Meta, Twitter, Apple, Google urged to up encryption game in post-Roe America

Facebook, Twitter, Google, Apple, and others today faced renewed pressure to protect the privacy of messaging app users seeking healthcare treatment.

Now that America has entered its post-Roe era, in which more than a dozen states have banned abortion, digital rights advocacy group Fight for the Future has called on tech companies to implement strong on-by-default end-to-end encryption (E2EE) across their messaging services to secure users' communications, and prevent conversations from being shared with police and others.

Crucially, campaigners want to ensure that people's chats discussing procedures outlawed at the state level can't be obtained by the cops and used to build a criminal case against them.

"When our messages are protected from interlopers, we can communicate freely, without the fear of being watched," said Caitlin Seeley George, Fight for the Future's campaigns and managing director, in a statement.

Tech companies are throwing their users to the wolves by allowing company employees, cops, and other third parties to access unprotected messages

"After the reversal of Roe v. Wade and with more rights cutbacks on the way, tech companies are throwing their users to the wolves by allowing company employees, cops, and other third parties to access unprotected messages."

In theory, E2EE should prevent anyone other than the two (or more) people involved in the private conversation from accessing its contents. This means that, for example, if the Facebook chats between a Nebraska teen daughter and her mom about an abortion had instead happened on a service like Signal or Meta's WhatsApp, both of which use E2EE by default, then Meta, even when served with a subpoena to turn over the private conversations, would not have been able to access their contents.

Meta, for its part, has committed to enabling default E2EE on both Messenger and Instagram "sometime in 2023," according to Meta spokesperson Alex Dziedzan. 

Right now, customers have the option to enable the optional feature on both services, he added.

"The challenge for us is twofold," Dziedzan told The Register. "It's a technical one as well as a human-rights one."

Meta delivers 160 billion messages everyday across its Messenger, Instagram, and WhatsApp services, he said. "Considering the size and scale, we can't afford to create a situation where messages get lost or the system falls down," Dziedzan said. 

The second element, he added, addresses human rights. "How do we build end-to-end encryption in a thoughtful, critical manner? Are we building tools with enough safety for people, so they have the ability to block people? It's a massive engineering task — it's not just flipping a switch," Dziedzan said.

Massive engineering task is right: Facebook staff aren't even sure where exactly people's data is stored, due to the sprawling distributed nature of the social network, which is used by billions of people every month.

• Amazon expands end-to-end video encryption to battery-powered Ring devices
• Facebook hands over chats to cops in post-Roe abortion case
• Amazon gave Ring video to cops without consent or warrant 11 times so far in 2022
• Twitter whistleblower Zatko disses bird site as dysfunctional data dump

Aside from Meta, none of the other messaging services responded to The Register's inquiries about their plans for E2EE.

This includes Twitter, which hasn't announced plans to implement encryption. This year it emerged that Twitter had suffered a security snafu that exposed Twitter account IDs linked to phone numbers and email addresses of a reported 5.4 million users. And, more recently, its former security boss alleged that about half of Twitter's roughly 10,000 staff have access to live production systems and user data, and that some staff quietly installed spyware on their computers on behalf of foreign intelligence.

Apple also did not respond to The Register's questions. While iMessage texts are end-to-end encrypted by default when sent between iPhones, messages between iPhone and Android devices don't use E2EE. 

Google has called on Apple to "fix texting" by adopting Rich Communications Services (RCS), a protocol used by most mobile industry vendors but not the iPhone maker. So far that campaign hasn't worked.

RCS originally did not include E2EE, but Google Messages added support in late 2020; Group messages got E2E encryption this year. Google Chat, however, is not end-to-end encrypted.

Discord, which also does not use E2EE for messaging, did not respond to The Register's unencrypted requests for comments, either.

A Slack spokesperson, in an email to The Register, noted that while not E2EE, it does encrypt data at rest and data in transit.

"We also offer EKM (Enterprise Key Management), a security add-on for Slack Enterprise Grid that allows organizations to manage their own encryption keys using Amazon Key Management Service (KMS)," the spokesperson wrote.

"Slack will not share customer data with government entities or third parties unless we're legally obligated to do so — and we make it our practice to challenge any unclear, overbroad, or inappropriate requests." ®