UPDATED 18:42 EDT / AUGUST 25 2023

SECURITY

Meta’s Facebook finally supports end-to-end message encryption: four lessons for IT managers

The importance of end-to-end encryption of digital messages is getting new attention with the announcement that Meta Platforms Inc.’s Facebook will begin adding the feature to its Messenger product now and extend it to all use cases, group chats included, by year-end.

It’s an important step, since E2EE, as it’s known for short, means a message is encrypted on the sender’s device and can be decrypted only on the recipient’s; the provider’s servers relay ciphertext they cannot read. That is a stronger guarantee than merely encrypting the connection, which protects data in transit but leaves it readable once it reaches the vendor. But the announcement isn’t the whole story, either, because Facebook is playing catch-up with many of its competitors, such as Signal and Telegram, which have offered E2EE messaging for years now (Signal by default, Telegram only in its optional secret chats).

The announcement was made by Timothy Buck, a Messenger product manager, in an Aug. 22 blog post. He admits that when the company began thinking about the notion, “transitioning our services to E2EE would be an incredibly complex and challenging engineering puzzle. We would have to rewrite almost the entire messaging and calling code base from scratch.” That turned out to be the case.

Part of the problem was that the original software protected messages only in transit and left them readable on Facebook’s own servers, a gap that let the company, and anyone who compromised those servers, read the content, so the encryption offered little protection against the operator itself. Another issue was that Messenger runs on multiple desktop, mobile and browser platforms. All of that code had to be rewritten.

Another complicating factor is that users are much more demanding about their messaging requirements. It isn’t just a simple one-to-one text message anymore: There are group texts, shared multimedia content, emojis and stickers and even voice calling that is part of our daily messaging requirements. In addition, there are shared file attachments, web links and links to social media conversations.

Often messaging is used as a prelude to an online purchase, or a postscript once the purchase is received. There is also a lot of messaging going on in the corporate context as well, and these messages are happening with people all over the world.

Messaging has exploded as a communications mechanism ever since AOL came on the scene in the late 1980s and started blanketing mailboxes with its software, first on floppy disks and later on CDs. Since then businesses got interested in messaging as a critical communications tool, as I wrote for the New York Times back in 2006.

Today there are dozens of business-oriented messaging providers, including both Microsoft Corp.’s Teams and Salesforce Inc.’s Slack, to tie together a far-flung workforce.

Although I commend Facebook for attempting this wholesale E2EE upgrade, it shows how far behind it has been in this particular area. These are not new issues. For years businesses — and some privacy-sensitive consumers — have had particular concerns about the security of their messaging apps.

They don’t want any user data collected, including the message metadata that isn’t directly involved in message delivery. They don’t want any residue remaining on the messaging vendor’s servers after the message has been delivered.

That was a tall order for Facebook, which got itself into trouble back in 2020 and 2021 when it changed WhatsApp’s data-sharing policies. A story in The Verge cites Facebook’s “reputation for obfuscating changes to its various terms of service agreements,” a nice way of saying that the company has had a spotty record when it comes to protecting its users’ privacy. The changes set off an exodus of 25 million users, according to the New York Times, who signed up for Signal and Telegram accounts instead.

WeChat hasn’t been a picnic either: SiliconANGLE reviewed its own subpar privacy policies earlier this summer and found them wanting.

How to encrypt message traffic

But let’s move on to the specifics of encryption, which is perhaps the most important aspect of any messaging app. The details are critical, and the best source for understanding the scope of the problem is a report released earlier this month by Iria Puyosa, a researcher at the Atlantic Council’s Digital Forensic Research Lab. She surveyed 40 messaging apps and examined Telegram, WeChat and WhatsApp in detail.

Two layers of encryption are involved. Transport layer security, or TLS, encrypts the connection between a user’s device and the vendor’s servers, so message data and metadata are hidden from anyone watching the network; but the server terminates that connection and can read whatever arrives. E2EE adds a second layer on top: the message body is encrypted with keys held only by the participants, so the vendor’s infrastructure carries nothing but ciphertext. Note that E2EE protects the content, not the routing metadata (who messaged whom, and when), which the server still needs in order to deliver the message.
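To make that distinction concrete, here is an added example, written for this article in Go with only the standard library; it is not code from the page, from Meta or from the Atlantic Council report. It relays one message from alice to bob through a vendor server in two modes: transport-only, where each hop is sealed under a key the client shares with the server, and end-to-end, where the body is first sealed under a key that only alice and bob can derive. The party names, the "transport"/"e2ee" labels, the single-block HKDF and the sample message are assumptions for illustration; real messengers use far more elaborate key agreement (the Signal protocol’s ratchets, for instance), and the transport key here merely stands in for a TLS session.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on any error: acceptable in a demonstration, not in production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// party is a toy participant (assumed names: alice, bob, server) holding one
// X25519 key pair; a real messenger publishes the public half via a key directory.
type party struct {
	name string
	priv *ecdh.PrivateKey
}

func newParty(name string) party {
	return party{name, must(ecdh.X25519().GenerateKey(rand.Reader))}
}

// sharedKey: X25519 with the peer, then one HKDF block (HMAC-SHA256, zero salt)
// bound to a label, so the "transport" and "e2ee" keys never coincide.
func sharedKey(me party, peer *ecdh.PublicKey, label string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(must(me.priv.ECDH(peer)))
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte(label), 0x01))
	return expand.Sum(nil) // 32 bytes: an AES-256 key
}

// sealBox/openBox: AES-256-GCM with a fresh random nonce prefixed to the box.
func sealBox(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

func openBox(key, box []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(box) >= n {
		return g.Open(nil, box[:n], box[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Outcome records what the vendor's server and the recipient could recover.
type Outcome struct {
	ServerRoute   string // from/to metadata: readable by the server in both modes
	ServerCanRead bool   // could the server recover the message text?
	BobRead       string // what bob decrypted at the far end
}

// relay pushes one message alice -> server -> bob. e2ee=false encrypts only the two
// transport hops (the TLS-only case); e2ee=true first seals the body under an alice/bob key.
func relay(alice, bob, server party, msg string, e2ee bool) Outcome {
	body := []byte(msg)
	if e2ee {
		body = sealBox(sharedKey(alice, bob.priv.PublicKey(), "e2ee"), body)
	}
	// Hop 1 stands in for TLS; the server terminates it, as any TLS endpoint does.
	hop1 := sealBox(sharedKey(alice, server.priv.PublicKey(), "transport"), body)
	inner := must(openBox(sharedKey(server, alice.priv.PublicKey(), "transport"), hop1))
	out := Outcome{ServerRoute: alice.name + " -> " + bob.name, ServerCanRead: !e2ee}
	if e2ee {
		// Its best attempt, the key it shares with alice, is the wrong key: GCM fails.
		_, err := openBox(sharedKey(server, alice.priv.PublicKey(), "e2ee"), inner)
		out.ServerCanRead = err == nil
	}
	// Hop 2: server -> bob, re-sealed under the bob/server transport key.
	hop2 := sealBox(sharedKey(server, bob.priv.PublicKey(), "transport"), inner)
	plain := must(openBox(sharedKey(bob, server.priv.PublicKey(), "transport"), hop2))
	if e2ee {
		plain = must(openBox(sharedKey(bob, alice.priv.PublicKey(), "e2ee"), plain))
	}
	out.BobRead = string(plain)
	return out
}

func main() {
	alice, bob, server := newParty("alice"), newParty("bob"), newParty("server")
	msg := "PO 4471 approved, wire $50k to account ending 0921" // constructed sample
	for _, e2ee := range []bool{false, true} {
		o := relay(alice, bob, server, msg, e2ee)
		fmt.Printf("e2ee=%-5v route=%q server_can_read=%v bob_read=%q\n",
			e2ee, o.ServerRoute, o.ServerCanRead, o.BobRead)
	}
}
```

Run it and the transport-only line shows the server recovering the full text, while the E2EE line shows it failing, yet both lines carry the same alice -> bob route. TLS stops the network eavesdropper, E2EE stops the operator, and neither hides who is talking to whom.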

The report includes a detailed breakdown of the privacy and security features of 15 messaging apps commonly used in the U.S. The chart (below) shows, for each app, whether these encryption technologies are applied fully or only partially.

There are a lot of caveats in this chart, even among the few vendors that offer the total E2EE promise. For example, Apple Inc.’s iMessage does employ E2EE between its own users, but when one party is on an Android phone or another non-Apple endpoint the conversation falls back to SMS/MMS, which is not encrypted at all. Another loophole is backups: until Apple shipped end-to-end encryption for iCloud backups (its Advanced Data Protection feature) in December 2022, message history backed up to iCloud was protected only by keys Apple held, and the feature remains opt-in.

There is another issue that relates to business use of messaging, as Puyosa writes in her report: “Large business organizations may provide third parties in their supply chains with access to their conversation logs and in some cases may even delegate the complete operation of their messaging communication to a third party.” That could mean message traffic, including server log data, is shared with outsiders without the users’ knowledge.

“Telegram has a permissive content policy, but the platform has been adding restrictions in recent years following pressure from law enforcement in different countries,” she added. “WhatsApp has a growing list of unacceptable content considered harmful or illegal. WeChat is the most restrictive messaging app regarding acceptable content, banning even political content.”

The future of messaging security

This background is helpful for corporate information technology managers, especially those who are concerned about how their data is being stored and transmitted using these messaging networks, or who want to protect their users if they are operating in trouble spots around the world. There are several issues.

First, messaging security, especially when mobile devices are used, is literally in the hands of the individual user. Gone for the most part are those days of corporate managed phones that could be centrally pre-set for stringent security policies.

With unmanaged phones, each user has to take the time to set up the dozens of privacy and security parameters, and to take more time after every phone OS update to ensure that something new hasn’t slipped into the mix. IT managers should post regular bulletins when these do change and suggest how to stay on top of things.

Second, companies should consider adopting a policy against using SMS texts for corporate conversations. SMS is unencrypted, and SMS phishing lures arrive almost weekly these days. Although such a policy is impossible to police completely, firms should at least spell out the issues and explain why a preferred E2EE service is better.

Third, where a chosen network offers only partial encryption, IT should make clear exactly where the boundaries lie, for example which chat types, platforms and backups are covered, and communicate those boundaries to users. A careful review of the Atlantic Council report will help here.

Finally, because of its inherent immediacy, messaging traffic often carries harmful content, misinformation or disinformation that is hard to parse and vet in the moment. Corporate policies should cover these abuses and suggest what to do when confronted with them.

Photo: Randy Faris/Corbis; images: DFIR
