Date: 2023-12-07

In a significant milestone, Messenger has started upgrading personal conversations to use end-to-end encryption (E2EE) by default. The aim is to enhance privacy and security by allowing only the sender and intended recipients to access the messages while ensuring the authenticity of the sender. This effort aligns with Meta’s vision for secure messaging as outlined by Mark Zuckerberg in 2019.

The journey to bring E2EE to Messenger has been a complex process, involving the rebuilding of various application protocols. The ultimate goal was to strike a balance between privacy, security, safety, and the popular features that have made Messenger a widely used platform.

Messenger initially introduced end-to-end encrypted chats in 2016 through Secret Conversations. Since then, Meta has gained valuable insights and expertise in rolling out E2EE for a broader user base. The recent publication of a white paper, titled “Meta’s Approach to Safer Private Messaging on Messenger and Instagram Direct Messaging,” showcases the industry-leading safety systems and tools available on Messenger.

To truly understand the goals behind E2EE adoption, two key aims stand out:

1. Ensuring that only the sender and recipients can see the contents of an E2EE message, with no ability for even Meta to forge or tamper with the messages.

2. Building trust and confidence by verifying the authenticity of the sender, so users can confidently communicate with their friends and loved ones.

To achieve these objectives, Meta has identified eight concepts that form the foundation of meaningful E2EE implementation:

1. Confidentiality in transit: Secure and authentic transmission of message contents between devices.

2. Confidentiality in storage: Implementing server-based encryption where encrypted messages are stored on Meta’s servers but can only be accessed using encryption keys controlled by the user.

3. Control over endpoints: Users should have the ability to verify and manage the devices receiving their messages.

4. Private feature design: Creating E2EE-compatible features that function device-to-device without relying on server-side processing.

5. Logging limitations: Avoiding accidental leakage of message content in telemetry logs.

6. Application security: Addressing the challenges of security in the end-to-end encryption domain, where the provider’s ability to protect users is reduced, and the threat model expands.

7. Defining what’s being protected: Determining the boundaries of message content and setting user expectations while balancing privacy risks.

8. Third-party scrutiny: Encouraging external verification of E2EE through white paper publications, bug bounty programs, and consultations with external parties.

By embracing end-to-end encryption on Messenger and actively addressing these concepts, Meta aims to provide users with a secure, private, and trustworthy messaging experience.