Moeancurly | 3 years ago

Is there a good (for the end user) reason that Messenger does not have E2EE enabled by default?

From The Verge's article[1]:

> However, campaigners note that Meta always has to comply with legal requests for data, and that the company can only change this if it stops collecting that data in the first place. In the case of Celeste and Jessica Burgess, this would have meant making end-to-end encryption (E2EE) the default in Facebook Messenger. This would have meant that police would have had to gain access to the pair’s phones directly to read their chats. (E2EE is available in Messenger but has to be toggled on manually. It’s on by default in WhatsApp.)

[1]: https://www.theverge.com/2022/8/10/23299502/facebook-chat-me...

btown|3 years ago

From Meta's perspective, in all the ways that matter, the advertiser is the end user. Non-advertisers' impressions and data are simply inventory that can be sold to end users. And it would be bad for the "end user" if that inventory was stored by default in a form that could not be easily indexed for cost-efficient packaging and delivery.

(Lest you think I'm exaggerating, inventory is literally an industry term: https://smallbusiness.chron.com/advertising-inventory-mean-3...)

skoskie|3 years ago

It doesn't matter whether end (you) to end (Facebook) encryption is enabled or not. That only protects data "in transit". The information is still accessible to Facebook "at rest". Enabling E2EE should give you absolutely no sense of privacy from Facebook because it doesn't exist.

aposm|3 years ago

This is contrary to the universally understood meaning of E2EE (as in, end to end between the two participants in the conversation). I'm not one to blindly take Facebook's PR statements at face value, but if you're making the claim that Facebook is deliberately advertising E2EE while secretly redefining the term to mean non-E2EE, you should have some strong evidence. Those sorts of linguistic gotchas don't work in real life or in a courtroom.

upbeat_general|3 years ago

Is this assuming they build in client-side reporting functionality? In this case it’s not E2EE anyway.

Or are you saying it’s not E2EE unless the clients are auditable?

ahahahahah|3 years ago

It's mostly not enabled by default due to uproar from politicians and organizations like NCMEC on how it would protect child abusers. I expect that they are currently working on features to help address that and will enable it by default when those are ready.

harshitaneja|3 years ago

How would you implement E2EE on a web application?

Miraste|3 years ago

Drop the web app, make a native one like Signal does if they even bother with desktop. They clearly don't want people to use it anyway, they've been implementing dark patterns to push the phone version of Messenger for years.

btown|3 years ago

Encryption keys could themselves be encrypted with a password that the user would type, that is only ever saved in browser local storage, or even only in memory and needs to be retyped on each pageload.

There's nothing preventing the government from forcing Meta to implement a backdoor that exfiltrates the unencrypted key, of course, but that's true of non-web-based systems as well.

tomuli38|3 years ago

If you think it is a good thing to obey the state's abortion laws, then yes it is good for violating messages to be reported to law enforcement.

The question I think you meant to ask is if it is a good thing for companies to obey the state.

jakelazaroff|3 years ago

No, the question is whether Facebook should have access to those messages at all.