The danger behind Meta killing end-to-end encryption of Instagram direct messages

As law enforcement Agencies are scrambling to confront the threats of terrorism, child sexual abuse, and human trafficking — and repressive governments around the world are looking to massively expand their surveillance capabilities — and researchers fear that Meta’s retreat from its commitments to protect user privacy through end-to-end encryption on Instagram chat could create a problematic precedent in big tech.

Meta has spent the better part of a decade working to roll out end-to-end encryption by default across all of its chat apps. It has been an odyssey full of technical and political obstacles. But in December 2023, the company declared victory, announcing the default end-to-end encryption for Messenger, and promising that it was testing its rollout of Instagram Direct Messaging as well. Ultimately, though, end-to-end encryption came to Instagram chat only as an opt-in feature in stagnant waters. And with threats to end-to-end encryption from governments around the world growing greater than ever, Meta quietly announced last week that it intends to remove the feature from Instagram chat entirely on May 8.

Most importantly, few companies have the scale and stability necessary to gain an influential position in favor of end-to-end cryptography. A smaller group – Meta and Apple – have made this a priority. Meta’s decision on Instagram chat could give other companies, or even simply other departments within Meta, permission to do less, too, experts say.

“Publishing meta-cryptography was a public obligation, and they were taking a lot of pressure from various governments to do it,” says Matt Green, a cryptographer at Johns Hopkins University, who has consulted Meta-company over the years on rolling out end-to-end encryption as an unpaid consultant and paid reviewer. “Public commitments to support privacy features are the only thing we the public have. If they are worthless, why assume we will continue with end-to-end encryption in Messenger and WhatsApp?”

Meta’s decision to scrap end-to-end encryption for Instagram chat appears to have been particularly troubling to researchers and privacy advocates because of the company’s stated reason for the change: decreased user adoption.

“Very few people were opting for end-to-end encrypted messaging in direct messages, so we will be removing this option from Instagram in the coming months,” a Meta spokesperson told WIRED and other outlets. “Anyone who wants to continue messaging with end-to-end encryption can easily do so on WhatsApp.”

The statement struck many as disingenuous given that Meta had maintained for years that it was specifically committed to default end-to-end encryption, and not the subscription version that eventually emerged for Instagram chat buried behind layers of menus.

“I designed the feature so that no one could find it, and I turned it off because it’s not easy to find and therefore unpopular,” says Davey Ottenheimer, a longtime security executive and creator of the Post-Quantum Cryptography Evaluation Tool. “It’s very ridiculous.”

Johns Hopkins’ Green also adds that Meta originally introduced optional encryption for Messenger and appears to have learned its lesson about the need for default implementation from the low adoption in that experience.

“This is an introductory post where they publicly commit to default encryption in Instagram chat. Then, apparently, without looking back, they add an update to the top that implies it was optional encryption, and blames opting out as the reason they needed to remove the feature,” Green says. “Nothing about this is honest. They know what they promised.”

WIRED gave Meta multiple opportunities to comment on this story, but the company ultimately declined.

In key “I understand that many people don’t believe Facebook can or even wants to build this kind of privacy-focused platform — because frankly, we don’t currently have a strong reputation for building privacy-protecting services, and we’ve historically focused on tools for more open sharing,” Meta CEO Mark Zuckerberg wrote in a 2019 thesis outlining his vision for privacy and security across Meta properties. But he added: “We’ve shown time and time again that we can evolve to build services that people really want, including private messaging and Stories.”