Facebook says it’s going to implement end-to-end encryption into its extremely popular Messenger app. Unfortunately, the company is going about it all wrong. The encryption will be require that users opt-in to use the security measure, which bows to the the FBI’s wishes, and flies in the face of what experts consider best practices.
Encryption, done properly, obfuscates the messages you send so that only the sender and the intended recipient can read the content. This helps keeps your messages safe from hackers, mass surveillance, and other malicious actors.
Facebook Messenger is upping its security to include encryption, but its effort will fall short, as it will share the same fatal flaw that maligns Telegram and Google’s forthcoming AI-enabled Allo app, in that users will have to opt-in to the encryption. If Facebook really cared about your privacy and security, why wouldn’t it just turn on end-to-end encryption by default?
To be fair, Facebook’s new “Secret” mode in messenger will use the Signal encryption protocol, which has received universal praise from security experts and is generally considered to be the best encryption protocol. But the reason having encryption turned on by default is so important is that it protects and secures users who aren’t tech savvy and might not understand the benefits of encrypted communication.
As the ACLU’s Christopher Soghoian told Gizmodo last month, if the encryption isn’t turned on by default, it might as well not be there: “There are many Telegram users who think they are communicating in an encrypted way, when they’re not because they don’t realize that they have to turn on an additional setting,” Soghoian said. The same applies to Facebook Messenger, too.
Facebook’s sheepish move to not fully encrypt users’ messages is confusing, considering Facebook-owned Whatsapp turned on automatic end-to-end encryption for all of its users earlier this year, receiving high praise from security and privacy advocates.
Facebook should step up to the plate to protect its users and turn on end-to-end encryption by default. No additional settings, and no gimmicks.
Update 10:10 EST: Facebook’s Chief Security Officer, Alex Stamos, justified why Facebook didn’t add encryption by default. In addition to some technical challenges, it would also hinder the current user experience.