In December, Meta promised that the company was starting to roll out default end-to-end encryption (E2E) to private chats and calls on Messenger and Facebook. E2E encryption ensures that only the sender and recipient of a message have the keys to read that message. To anyone who intercepts it, and even to the platform hosting the communication, the content of an E2E encrypted message is indiscernible.
Meta’s announcement came after years of pressure from advocacy groups – including Accountable Tech – led by Fight for the Future to Make Direct Messages (DMs) Safe through on-by-default E2E. It might have been a surprise that it took a large coalition campaign for Facebook to implement this critical change since in 2019 Mark Zuckerberg himself wrote, “I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever. This is the future I hope we will help bring about.” But if Big Tech has proven one thing, it’s that they’re perfectly happy to make empty promises.
Facebook, in particular, has been under scrutiny to implement this security feature since 2022, when Facebook messages became a key piece of evidence in the prosecution of an abortion case in Nebraska.
In their December announcement, Meta acknowledged that Messenger has had the option to turn on E2E since 2016, but even as an encryption enthusiast, this was news to me. So three months after Meta’s promise to roll out E2E by default, I decided to test out the status of this critical privacy and security feature and see if maybe this is one promise the company has kept.
I should preface that I’m not a regular Facebook user. After logging in on my laptop for the first time in many, many months, I navigated to the messenger tab in the upper right side of the browser window. From there I could see some years-old chats and it took two clicks to find “Start end-to-end encrypted chat.” A new window popped up next to the old one with a label that it was end-to-end encrypted. I then opened Messenger as a separate platform in a new browser window, where I could not figure out how to turn on E2E encryption. The E2E chat I had started previously in the Facebook interface showed the same label, including a link to Meta’s Help Center, which explains how to check my keys. From the Messenger interface, I couldn’t figure out how to start an E2E chat, and the Help Center was particularly unhelpful.
So I decided to test out the Messenger app on my iPhone, which required downloading it for the first time. After logging into Messenger with my Facebook credentials, I was not prompted to create a PIN, despite the reporting in WIRED quoting Messenger’s Global Policy Director Gail Kent that users “will be asked to create secure storage and create a PIN that will then enable them to add the data and the messages onto other devices and restore if they lose their device.” While Meta is describing a security protocol I’m familiar with from my experience on Signal (an open-source and secure E2E messaging app run by a non-profit), I was unable to see it for myself.
According to The Guardian: “It will take months for end-to-end encryption to be rolled out to the more than 1 billion users on the platform. Users will receive a prompt to set up a recovery method to restore their messages once the transition is completed.”
It appears that my account is not one of those that has yet had E2E by default rolled out. Is yours? After I initially wrote this post on February 26, one of my colleagues did receive an update to Messenger on March 2, but my account is still not offering E2E by default on March 4.
On your laptop:
1. Open your browser and log in to Facebook (we love Facebook Container on Firefox for this!)
2. In the upper right corner, click on the middle image of a chat icon
3. From there select a contact to chat or start a new message.
Turning on E2E is much easier in a new message: simply toggle the button.
On a phone or iPad, you can try to follow Meta’s instructions here.
While users may have the ability to turn on E2E for individual chats (which isn’t exactly straightforward), Meta’s promise to roll it out by default sets up the expectation that it should be on by now – three months later. With recent news that Meta is developing new location sharing features on Instagram, with the location data reportedly encrypted, it’s more important than ever that Meta makes encryption the default.
Big Tech has a pattern of promising to deliver change on a vague timeline (much like Google’s commitment to delete abortion location history), which can confuse people into thinking their data is more private and secure than it really is. While you can take steps to ensure your data is private and secure on social media, the burden shouldn’t be on you – Big Tech should take responsibility and start living up to their promises when they say they will.