/ security

E2E Encryption, Facebook Messenger, and a Whole Bunch of Problems

Tech blogs were awash with news today that Facebook, a world leader in exploiting user data for profit, is introducing end to end encryption to Facebook Messenger. The new feature, called Secret Conversations, is an opt-in (booo) conversation mode that utilizes Open Whisper Systems' Signal Protocol (yayyy) for complete end to end encryption (meaning facebook cannot read the data exchanged). Facebook added a few bonus features such as self destructing messages and suggests that this tech would be excellent for communicating private information like health issues or financial info.

That's where most of the articles ended, just enough info to give a nice bit of PR to Facebook in exchange for a few clicks, but lets dig a little deeper.

Let's start with what Facebook has done right. The Signal Protocol which they have opted to use (and which creators Open Whisper Systems have verified was integrated correctly) is the state of the art for end to end encryption. The code has been widely analyzed and appears to be free of exploits while maintaining excellent cryptographic security. This fact, along with the expertise of the chief designer and crypto hero Moxie Marlinspike has led to the protocols spread from Signal (OWS own messaging app) to WhatsApp, Google Allo (which we still think is fucking stupid), and now Facebook Messenger. This is a huge win for the mass adoption of end to end encryption and the efforts of OWS and Moxie himself are largely responsible for that.

That's about where the good things end.

There are a lot of puzzling choices implemented by the Facebook team and some outright concerning facts. First, Secret Conversations limits you to messaging from a single device to a single individual. This is perplexing as the Signal Protocol allows both multiple devices and group chats. Facebook's own whitepaper on the implementation does not comment on this decision. Further, Moxie has specifically noted that Signal Protocol supports this feature and Facebook could have implemented it without modification to the protocol. As it stands, the implementation is extremely limiting and makes it a pain to use actively discouraging users with more than a single device (read: everyone) from initiating secret chats and returning to them at a later time.

Second, the implementation is opt-in unlike Facebook's own WhatsApp which has enabled E2E to be on by default (complete with multiple devices and group chat support). This decision is almost certainly due to the fact that the current implementation is crippled compared to standard Facebook chat (did I mention it's limited to a single device?) with no support for superfluous features like GIFs, videos, or sending money (if people use that). Opt-in is often worse than no encryption as the initiation of an encrypted chat acts as a flag that someone is exchanging information they believe should be private making the conversation a prime target for surveillance (even if only metadata can be collected in a best case scenario).

Metadata is still an issue (obviously) and while the contents of your messages are encrypted from Facebook's servers, who you are messaging, when, how much, if they're reading, and if they respond are not. All of this data is valuable when constructing networks and understanding how people may be connected to each other and constructing narratives about individuals, events, and relationships. Further, the app still supports stickers, but does so by sending what Facebook calls a "sticker identifier" which triggers the app to report a request for the sticker to Facebook prompting both communicating devices to download the file. This notifies Facebook that a sticker (and what sticker) was used by whom when. However, if that sticker is cached on both devices, this information is not sent and the cached version is used.

Now for the really troubling parts.

Facebook has added new "abuse reporting" functionality which functionally breaks any semblance of privacy a secret chat may offer. Let's pause here and take a moment to talk about the analog hole. The analog hole is mostly used to refer to copy protections in terms of DRM and copyright, but also applies to encryption. The basic gist is that for someone to be able to see/hear/whatever a digital file, that person will also be able to copy it, whether with a screenshot, a camera, a microphone, transcription, or whatever other non digital technique they can come up with. Some apps try to make this more difficult by blocking or notifying people about screenshots (Snapchat for example), but can't do anything about workarounds or people photographing their screens. This all comes back to encryption in that while you can send a mathematically secure message to someone else (and they can be the only people who can read it), once you have physical access to that device or access to a copy of the text, then the encryption is rendered useless.

Now how does this tie into Facebook's Secret Conversations? In Facebook's defense, they have implemented a timer functionality that limits how long a post appears (similar to Snapchat) in order to shrink the size of the hole for analog capture (which shows they are thinking of the problem). With that in mind, Facebook has chosen to implement an option to report abuse that sends an entire plain text copy of the conversation to Facebook's servers complete with cryptographic verification of everything and everyone involved. It only takes one person to press report and send this data to Facebook.

I understand the need to retain a methodology to report abuse and cryptographic verification of content is actually pretty cool (bad actors won't be able to fake messages and get otherwise innocent individuals in trouble thanks to Facebook's thorough mathematical franking), but having an option of rendering an entire private conversation pointless in a few button clicks within the app seems ridiculous. The chats are already a pain to set up, all Facebook needed to do if they decided they don't want to enable encryption by default is prompt users if they want to accept an encrypted chat and notify them that Facebook can't monitor or enforce site policies within them. If you're concerned about abuse from an unknown individual, it's trivial to ignore the chat. If you're concerned with abuse from a known individual, you can always document info (though it lacks the strong cryptographic proof with this method and is thus vulnerable to forgery) and manually report. I have zero doubt in my mind that this was a requirement put down on the initial feature list at the insistence of legal teams that didn't want to have to deal with unregulated chat. Unfortunately, there is no good engineering solution to this request and the Facebook team did the best they could in the circumstances, but it still makes much of the point of the encrypted mode, well, pointless.

Message storage is also an issue. As long as you are logged into Facebook, the messages are stored unencrypted on your device (whether that's your phone or computer). Only iOS devices encrypt this data at rest (provided you use a PIN, password, or fingerprint), meaning secret conversations on your laptop or on your Android device are stored unencrypted when the device is on (locked or unlocked). This is primarily a problem with Android and web browsers, but other apps have solved it by requiring a password to unlock encrypted messages after a timeout period, a feature Secret Conversations lacks.

Finally, like all Facebook products, Secret Conversations is closed source and while we'd like to think that the engineers behind the app have the best intentions, we can't independently audit that the code they say is in there is actually the code that is shipped. This means the app could sport backdoors (government mandated or otherwise) or be vulnerable to other unknown exploits people analyzing the code would otherwise be able to report. Encrypted messaging is only as good as the trust you have in the app and the team behind it and independent verification is a large part of that trust. Without it (and along with Facebook's less than stellar history regarding privacy) we can't in good faith trust Secret Conversations.

All of this information and further details on the specifics of the crypto implementation can be found on the Messenger Secret Conversations Technical Whitepaper.

Better Options

As always, the best encrypted messaging available is Open Whisper Systems' Signal (iOS, Android, Chrome). The app is open source and uses the same encrypted protocol that Facebook has implemented. Further, Signal encrypts by default and also supports encrypted voice calls. This is the only popular encrypted messaging app you should use.