Meta delays product-wide end-to-end encryption rollout until 2023

An image which shows Messenger, Instagram, WhatsApp, and Facebook apps on a smartphone's home screen
(Image credit: Shutterstock)

Meta has announced plans to delay the global rollout of end-to-end encryption (E2EE) across its messaging applications to 2023.

The company previously said it would have E2EE across all its products by 2022 at the earliest.

Meta said it would be taking additional time to ensure the implementation across Facebook Messenger and Instagram is done correctly, protecting privacy while also mitigating the risk of online harms.

WhatsApp is currently the only app in Meta's product portfolio that enables E2EE by default, although it has previously been criticised for allowing moderators to access the contents of any messages flagged by users as potentially abusive.

“We’re taking our time to get this right and we don’t plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023,” said Antigone Davis, head of safety at Meta, the Sunday Telegraph.

“As a company that connects billions of people around the world and has built industry-leading technology, we’re determined to protect people’s private communications and keep people safe online,” she added.

E2EE has created an ongoing debate around the divide between privacy and personal safety. Meta said it's taking time to implement E2EE in a way that upholds both, but how that happens is unclear.

If E2EE is deployed in its proper form, with unique on-device encryption, it should be impossible to facilitate any third-party oversight of what is communicated through the technology without breaking its fundamental principles.

RELATED RESOURCE

Multi-factor authentication deployment guide

A complete guide to selecting and deploying your MFA authentication guide

FREE DOWNLOAD

"Encryption is an absolute. You either have it or you don’t. There is no 'getting it right'," said Andy Yen, founder and CEO at Proton. "The best way to protect privacy and user data is to not have the data in the first place.

"Of course we need to ensure tech is not misused, but there are many ways to combat criminal behaviour," he added. "Back doors and similar methods of undermining privacy are an ineffective way of preventing crime. If Meta cared as much about user privacy as it claims, it would have implemented end to end encryption a long time ago."

From a cyber security perspective, Jim Killock, executive director at Open Rights Group, said there is a clear argument that E2EE offers protections for the everyday consumer and calls for its removal would be welcomed by cyber criminals all over.

"There are many ways of tackling crime. Storing all communications in the clear is just one; the focus on E2EE is narrow and misleading," he told IT Pro. "What is certain is that E2EE provides security from cybercriminals and hacking.

"Government campaigning against security technologies is a gift to cybercriminals," he added.

However, repeated calls for a proposed 'backdoor' in E2EE-enabled messaging services have been made by governments across the world.

The main opposing arguments are those related to the protection of children online and safeguarding national security from terror events, for example.

Home Secretary Priti Patel labelled Facebook's encryption plans "simply not acceptable" earlier this year at an event run by the National Society for the Prevention of Cruelty to Children (NSPCC). Patel said tech companies have a duty to protect children from online harms.

"Facebook is right not to proceed with end-to-end encryption until it has a proper plan to prevent child abuse going undetected on its platforms," said Andy Burrows, head of child safety online policy at the NSPCC, to the Guardian.

"But they should only go ahead with these measures when they can demonstrate they have the technology in place that will ensure children will be at no greater risk of abuse," he added.

Coinciding with Meta's new 2023 encryption deadline is the enactment of the UK's Online Safety Bill, which will force online platforms to implement protections for users, including children, from harm and address abusive content.

The domestic legislation may stifle Meta's ability to enable E2EE across its products, but to what extent the Online Safety Bill will impede consumer privacy through encrypted messaging remains to be seen.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.