure it could implement the technology safely and that it could give information to law enforcement to assist in child safety investigations.

There is an ongoing debate about how tech companies can continue to combat abuse and support the vital work of law enforcement if they can't access your messages. She writes that they are building strong safety measures into their plans and engaging with privacy and safety experts, civil society and governments to make sure they get this right.

Western governments, including the UK's, have been leaning hard on Facebook to delay or abandon its plan to blanket services in the strongest level of encryption altogether, ever since it made the public announcement of its intention to 'e2ee all the things' over two years ago.

The UK has been an especially vocal critic of Facebook on this front, with Home Secretary Priti Patel warning Facebook that its plan to expand e2ee would hamper efforts to combat online child abuse.

Meta's op-ed appeared in the favored newspaper of the British government.

Davis writes in the Telegraph that end-to-end encryption will be used to keep users safe while assisting public safety efforts.

She suggests that Meta/Facebook has reviewed a number of historic cases and concluded that it would still have been able to provide critical information to the authorities.

Even if all comms on its services were end-to-end secure, how would Facebook be able to pass data on users?

Users are not aware of how Facebook/Meta joins the dots of their activity across its social empire; for example, it does not extend to the messaging/comms content that is covered by e2ee.

The tech giant also links accounts and account activity across its social media empire, following a controversial privacy U-turn back in 2016. If a user has an account on Facebook, they can be linked to the more formal form of socializing that typifies activity on the app.

Facebook can use its vast scale to flesh out a user's social graph and interests based on things like who they are talking to, who they are connected to, and what they've liked and done across all of its services.

As we roll out end-to-end encryption we will use a combination of non-encrypted data across our apps, account information and reports from users to keep them safe in a privacy-protected way while assisting public safety efforts. We can make vital reports to child safety authorities from this kind of work.

The European Union fined Facebook a large amount for failing to properly inform users about what it was doing with their data, including how it passes information between the two.

Facebook has not made any changes to how it processes user data despite announcing a change to the privacy policy for users in Europe.

Last month, Facebook whistleblower Frances Haugen raised concerns over the tech giant's application of the technology, arguing that since it's a proprietary implementation, users must take Facebook's security claims on trust.

She said that she was concerned about the expansion of e2ee because she had no idea what Facebook was going to do.

The UK parliament was warned that they don't know what it means, and if people's privacy is actually protected. There is no directory where you can find 14 year olds on the open source end-to-end encryption product that I use. It is easy to access vulnerable populations on Facebook and there are national state actors doing this.

She supports open source implementations of security technology where external experts can robustly question code and claims.

In the case of Facebook, where the implementation of e2ee is not open to anyone to verify, she suggested that regulatory oversight is needed to avoid the risk of the tech giant making misleading claims about how much privacy is available to users.

Facebook's e2e encryption raises trust and security questions.

The op-ed is intended to soothe UK policymakers that they can have their cake and eat it, and that Meta will continue engaging with outside experts and developing effective solutions to combat abuse.

We don't plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023, says Davis, finishing with another detail-light soundbite.

The UK government will surely be delighted with the line-toeing quality of Facebook's latest public missives on a very tricky topic, but its announcement that it's delaying e2ee in order to "get this right" is only one example.

Meta will be watched by the wider community of digital rights advocates and security experts.

The UK government recently spent almost half a million of taxpayers' money on five projects to develop scanning/filtering technologies that could be applied to e2ee services to detect, report or block the creation of child sexual abuse material.

The UK is legislating in the Online Safety Bill to push platforms to implement spyware that allows encrypted content to be scanned on users' devices regardless of any other restrictions.

Whether such baked-in scanner systems essentially sum to a back door in the security of robust encryption will surely be a topic of close scrutiny and debate in the months and years ahead.

Apple proposed to add a CSAM detection system to its mobile OS, which was supposed to detect content on a user's device before it was uploaded to its iCloud storage service.

Apple claimed it had developed technology that could balance strong child safety and user privacy.

After a storm of concern from privacy and security experts, as well as those warning that such systems, once established, would inexorably face 'feature creep', Apple backed down.

It is not clear when the on-device scanner might be revived.

While the iPhone maker has built a reputation for being a privacy-focused company, Facebook has a reputation for being a profit-driven business. The founder of the social media giant has presided over a string of scandals attached to systematically privacy-hostile decisions, so it would be foolish to expect Facebook to hold the line in the face of political pressure to bake spyware into its products.

Its recent corporate change to Meta looks a lot more superficial than that.
