No, you’re not reading it wrong: Meta says it’s worried about the future of privacy.
The company, formerly known as Facebook, made that uncharacteristic pronouncement Monday in response to a lengthy independent report the company itself commissioned to examine its end-to-end encryption (E2EE) plans for Messenger and Instagram direct messages (reportedly rolling out as default end-to-end encryption in 2023). In the document, Meta specifically came out against client-side scanning — an approach favored by law enforcement that would make it theoretically feasible for companies to scan the contents of users’ devices while still claiming those devices employed end-to-end encryption.
In what perhaps can be read as a refreshing concession to reality by the tech giant, Meta says it views client-side scanning as a nonstarter (at least for now).
“Meta believes that any form of client-side scanning that exposes information about the content of a message without the consent and control of the sender or intended recipients is fundamentally incompatible with an E2EE messaging service,” the company wrote in response to the report. “People who use E2EE messaging services rely on a basic promise: that only the sender and intended recipients of a message can know or infer the contents of that message.”
Client-side scanning, by its very nature, would undermine that promise.
Most privacy and security experts have declared client-side scanning and end-to-end encryption fundamentally incompatible, and decried attempts to meld the two as a regulator’s fantasy.
“While it may technically maintain some properties of end-to-end encryption, client-side scanning would render the user privacy and security guarantees of encryption hollow,” explained Erica Portnoy, the Electronic Frontier Foundation’s senior staff technologist, in 2019.
Portnoy went on to argue that, despite the best intentions of child-safety advocates pushing for client-side scanning capabilities, it is impossible to build a client-side scanning system that only searches for material related to child exploitation imagery. In other words, once the technical ability to scan the contents of people’s encrypted devices and messages is built, there’s no way to control who will eventually get access to those tools — think: hackers, corrupt law enforcement, or malicious government actors — or what will ultimately be done with them.
Once the client-side scanning cat is out of the bag, there’s no putting it back. Monday’s announcement from Meta appears to, refreshingly, acknowledge that reality.
“Privacy is a fundamental human right,” reads an accompanying Meta blogpost published Monday. “End-to-end encryption is a widely-used technology that protects the privacy and many other human rights of billions of people every day.”
Of course, Meta has made sweeping pro-privacy claims before. In April of 2019, Mark Zuckerberg told developers gathered at the annual F8 conference that “privacy gives us the freedom to be ourselves,” adding “that’s why I believe that the future is private.”
Meta hasn’t exactly been free of privacy (and non-privacy-specific) scandals, deceptive half measures, and policy backtracks since then, and it’s unclear if this newfound dedication to the fundamental principles underlying encryption technology is here to stay.
But even a pro-privacy half measure is better than what we’ve come to expect from Meta.