Meta is testing new end-to-end encryption (E2EE) features in Facebook Messenger, and not just because someone has heavily chastised the company for not enabling these safeguards by default.
“On Messenger and Instagram, we’re working hard to protect your personal messages and calls with end-to-end encryption by default,” Meta says. “Today, we’re announcing plans to test a new secure storage feature for backups of your end-to-end encrypted Messenger chats, as well as additional updates and tests to deliver the best Messenger and Instagram experience.”
The most notable change is the addition of encrypted backups. Messenger currently stores E2EE messages on a single device and does not allow access to them from another. (At least, theoretically.) This can be inconvenient for people who lose their primary device, but Messenger users would be at risk if the company had backed up the messages without encrypting them.
That is not a theoretical issue. Apple uses E2EE for iMessage, but many users prefer to save their message histories to iCloud. Because the backup isn’t encrypted, even though the messages rely on E2EE in transit, they can be accessed via iCloud. By limiting E2EE messages to a single device, Meta avoids this issue with Messenger.
The company is currently testing what it calls Secure Storage. If people lose access to their device, they will be able to recover their messages using the method of their choice—supplying a PIN or entering a generated code. Meta says that if users prefer, they can back up their E2EE messages to “third-party cloud services.”
“For example, you can use iCloud to store a secret key that allows access to your backups on iOS devices,” Meta explains. “While this method of key protection is safe, it is not protected by Messenger’s end-to-end encryption.” (This is effectively the company’s way of saying that it is not liable if otherwise secure Messenger chats are accessed through iCloud.)
This week, Meta will begin testing Secure Storage on Android and iOS. However, the feature is not available through Messenger’s website, desktop apps, or for “chats that are not end-to-end encrypted.”
The company will also “begin testing the ability to unsend messages, reply to Facebook Stories, and offer other ways to access your end-to-end encrypted messages and calls”; test an extension called Code Verify on Messenger’s website that “automatically verifies the authenticity of the code”; and make E2EE messages available to more Instagram users.
The most important test, however, will be making E2EE the default for some Messenger users rather than requiring people to enable these protections chat by chat. Meta adds:
“This week, we’ll begin testing default end-to-end encrypted chats between some people. If you’re in the test group, some of your most frequent chats may be automatically end-to-end encrypted, which means you won’t have to opt into the feature. You’ll still have access to your message history, but any new messages or calls with that person will be end-to-end encrypted. You can still report messages to us if you think they violate our policies, and we’ll review them and take action as necessary.”
The best way to encourage people to protect themselves is to make the most secure option the default. This is especially important in a post-Roe country where law enforcement can use, and has used, message histories to build cases against people who have had or sought abortions. (Meta tells Wired that these concerns did not prompt the rollout.)
“We will continue to provide updates as we move toward the global rollout of default end-to-end encryption for personal messages and calls in 2023,” says Meta.