Facebook Blew It on Messenger Encryption


Facebook says it’s going to implement end-to-end encryption in its extremely popular Messenger app. Unfortunately, the company is going about it all wrong. The encryption will require users to opt in to the security measure, which bows to the FBI’s wishes and flies in the face of what experts consider best practice.

Encryption, done properly, scrambles the messages you send so that only the sender and the intended recipient can read the content. This helps keep your messages safe from hackers, mass surveillance, and other malicious actors.


Facebook Messenger is upping its security to include encryption, but its effort will fall short, as it will share the same fatal flaw that afflicts Telegram and Google’s forthcoming AI-enabled Allo app: users will have to opt in to the encryption. If Facebook really cared about your privacy and security, why wouldn’t it just turn on end-to-end encryption by default?

To be fair, Facebook’s new “Secret” mode in Messenger will use the Signal encryption protocol, which has received universal praise from security experts and is generally considered to be the best encryption protocol. But the reason having encryption turned on by default is so important is that it protects users who aren’t tech savvy and might not understand the benefits of encrypted communication.

As the ACLU’s Christopher Soghoian told Gizmodo last month, if the encryption isn’t turned on by default, it might as well not be there: “There are many Telegram users who think they are communicating in an encrypted way, when they’re not because they don’t realize that they have to turn on an additional setting,” Soghoian said. The same applies to Facebook Messenger.


Facebook’s sheepish move to not fully encrypt users’ messages is confusing, considering that Facebook-owned WhatsApp turned on automatic end-to-end encryption for all of its users earlier this year, receiving high praise from security and privacy advocates.

Facebook should step up to the plate to protect its users and turn on end-to-end encryption by default. No additional settings, and no gimmicks.


Update 10:10 EST: Facebook’s Chief Security Officer, Alex Stamos, justified why Facebook didn’t add encryption by default. In addition to some technical challenges, it would also hinder the current user experience.


[Facebook via The New York Times]


About the author

William Turton

Staff Writer, Gizmodo | Send me tips: william.turton@gizmodo.com

PGP Fingerprint: 88DF AB75 FAFC 1D10 4C45 A875 CA45 ABE6 B08D 8E52
OTR Fingerprint: 47F02E79 399AB8FA CC2A4DEF 4573B25F 18AB41D2