International Association
for Cryptologic Research

Meta has recently begun rolling out default end-to-end encryption to their billions of Messenger users. We announced the project in 2019, and it has involved a long process of development and iteration in order to enable the migration to succeed. Messenger operates within a number of product constraints that increase the complexity of end-to-end encryption from standard approaches described elsewhere, all stemming from users’ expectations that a rich Messenger experience is available across all their devices. For example, we support: * multiple devices for each user, including ephemeral web sessions low-end devices with limited local storage or processing capacity; * message history; which has historically been available to all devices logged in to a Messenger account; * a number of rich features such as social integrations (e.g. sharing posts, previews, sticker search). The underlying architecture can dramatically impact the challenges faced in encrypting messages. Some challenges included: * data was sometimes structured in our backend such that there weren’t clear payloads to encrypt; * our surfaces, such as Facebook Lite, which have historically achieved a lightweight app by rendering the user’s entire screen server-side. Alongside Messenger’s product challenges, it’s helpful to actually be clear about the actual intention of end-to-end encryption. Specifically, in the non-cryptographic privacy goals that it implies around confidentiality and authenticity of messages. To put these into practice within the organisation, we required a more comprehensive approach, which - in retrospect - breaks down into a series of sub-requirements: * Confidential & authentic message transmission & storage. * Private feature implementations. * Limitations on what can be logged. * Application security. * Process to determine what we’re protecting. * A level of verifiability. We learned some general lessons from rolling out end-to-end encryption; including the challenge of communicating such changes to a global audience, as well as in testing and rolling out an inherent shift in product model and architecture in-place within an existing product. This included findings, such as: * Communicating end-to-end encryption with padlock icons in the user interface was at times interpreted differently in different contexts - with interpretations ranging from Meta having locked the chat to implying that the chat itself was subversive. * Replacing a product in-place makes testing especially challenging, as many factors end up being tested simultaneously, with outcomes which are difficult to disentangle. Our approach to message history raised a number of difficulties, including a fundamental tension that exists for storing end-to-end encrypted data; that forces the implementer to choose between sacrificing guaranteed message history availability, guaranteed messaging availability, and the ability to login to Facebook without introducing user-managed keys. To store e2ee messages, we designed a new cryptographic protocol which provides indexed storage, key rotation, and a diversity of recovery methods. The rollout of this created significant product challenges, as users had to make a choice around whether to use this solution, and - if so - how they should manage their recovery codes. This was particularly difficult because many users did not have a good understanding of the changes, we didn’t necessarily have the ability to interrupt the user at an appropriate time for them to think it through, nor did many of them want to engage with these prompts in the first place - despite the importance of making the right choice. Finally, we will look at some of the product features which presented particular challenges for us, and how we addressed making them work. These features include: * Sharing posts from Facebook into messages; which typically provides the user a preview of the post content, but for which the previewed content may be audience-controlled. * Sticker search; for which we wanted to protect the search terms from association with the user. End-to-end encryption for Messenger was a larger change than we had initially anticipated, which introduced complexity in most places that it touched. We learned a lot from addressing this new set of challenges, and we hope that these lessons can apply more broadly in future to help end-to-end encryption gain wider spread adoption.