How WhatsApp Merger With Facebook Messenger Puts Your Privacy At Risk

This article is more than 5 years old.

With the news that WhatsApp and Instagram are to merge 'under the hood' with Facebook Messenger to create a unified messaging platform, the focus is quickly switching to what this means for user privacy. Mark Zuckerberg has stated that he wants the new platform that integrates WhatsApp, Facebook and Instagram messaging to be end-to-end encrypted, but that may well not be as easy to implement as he thinks, if possible at all. Indeed, I have my doubts as to whether it is something that Facebook really wants given how important data visibility is to the business model of the social network.

Of the three messaging services, currently only WhatsApp supports end-to-end encryption by default while Facebook Messenger users need to switch the 'secret conversations' feature on and Instagram users get no such option at all. Here's the thing then: what happens if, for example, an Instagram user (or a Facebook Messenger user with secret conversations toggled off) messages a WhatsApp user? There will be an expectation from the WhatsApp user that all their messages are encrypted across the entire communication process, but Instagram messages aren't encrypted at the moment. Will the new platform impose default end-to-end encryption for all users regardless of which service they are actually using?

This is harder to achieve, at least in a way that could be thought of as being secure, than it sounds. Or at least it will be unless the plan is to completely re-engineer all three messaging services from the ground up. This is not just a case of bolting the Signal protocol (as used by both WhatsApp and Facebook Messenger) onto Instagram. All three implementations of the Signal protocol would need to be identical to ensure seamless and secure end-to-end encrypted messages. Yet the two services that already have the open-source protocol in place implement it differently; WhatsApp by default, Facebook Messenger as an option.

Why is this so problematical? You only have to look at the car crash that is the security of Internet of Things devices for the answer: security that is bolted on as an afterthought is notoriously flaky and will never be as solid as that which is built in by design. OK, so the answer is adding end-to-end encryption to both Facebook Messenger and Instagram by default, which would make securely delivering a unified communications platform much easier, right? Well, sort of. It's certainly the most logical step, but far from being straightforward. I'm pretty sure that the software engineering team working on the cross-platform integration would be able to address the technical issues, but the bigger roadblock might be in the boardroom.

Facebook CEO, Mark Zuckerberg, wrote an op-ed for the Wall Street Journal last Thursday which defended the social network's data collection and advertising model. "People consistently tell us that if they're going to see ads, they want them to be relevant," Zuckerberg insisted, before adding that when users were asked for permission to collect data to improve the relevancy of adverts as part of the EU General Data Protection Regulation (GDPR) compliance process, "the vast majority agreed because they prefer more relevant ads." What has this got to do with end-to-end encryption and the planned unified messaging platform? Only everything, that's all.

You only have to look back to April last year when WhatsApp co-founder and CEO, Jan Koum, quit and it was widely reported that disagreements over privacy and encryption issues with Zuckerberg were at the heart of that decision. His WhatsApp co-founder, Brian Acton, left Facebook the previous year and later tweeted that it was time to '#deletefacebook.' For Facebook to effectively give the old heave-ho to the ability to have visibility into messaging data, data which is then used to target advertising, seems something of a big ask to me.

Of course, it's not just solving the end-to-end encryption problem that could set the privacy alarm bells ringing; there's also the small matter of user registration. This is another area where Facebook Messenger and WhatsApp clash regarding data collection. WhatsApp needs your telephone number, Facebook demands your actual identity. I am, it has to be said, more than a little concerned about how metadata from the unified messaging platform will be collected, analyzed and used by Facebook. Respectfully, I would suggest you should be too.

And I'm not the only one who has concerns over the privacy implications that are now starting to coagulate from the Facebook acquisitions of Instagram and WhatsApp. "How Herculean will the task become when blame is diffused, architecture can be blamed and no one is looking out for the sins committed across inter-company APIs?" asks Sam Curry, chief security officer at Cybereason. "Architecting early is easier than bolting features on artificially and messily later," Curry continues, concluding that "at the very least, Mr. Zuckerberg should take advantage of the situation by leaning forward with a plan for privacy and be a hero instead of later suffering the consequences."

I will finish by echoing the words of the highly-respected cryptographer, Matthew Green, who tweeted: "This move could potentially be good or bad for security/privacy. But given recent history and financial motivations of Facebook, I wouldn't bet my lunch money on good."
