Facebook Messenger joins e2e bandwagon

Today Facebook Messenger becomes the latest in a string of applications to enable end-to-end encryption functionality for its users. It joins Signal, WhatsApp, and Google’s recently announced Allo — all of which use technology by Open Whisper Systems — as well as Telegram, Zom, KakaoTalk, ChatSecure, Viber, Line,  Cyberdust, and Apple’s iMessage.

The industry-wide movement toward more secure options is a huge win for human rights. Encryption has become the most effective way to protect internet users from criminals, terrorists, oppressive regimes, and other bad actors seeking unauthorized access to personal information. David Kaye, the United Nations Special Rapporteur for Freedom of Expression, identified encryption, as well as anonymity-promoting tools, as necessary grant the space for users to exercise their rights to privacy and freedom of expression.

It’s necessary to be somewhat well-versed in each application’s implementation of end-to-end encryption to determine which service is right for you. No person has the same threat model, and there is no “one size fits all” solution. You may be looking for the service most of your friends use, or one with the most emojis. Here are a few things regarding security to keep in mind when you choose a service:

  • Services like Facebook’s Messenger and Google’s Allo do not have end-to-end encryption turned on by default, meaning you must choose to activate it for specific conversations.
  • Apple’s iMessage is encrypted by default, but the company keeps a copy of messages on its servers for people who have enabled cloud back-ups.
  • Signal has a secured desktop application available, but only for people who use Android.
  • Some technologists have questioned Telegram’s security, and it appears that the Iranian government was able to take control of user accounts at least once.

At the end of the day, steps to make encryption available and accessible for more people are hugely positive. But while it’s important to take notice of these achievements, it’s also important to push for more and better.

Access Now has pushed companies to adopt better digital security practices to protect their customers, including asking them to “enable or support use of client-to-client encryption.” We encourage companies to work on developing better security protections for metadata. Companies should also continue working to integrate these features, in email as well as messaging, in ways that are intuitive, meaningful, and usable. As we’ve said, “encryption, and particularly robust end-to-end encryp­tion by default, pro­vide these users with the best line of defense against really bad things hap­pen­ing.”

Finally, while encryption is a vital piece in the digital security puzzle, it is not the only one. Access Now also encourages companies to implement robust authentication protocols; to take proactive steps to support security research and to patch known vulnerabilities; and to adopt fair information practices, including limits on data collection and retention.

We’re hoping companies keep making progress. The security — and the human rights — of billions of internet users are at stake.