The company formerly known as Facebook is delaying a rollout of end-to-end encryption across all its services until "sometime in 2023", according to Meta's global head of safety, Antigone Davis, writing in an op-ed in the British newspaper the Telegraph this weekend.
While Facebook-owned WhatsApp has had E2EE everywhere since 2016, most of the tech giant’s services do not ensure only the user holds keys for decrypting messaging data. Meaning those services can be subpoenaed or hit with a warrant to provide messaging data to public authorities.
But in 2019 — in the aftermath of global attention to the Cambridge Analytica data misuse scandal — founder Mark Zuckerberg announced the company would work toward universally implementing end-to-end encryption across all its services as part of a claimed "pivot to privacy".
Zuckerberg didn't give a firm timeline for completing the rollout but earlier this year, Facebook said it would finish the rollout during 2022.
Now the tech giant is saying it won't get this done until "sometime" the following year. Which sounds distinctly like a can being kicked down the road.
According to Davis, the delay is due to the social media giant wanting to take its time to ensure it can implement the technology safely — in the sense of retaining the ability to pass information to law enforcement to assist in child safety investigations.
"As we do that, there's a lively debate as to how tech companies will keep combating abuse and enable the all-important work of law enforcement if we cannot read your messages. We believe that people should not have to choose between privacy and safety, which is why we are building robust safety measures into our plans and engaging with privacy and safety experts, civil society and governments to make sure we get this right," she writes, saying it will use "proactive detection technology" to ID suspicious patterns of activity, along with enhanced controls for users and the ability for users to report problems.
Since Facebook announced two years ago that it intends to "e2ee all the things", western governments, including the UK, have leaned very hard on it to postpone or scrap altogether its plan to blanket its services with the strongest level of encryption.
The U.K. has been an especially vocal critic of Facebook on this front, with Home Secretary Priti Patel very publicly — and repeatedly — warning Facebook that its plan to expand E2EE would hamper efforts to combat online child abuse — casting the tech giant as an irresponsible villain in the fight against the production and distribution of child sexual abuse material (CSAM).
Thus Meta's op-ed appearing in the favored newspaper of the British government looks to be no accident.
"As we roll out end-to-end encryption we will use a combination of non-encrypted data across our apps, account information and reports from users to keep them safe in a privacy-protected way while assisting public safety efforts," writes Davis in the Telegraph, adding: "This kind of work already enables us to make vital reports to child safety authorities from WhatsApp."
She continues by saying that Meta/Facebook has reviewed several historic cases — and determined that it "would still have been able to provide critical information to the authorities, even if those services had been end-to-end encrypted" — adding: "While no systems are perfect, this shows that we can continue to stop criminals and support law enforcement."
How precisely would Facebook be able to share data about users even if it ensured that all communications on its services were end-to-end encrypted?
Users aren't let in on the exact detail of how Facebook/Meta joins the dots of their activity across its social empire, but while Facebook's application of E2EE on WhatsApp covers messaging/comms content, for instance, it doesn't extend to metadata, which can provide plenty of intel on its own.
The tech giant also routinely links accounts and account activity across its social media empire — sending data like a WhatsApp user's mobile phone number to its eponymous service, following a controversial privacy U-turn back in 2016. This links a user's (public) social media activity on Facebook — if they have or have had an account there — with the more bounded form of socializing that characterizes activity on WhatsApp (i.e. one-to-one comms, or group chats in a private E2EE channel).
Facebook can thus leverage its vast scale (and historical profiling of users) to flesh out a WhatsApp user’s social graph and interests — based on things like who they are speaking to; who they’re connected to; what they’ve liked and done across all its services (most of which aren’t yet E2EE) — despite WhatsApp messaging/comms content itself being end-to-end encrypted.
(Or as Davis' op-ed puts it: "As we roll out end-to-end encryption we will use a combination of non-encrypted data across our apps, account information and reports from users to keep them safe in a privacy-protected way while assisting public safety efforts. This kind of work already enables us to make vital reports to child safety authorities from WhatsApp.")
Earlier this fall, Facebook was stung with a major fine in the European Union related to WhatsApp transparency obligations — with DPAs finding it had failed to properly inform users what it was doing with their data, including in relation to how it passes information between WhatsApp and Facebook.
Facebook is appealing the GDPR fine but today it unveiled one change to the language of the privacy choices presented to WhatsApp users in the EU as a result of the regulatory action, while saying it had no intention of making any change to how it treats user data.
Last month Facebook whistleblower Frances Haugen also raised a worrying point specifically about the tech giant's application of E2EE, noting that because the code is proprietary rather than an open source implementation, users have to rely solely on what the company claims about its security features, since the code can't be validated by an independent third party.
She also said that no one knows how Facebook interprets E2EE, adding that she is worried about the expansion of E2EE on the platform "because we have no idea what they're going to do", as she put it.
"We don't know what it means, we don't know if people's privacy is actually protected," Haugen told lawmakers in the U.K. parliament, further warning: "It's super nuanced and it's also a different context. On the open source end-to-end encryption product that I like to use there is no directory where you can find 14-year-olds, there is no directory where you can go and find the Uighur community in Bangkok. On Facebook it is trivially easy to access vulnerable populations and there are national state actors that are doing this."
https://twitter.com/elegant_wallaby/status/1462845345319161860
Haugen was careful to speak up in support of E2EE — saying she's a supporter of open source implementations of the security technology, i.e. where external experts can robustly interrogate code and claims.
But in the case of Facebook, where its E2EE implementation is not open to anyone to verify, she suggested that regulatory oversight is needed to avoid the risk of the tech giant making misleading claims about how much privacy (and therefore safety from potentially harmful surveillance, such as by an authoritarian state) users actually have.
Davis’ op-ed — which is headlined “we’ll protect privacy and prevent harm” — sounds intended to reassure U.K. policymakers that they can “have their cake and eat it”; concluding with a promise that Meta will “continue engaging with outside experts and developing effective solutions to combat abuse”.
"We're taking our time to get this right and we don't plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023," Davis adds, wrapping up with another vague soundbite that it is "determined to protect people's private communications and keep people safe online".
While the UK government is sure to be pleased by the line-toeing quality of Facebook's latest public pronouncements on a very prickly subject, its decision to delay E2EE to "get this right" — in the wake of continued ministerial pressure from individuals like Patel — can only heighten concerns over what "right" might mean in such a privacy-sensitive environment.
No doubt the larger community of digital rights advocates and security experts will be watching closely what Meta does here.
The U.K. government has splashed almost half a million of taxpayers' money on five projects to develop scanning/filtering technologies, applicable to E2EE services, that detect, report or block the creation of CSAM. This came after ministers said they wanted to encourage the development of "alternative solutions": in other words, ones that would not require platforms to forgo E2EE but would instead embed a form of scanning/filtering technology in their encrypted systems to detect CSAM.
So, the preferred approach of the U.K. appears to be using the political cudgel of concern for child safety, which it's also legislating for in the Online Safety Bill, to push platforms to implement spyware that allows for encrypted content to be scanned on users' devices regardless of any claim of E2EE.
Whether such baked-in scanner systems essentially add up to a backdoor in the security of robust encryption (despite ministers' claims otherwise) will surely be the topic of close scrutiny and debate in the months/years ahead.
Here it's interesting to look at Apple's recent proposal to add a CSAM detection system to its mobile OS, under which it was slated to scan information uploaded from the user's device to its cloud storage service, iCloud.
As initially presented, Apple's stance was upbeat about the proactive move, with the company claiming it had built "the technology that can balance strong child safety and user privacy".
However, after a storm of concern from privacy and security experts — as well as those warning that such systems, once established, would inexorably face "feature creep" (whether from commercial interests to scan for copyrighted content; or from hostile states to target political dissidents living under authoritarian regimes) — Apple backtracked, saying after less than a month that it would delay implementing the system.
It's not clear when, or if, Apple might reboot the on-device scanner.
While the iPhone maker has established itself (and a pretty profitable enterprise) as a company that really, really, really cares about user privacy, Facebook's ad empire is the exact opposite: the golden age of surveillance capitalism. So expecting the social media behemoth — whose founder (and all-powerful potentate) has presided over a string of scandals attached to systematically privacy-hostile decisions — to hold the line in the face of sustained political pressure to bake spyware into its products would be for Facebook to deny its own DNA.
Its recent corporate rebranding to Meta looks a whole lot more superficial than that.