In March of last year, Mark Zuckerberg made a dramatic pledge: Facebook would apply end-to-end encryption to user communications across all of its platforms by default. The move would grant strong new protections to well over a billion users. It's also not happening anytime soon.
What Zuckerberg didn't spell out at the time is just how difficult that transition would be to pull off, and not just in terms of political hurdles from encryption-averse law enforcement or a shift in Facebook's business model. Encrypting Facebook Messenger alone represents a Herculean technical challenge. According to one of the Facebook engineers leading the effort, a version of Messenger that's fully end-to-end encrypted by default remains years away.
"I’ll be honest right now and say we’re still in a place of having more questions than answers," said Jon Millican, Facebook's software engineer for Messenger privacy, in a talk today at the Real World Crypto conference in New York. "While we have made progress in the planning, it turns out that adding end-to-end encryption to an existing system is incredibly challenging and involves fundamentally rethinking almost everything."
Millican's presentation at the conference, in fact, wasn't about how Facebook plans to pull off the transition to default encryption for Messenger, which currently offers the feature only through its Secret Conversations mode. Instead, it seemed aimed at explaining the many hurdles to making that transition, and asking the cryptography community for ideas about how to solve them.
Millican readily admitted that means Facebook users shouldn't expect to see a default encryption rollout for several years. That also likely means the company's planned integration of WhatsApp, Facebook, and Instagram messaging will take at least as long, given that all three would likely need to be end-to-end encrypted to avoid undermining the existing default protections in WhatsApp. Still, a Facebook spokesperson says the company expects to see some progress on interoperable messaging this year.
"We publicly announced the plan years in advance of being able to actually ship it," Millican said of Messenger's encryption rollout in an interview with WIRED ahead of his conference talk, while declining to say when exactly Facebook expects the rollout to be complete. "There are no imminent changes coming here. This is going to be a long process. We’re dedicated to getting this right rather than doing it quickly."
Facebook Messenger's bounty of features—video calls, group messaging, GIFs, stickers, payments, and more—almost all currently depend on a Facebook server being able to access the contents of messages. In an end-to-end encrypted setup, only the people at the ends of a conversation would possess the keys on their devices to decrypt messages, requiring that more of Messenger's mechanics be moved to apps and browsers. Facebook's servers would act only as blind routers, passing messages on without being able to read them—which also keeps them safer from government agencies or other snoops.
Millican argues that getting to that point will require rebuilding every feature of Facebook Messenger from the ground up. "We’re looking at a full-stack rethink and re-architecture of the entire product," he says. "We’re not just adding end-to-end encryption to a product, we’re building an end-to-end encrypted product."
Facebook has, of course, already carried out the sort of billion-user transition to default encrypted messaging that it now says is so difficult. In 2016, Facebook-owned WhatsApp enabled default end-to-end encryption for all its billion-plus users. But Millican points out that transition also took years, despite the WhatsApp of 2016 having been much simpler than Facebook Messenger in 2020. He points to key differences between the two apps: WhatsApp doesn't support multiple devices, beyond a desktop program that essentially routes messages via the user's phone. And it doesn't back up messages to a server so that they're available when you reinstall the app. Messenger does both.
Apple may present another model of how to achieve the sort of massive end-to-end encrypted network Facebook has committed to create: It's managed to build rich features and end-to-end encryption by default into iMessage. But it doesn't have the sort of full-featured, independent web interface that Facebook Messenger offers, which presents other challenges, since it's designed to allow users to send messages from any device. (WhatsApp's web interface, like its desktop app, only works when it's linked with a user's phone.)
But Facebook's critics may nonetheless see other motives in the company's slow progress on encryption. The company has come under enormous pressure from global governments not to encrypt its users' communications, as it would block law enforcement and intelligence agencies from accessing those messages. In October, US, UK, and Australian officials jointly signed an open letter to Mark Zuckerberg asking that Facebook not proceed with its plan to vastly expand its messaging encryption—or that it build in a method for law enforcement to somehow obtain and decrypt the contents of encrypted messages. Zuckerberg publicly refused.
Giving up the ability to collect data from messages also represents a potential motive for Facebook to slow-roll its encryption plans. But Millican notes that Facebook doesn't use message contents for ad targeting. He declined to talk about the political opposition to encryption, citing his role on the technical side of the operation.
If Facebook's delayed rollout is in fact due to technical hangups, that may be because the company hasn't applied enough of its bountiful research and development resources to the problem, says Matthew Green, a cryptographer at Johns Hopkins who served as a paid consultant to Facebook in 2016 on Messenger's Secret Conversations rollout. "If this is taking several years, maybe they’re not putting their money where their mouth is," says Green.
Green argues that the hurdles to fully encrypting Messenger likely are more technical than political. He confirmed Millican's assessment of the intimidating scale of the problem, given all of Messenger's features. "The engineering is really hard," Green says. As for the political pressure, Green suggests that Facebook already took that hit when it made the announcement in the first place. "Why get everyone ticked off at you if you’re not going to get the benefit of deploying encryption?" he asks. "They're already getting all the flak. They might as well do it."
But Millican says Facebook will take its time, consulting with not only the cryptography academics at conferences like Real World Crypto but also members of "civil society" like journalists and activists, asking how best to build an encrypted Messenger for their specific needs. He ended his conference talk with a not-altogether-reassuring pledge that, despite the long horizon, the fully privacy-preserving future of Messenger is not vaporware.
"We’re going to ship this," Millican said. "It’s going to take time to build and time to get right, but nonetheless: This is happening."
This story has been updated with context on interoperable messaging from Facebook.