Meta has officially begun to roll out support for end-to-end encryption (E2EE) in Messenger for personal calls and one-to-one personal messages by default in what it called the "most significant milestone yet."
"This isn't a routine security update: we rebuilt the app from the ground up, in close consultation with privacy and safety experts," Loredana Crisan, vice president of Messenger at Meta, said in a post shared on X (formerly Twitter).
CEO Mark Zuckerberg, who announced a "privacy-focused vision for social networking" back in 2019, said the update comes "after years of work" redesigning the platform. It's worth noting that E2EE for group messaging in Messenger is still in the testing phase.
Encrypted chats were first introduced as an opt-in feature called "secret conversations" in Messenger in 2016. Meta's Instagram also has support for E2EE for messages and calls but it's "only available in some areas" and not enabled by default.
"The extra layer of security provided by end-to-end encryption means that the content of your messages and calls with friends and family are protected from the moment they leave your device to the moment they reach the receiver's device," Crisan said.
In August 2023, the social media giant said that it was on track to widely enable the feature by the end of the year but emphasized that it had to re-architect Messenger to ensure that its servers cannot process or validate messages passing through them.
To that end, it not only upgraded over 100 features to incorporate encryption, but also developed new ways for users to manage their message history between devices, like setting up a PIN, by building a new encrypted storage system called Labyrinth.
After a chat is upgraded in Messenger, the PIN serves as a recovery method that helps users restore their messages should they lose, change, or add a device to their account.
"Labyrinth – a novel encrypted message storage protocol – aims to address a number of these challenges by enabling users to store their messages server-side, while also maintaining strong privacy," the company said in a whitepaper.
"It is designed to protect messages against non-members (devices and entities which are not enrolled in a user's Labyrinth mailbox), including preventing new messages from being decryptable on revoked devices which may have previously had access to earlier messages, while achieving low operational overheads and high reliability."
Meta's latest encryption announcement is likely to reignite the ongoing debate over privacy and the ability of law enforcement to conduct investigations and obtain evidence of criminal activity. A September 2023 campaign by the U.K. government claimed that Meta's plans to encrypt its platforms would allow child abusers to "hide in the dark."
Meta's rollout of E2EE on Messenger has prompted criticism from the U.K. National Crime Agency (NCA), which called the move "hugely disappointing" and said that its "role in protecting children from sexual abuse just got harder."
"As a result of Meta's design choices, the company will no longer be able to see the offending occurring on their messaging platform, and law enforcement will no longer be able to obtain this evidence from them," James Babbage, director general for threats at the NCA, said in a statement.
"This problem won't go away; if anything it will likely get worse. Offenders will still use Facebook Messenger to send illegal material, and will use the vast quantity of data shared on the platform about children to select and groom future victims."
The NCA also noted that the alternative countermeasures developed by the company rely purely on metadata and are unlikely to yield sufficient evidence to secure search warrants against people of interest. It also said the change puts the onus entirely on children's shoulders to report abuse.