Instagram messages on the web could pose an encryption challenge
It’s a relatively slow week on the platforms-and-democracy beat, so let’s talk about something small but fascinating in its own way: the arrival of Instagram messages on the web.
An unfortunate thing about being a xennial who grew up using (and loving) the world wide web is that most developers no longer build for it. Over the past 15 years, mobile phones became more popular than desktop computers ever were, and the result is that web development has entered a slow but seemingly inexorable decline. At the same time, like most journalists, I spent all day working on that same web. And with each passing year, the place where I do most of my work seems a little less vital.
This all feels particularly true when it comes to communications tools. Once, every messaging kingdom was united with a common API, allowing us to gather our conversations into a single place. (Shout out to Adium.) But today, our messages are often scattered across a dozen or more corporate inboxes, and accessing them typically requires picking up your phone and navigating to a separate app.
As a result, I spend a lot of time typing on a glass screen, where I am slow and typo-prone, rather than on a physical keyboard, where I’m lightning-quick. And each time I pick up my phone to respond to a message on WhatsApp, or Snapchat, or Signal, I inevitably find a notification for some other app, and the next thing I know 20 minutes have passed.
All of which is to say, I was extremely excited today to see Instagram’s announcement that it had begun rolling out direct messages on the web. (The company gave me access to the feature, and it’s glorious.) Here’s Ashley Carman at The Verge:
Starting today, a “small percentage” of the platform’s global users will be able to access their DMs from Instagram’s website, which should be useful for businesses, influencers, and anyone else who sends lots of DMs, while also helping to round out the app’s experience across devices. Today’s rollout is only a test, the company says, and more details on a potential wide-scale rollout will come in the future.
The direct messaging experience will be essentially the same through the browser as it is on mobile. You can create new groups or start a chat with someone either from the DM screen or a profile page; you can also double-tap to like a message, share photos from the desktop, and see the total number of unread messages you have. You’ll be able to receive desktop DM notifications if you enable notifications for the entire Instagram site in your browser.
Instagram didn’t state a strategic rationale for the move, but it makes sense in a world that is already moving toward small groups and private communication. Messengers win in part by being ubiquitous, and even if deskbound users like myself are in the minority, Facebook can only grab market share from rivals if it’s everywhere those rivals can be found. (iMessage and Signal, for example, have long been usable on desktop as well as mobile devices.)
Now, thanks to this move, I can make greater use of Instagram as both a social and reporting tool, and the web itself feels just a bit more vital. All of which is good news — but, asks former Facebook security chief Alex Stamos, is it secure? After all, Facebook is in the midst of a significant shift toward private, end-to-end encrypted messaging, with plans to create a single, encrypted backend for all of its messaging apps.
This is fascinating, as it cuts directly against the announced goal of E2E encrypted compatibility between FB/IG/WA. Nobody has ever built a trustworthy web-based E2EE messenger, and I was expecting them to drop web support in FB Messenger. Right hand versus left? (Alex Stamos on Twitter, 5:28 PM, Jan 14, 2020)
Stamos went on to highlight two core challenges in making web-based communications secure. One is securely storing cryptographic information in JavaScript, the lingua franca of the web. (This problem is being actively worked on, Stamos notes.) The second is that the nature of the web would allow a company to create a custom backdoor targeting an individual user — if compelled by a government, say. For that, there are few obvious workarounds.
One alternative is to take the approach that Signal and Facebook-owned WhatsApp have, and create native or web-based apps. As security researcher Saleem Rashid told me, the web version of WhatsApp generates a public key in the browser using JavaScript, then encodes it in a QR code that a user scans with their phone. This creates an encrypted tunnel between the web and the smartphone, and so long as the JavaScript involved in generating the key is not malicious, WhatsApp should not be able to decrypt any of the messages.
When I asked Instagram about how it plans to square the circle between desktop messages and encryption, the company declined to comment. I’m told that it still plans to build encryption into its products, and is still working through exactly how to accomplish this.
“We have always maintained there is no such thing as a backdoor just for the good guys,” the company explained. “Backdoors can also be exploited by those who threaten our national security and the data security of our customers. … We feel strongly encryption is vital to protecting our country and our users’ data.”
On one level, today’s Instagram news is a small story about a niche feature. But in the background, questions about the security of our private communications are swirling. Which should give us all reason to watch Facebook’s next moves here very closely.
THE RATIO
Today in news that could affect public perception of the big tech platforms.
In the wake of the failure during the UK elections, Facebook said it had launched a review of how to prevent these issues, as well as how to communicate them more clearly.
But the events of Dec. 10 are not the first time Facebook’s Ad Library has failed since its launch in May 2018. The API, which is supposed to give researchers greater access to data than the library website, went live in March 2019 and ran into trouble within weeks of the European Parliament election in May. Researchers have been documenting a myriad of issues ever since.
The platform also drew the ire of researchers when it failed to deliver the data it promised as part of a partnership with the nonprofit Social Science Research Council and Social Science One, a for-profit initiative run by researchers — a project that was funded by several large US foundations. Facebook said it remains committed to providing data to researchers, but the SSRC and funders have begun withdrawing from the project due to the company’s delays.
The breadth of Facebook’s patent growth, said Larry Cady, a senior analyst with IFI, resembled that of intellectual-property heavyweights Amazon.com Inc. and Apple Inc., which were No. 9 and No. 7, respectively, with each winning more than twice as many patents as the social media titan. Facebook’s largest numbers were in categories typical of Internet-based computer companies — data processing and digital transmission, for example — but its areas of greatest growth were in more novel categories that may suggest where the company sees its future.
Facebook’s 169 patents in the Optical Elements category marked a nearly six-fold jump. Most of that growth stems from the Heads-Up Displays sub-category, which Cady said probably is related to virtual-reality headsets. Facebook owns the VR company Oculus and in November acquired the Prague-based gaming studio behind the popular Beat Saber game. One such patent, granted Nov. 5, is titled “Compact head-mounted display for artificial reality.”
Popular “e-boys” on TikTok are nabbing fashion and entertainment deals. They’re known mostly for making irony-steeped videos of themselves in their bedrooms wearing tragically hip outfits composed of thrifted clothes. Some observers predict that top e-boys will have success reminiscent of the boy bands of yore. (Rebecca Jennings / Vox)