As part of ongoing changes aimed at both security and a better user experience, there are indications that Meta-owned Facebook is working on deploying end-to-end encryption for all chats, which will all be stored on Facebook servers rather than on a user’s devices. The new security and privacy feature is said to be in trials for Messenger.
Meta has started to test end-to-end encrypted (E2EE) chat as a default for Messenger chats and, as a companion to it, launched a new online E2EE storage service dubbed Secure Storage for backing up chat histories.
It’s also going to trial an unsend feature like the “delete for all” option in WhatsApp group chats.
Facebook enabled E2EE for Messenger in 2016 but users needed to turn on encryption for each chat thread. In the near future, users won’t need to enable it.
E2EE means chats are encrypted in transit and at rest, be it on the user’s device or a remote server. Currently, the content of each chat thread protected by encryption in Messenger is only stored on each user’s device. This would consume a lot of storage on a smartphone if all chats are kept on-device. So, in the future, these chats, which will all be E2EE, will by default be stored on Facebook servers in its Secure Storage service.
The move to default E2EE for Messenger itself isn’t unexpected and falls in line with Meta’s plans announced in November when it pushed back default E2EE for Messenger and Instagram from the end of 2022 until “sometime in 2023” while it weighed up user privacy versus public safety and working with law enforcement.
Messenger’s Secure Storage feature is new and will become “the default way to protect the history of your end-to-end encrypted conversations on Messenger,” Sara Su, Product Management Director, Messenger Trust, said in a blogpost.
“As with end-to-end encrypted chats, secure storage means that we won’t have access to your messages, unless you choose to report them to us,” says Su.
With encrypted Messenger chats stored in Meta’s data centers and not on a user’s device, users who lose their device can still access chat histories. But it also means all encrypted chats are now stored on Meta’s servers.
E2EE will make it harder for law enforcement to access content like photos and chats, but they can still access metadata, such as location, device identifiers and account creation timestamps.
Facebook started testing Secure Storage on Android and iOS this week, but hasn’t made it available on the Messenger website, the Messenger for desktop app or chats that are not E2EE-protected.
To access Secure Storage backups, users need to create a PIN or generate a code that they must save in order to access the backups in future. The private key can be saved in services like Apple’s iCloud Keychain password management system in order to access the backup conversations. But as Su notes, Apple’s key storage service isn’t protected by Messenger’s E2EE.
Su notes Facebook is planning to bring end-to-end encrypted calls to the Calls Tab on Messenger in future.
It’s also introducing Code Verify, a browser extension for Chrome, Firefox and Microsoft Edge that automatically verifies the authenticity of the code when using the Messenger website.
“This will let you confirm the effectiveness of our end-to-end encryption security by showing that your web code hasn’t been tampered with or altered,” Su notes.
Another change resulting from default E2EE is that Messenger is losing vanish mode for disappearing messages. It will retain disappearing messages (where messages vanish after a set time) in E2EE chats. Vanish mode remains available on Instagram but isn’t E2EE.
“We will continue to provide updates as we make progress toward the global rollout of default end-to-end encryption for personal messages and calls in 2023,” said Su.