Expanding Testing for End-to-end Encryption on Messenger

Starting today, millions more people’s chats on Messenger will be upgraded to stronger encryption standards as part of our ongoing end-to-end encryption (E2EE) testing. We remain on track to launch default E2EE for one-to-one friends and family chats on Messenger by the end of the year. And as we increase the scale of testing, we wanted to provide an update on how we’ve approached this large and complex engineering challenge.

Background

Since 2019, a team of Meta’s engineers, cryptographers, designers and policy experts have been working on the challenge of bringing additional encryption to Messenger and Instagram DMs. The goal is to enhance the security we already provide and give people additional confidence that their personal messages will remain private. 

However, it quickly became apparent that transitioning our services to E2EE would be an incredibly complex and challenging engineering puzzle. We would have to rewrite almost the entire messaging and calling code base from scratch. 

There has been a lot of work at Meta to answer important policy questions about encryption, such as how we continue to provide people with a safe and secure experience. But, until now, we haven’t explained all of the engineering challenges involved. 

Changing the role of the server

Like many messaging services, Messenger and Instagram DMs were originally designed to function via servers. Meta’s servers act as the gateway between the message sender and receiver, what we call the clients. The servers process message content between the two people, acting as a central source of truth and ensuring clients who were communicating saw the same thing, whether it was a text, emoji or video. 

However, with E2EE, we couldn’t rely on servers to process and validate message content. We needed to redesign the entire system so that it would work without Meta’s servers seeing the message content. 

Since we needed to avoid using servers to process message content, we had to rethink how we would scale on the new infrastructure. This means upgrading trillions of active conversations with E2EE, without disrupting people’s expectations of the speed in which they can communicate or the reliability of their messages being delivered. We also had to develop new ways for people to manage their message history, like setting up a PIN. To maintain E2EE with this PIN approach, we also built out a new infrastructure of Hardware Security Modules (HSM).  

Lessons learned from Messenger and WhatsApp

This isn’t the first time we’ve done something like this. A few years ago, we updated Messenger with what we call Lightspeed code to make it faster and lighter. However, building E2EE is much harder. We not only needed to transition to a new server architecture, but to rewrite our code base to work on multiple different devices, rather than just the server. 

In addition, we are learning lessons from the WhatsApp engineering team on how to deliver messages on a huge scale and at high speed in an E2EE environment. A valuable lesson we’ve learned is it needs to be scalable and reliable, and be as simple and lightweight as possible. We think about this in a similar way to how airplane designers think about aerodynamics. Streamlining the complexity of our messaging service creates a better outcome, particularly for people who have low connectivity.

Rebuilding features

As we’ve developed E2EE, we have had to rebuild over 100 features in this client-centric way. Messenger is one of the richest chat experiences available. We know that people want encryption, but they also want the same fun and ability to express themselves they’ve come to expect on Messenger. 

One example of how we rebuilt Messenger is when people share external links like Youtube videos. We know people want to see rich previews, so they have some idea what the links shared by their friends are before they click on them. In the old model, the server would go and retrieve that information from Youtube, and show you an image of the video as a preview. That’s why it sometimes takes a brief second to load. In an E2EE chat, however, the app on your phone will go to Youtube. It will get the rich preview for you, and when you hit send, your app encrypts the whole package and sends it to the recipient. 

Keep the conversations going

We also needed to build E2EE while we kept the conversations on Messenger going. We’ve had to rebuild all the features and experiences – from sending a message, to our most expressive features like stickers. All of this was done to ensure Messenger works the way people expect it to, but now with the additional privacy and security provided by E2EE. As we continue to increase the scale of our tests, and prepare to roll out the upgraded service, people will need to update their app to a recent build to access default E2EE. This is why it will take longer than we first anticipated to transition all messages to E2EE. However, as people update their app to the latest version of Messenger, we will be able to upgrade those conversations with the additional privacy and security of E2EE. 

Ultimately, the expanded testing we are starting today will give us the clearest picture of our work to implement E2EE. We will keep you updated as we continue to test and improve this service.

To help personalize content, tailor and measure ads and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookie Policy