FB Messenger has encryption

‘We care about your privacy’

Lizard CEO cares about your privacy

This was something I didn’t expect to arise: Facebook Messenger now has end-to-end encryption (E2EE). I am admittedly many months late to cover this news, but nevertheless it is a good one to discuss. In theory, Messenger adopting E2EE is a benefit for its 1B+ users. In practice, it probably isn’t as great as it sounds.

What is E2EE?

Say you are messaging someone through SMS, an old protocol. SMS sends data in plain text, which means that anyone can read that data if they intercept it. This is obviously a pretty bad security and privacy problem; you don’t want outsiders to peer into your personal communications. That outsider can be anyone: malicious individuals, the telecom companies, or government agencies.

E2EE fixes this security hole by encrypting the data while in transit. Think of data being sent inside a locked box, and only you and the recipient have the keys. If anyone intercepts the data, it’s very unlikely they’ll be able to decrypt it; they would see scrambled gibberish. Someone can try to decrypt the data by brute force, but this is time-consuming and is almost certainly not possible in real time. The interceptor can get metadata, such as who the recipient and sender are and when the message was sent, but not the message itself.

So the purpose of E2EE is to protect data flowing between you and intended recipients. Only the people involved should be able to access the data during transit, not even the servers that the data passes through. E2EE isn’t a perfect solution, of course: once that data is decrypted on your machine or a recipient’s, it’s vulnerable again. It’s your responsibility to protect the decrypted data once you receive it.
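
The locked-box model above, as an added example using Node's built-in crypto module (this is not code from Messenger or any real service). The names alice and bob, the message, and the `demo-e2ee-v1` label are constructed, and it assumes each public key reaches the other side unmodified.

```javascript
const crypto = require('crypto');

// Each device makes its own X25519 key pair; the private key never leaves it.
function newDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { name, publicKey, privateKey };
}

// Both ends derive the same 32-byte key from own private key + peer public key.
function sessionKey(me, peerPublicKey) {
  const shared = crypto.diffieHellman({ privateKey: me.privateKey, publicKey: peerPublicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'demo-e2ee-v1', 32));
}

// Encrypt with AES-256-GCM; the routing metadata is authenticated but not hidden.
function seal(key, from, to, text) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${from}>${to}`));
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return { from, to, sentAt: Date.now(), iv, body, tag: cipher.getAuthTag() };
}

function open(key, env) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  d.setAAD(Buffer.from(`${env.from}>${env.to}`));
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.body), d.final()]).toString('utf8'); // throws if altered
}

// What a relay server learns from the envelope: who, when, how big. Not the text.
function relayView(env) {
  return { from: env.from, to: env.to, sentAt: env.sentAt, bytes: env.body.length };
}

function demo() {
  const alice = newDevice('alice'), bob = newDevice('bob');
  const env = seal(sessionKey(alice, bob.publicKey), 'alice', 'bob', 'meet at 6');
  const received = open(sessionKey(bob, alice.publicKey), env);
  // Without an endpoint's private key the relay has no valid key; decryption is rejected.
  let relayRead;
  try { relayRead = open(crypto.randomBytes(32), env); } catch (e) { relayRead = 'auth failed'; }
  return { received, relayRead, seen: relayView(env) };
}

console.log(demo());
```

The relay still sees sender, recipient, time and message size, which is the metadata exposure the paragraph above describes.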

E2EE examples

E2EE is a commonly used layer of security for protecting data. Whenever you visit a website, the URL will likely begin with HTTPS. That means the traffic between your browser and the web server is encrypted. If this weren’t the case, as with regular HTTP, your browser would be screaming about security issues and showing bright red warnings. With plain HTTP, someone could easily steal your credentials for online accounts.

Services used by large groups of people, such as Apple’s iMessage and WhatsApp, also use E2EE. VPNs, the Tor network, email servers, and many VoIP and video services also use E2EE. In a world where online privacy has been mostly eroded but is slowly growing as a concern, the presence of E2EE is a good thing.

How is this possible?

And so we arrive back at the opening statement of this article: FB Messenger also supports E2EE. Without any deeper thinking, this is a good change. Adding E2EE makes Facebook unable to read data passing through their servers, and you need to remember that over a billion people actively use this service. People using Messenger should now be able to communicate without worrying about being snooped on by anyone.

But this is a paradox, isn’t it? We know Facebook makes money by selling your data and showing ads. So if they lock themselves out of the data of over a billion people, isn’t that a suicidal move? Facebook also owns WhatsApp, and over 2B people use that service. With E2EE being built into WhatsApp, how is Facebook still alive?

First, the E2EE in Messenger is opt-in. Unlike WhatsApp, it isn’t enabled by default; you have to manually enable it. The majority of people are technologically inept, otherwise companies like Facebook could not exist. Therefore, most users probably won’t enable E2EE, let alone know about its value. If you have to use Messenger, you should absolutely enable E2EE and convince others to do so. By making the feature opt-in, the number of users that use this feature is instantly diminished.

Second, you really can’t trust the E2EE and Facebook products as a whole. Just use some logic: why would a data harvesting company allow its users to not share any data? Facebook can still harvest metadata, which E2EE is not as effective at hiding. But beyond metadata, it is safe to assume that Facebook has backdoors in their encryption which allow them to read data.

Now, think about what that second point implies. Messenger uses E2EE, which is designed to prevent any outsider, including Facebook, from reading data. But if Facebook has a backdoor, then they can read the data or give it to any other outsider. So the E2EE is absolutely useless. If there are backdoors, the E2EE is as effective as trusting a cat to not eat meat while you’re not looking.

There are good reasons to suspect that Facebook implemented backdoors.

  1. The software is proprietary

    Facebook does not share the code that goes into their services, so we cannot prove them innocent. And unlike ‘innocent until proven guilty’, the opposite is safer and more reasonable to believe in this case. It’s very likely that if the code for services like Messenger were ever leaked, the whole thing would be completely spyware.

  2. Facebook’s business model needs your data

    Do you really think Facebook will simply allow over 2 billion people to use their services for free without stealing their data? These services are provided for free, so the user is 100% the product. It is foolish to think that Facebook would respect user privacy and not snoop on everything they could.

  3. Invasive government mandates

    The Edward Snowden incident showed everything you need to know about the collaboration between government and tech companies. Governments can, at any time, order Facebook to hand over user data and the company has to oblige. This is kept secret by gag orders, so all the public hears is how much Facebook cares about user privacy. Governments don’t like E2EE because it makes detecting illegal activities difficult. Therefore, they believe that surveilling everyone is the only viable solution to maintain ’national security’. Governments can also order backdoors to be built into software so that they can access data whenever they wish.

Beyond the motives for implementing backdoors, the fundamental design of Messenger works against E2EE. No matter what machine you use, you’ll always see all your messaging and file history when logging into Messenger. This is possible because that data is stored on Facebook’s servers, which means that Facebook physically has your data. Someone on their end could try and brute force decrypt that data behind the scenes.

Encryption is not perfect; data will be decrypted given enough time. Encryption is adequate to keep data secured while in transit, but throw enough computing power at encrypted data and it will be compromised. The best measure to protect encrypted data is to minimize the transfer time and not let it linger anywhere, which means not storing it in vulnerable locations like a cloud server. But that’s exactly what Facebook does, since everyone is so dependent on their data being available everywhere.

Why would you ever trust Facebook?

You should always be skeptical of changes and ‘progress’ made in technology. Most of the time, these advancements have major drawbacks or are secretly designed to work against you. Messenger implementing E2EE is no exception; it sounds good as a news headline but that’s about it. Always scrutinize what tech companies say or do. Assume there are backdoors built in, and enabling E2EE will only help marginally.

E2EE is great technology, don’t get me wrong. It legitimately improves security and privacy; that’s why so many services use it. Any program you use that has E2EE should implement it properly, without any backdoors. To replace Messenger, WhatsApp, and other messaging programs, I recommend Signal; it just works, uses E2EE properly, and even minimizes metadata leakage.