E2E encrypted messaging on Instagram will no longer be supported after 8 May (opens in new tab)

one thing to consider is how just the optics of major players using e2e was an overall benefit.

people who otherwise would have gone their entire lives without ever hearing about encryption were exposed to the term and the marketing convinced them that encryption and privacy was a valuable thing, even if they didnt fully understand the mechanisms or why e2e might not necessarily be very effective in specific circumstances.

later, when presented between option a and option b, where one has encryption and the other doesnt, they are more likely to choose the one with it ("well, if instagram and facebook use it and say it is good...")

This happened to my girlfriend and me twice on Messenger. On two consecutive nights, we heard a male voice with an American accent speaking as if he were talking to someone else, almost like they were conducting some kind of operation. It seemed as though he suddenly realized that we could hear him, after which the voice abruptly disappeared. The following night, it happened again, but this time the voice sounded like that of an African American woman. The situation was similar to the previous night. From that night, we have not used it to communicate and used Signal instead.

I don't disagree, but I think there is a distinction between "everything is e2ee, but specific conversations may be MiTM without detection" and "nothing is e2ee and can be retrospectively inspected at will" that goes a little beyond security theatre - makes it more analogous to old fashioned wiretaps in my mind.

Obviously it involves trust that it isn't actually "we say it's e2ee but actually we also MiTM every conversation"

E2E encryption lets Meta turn down government subpoenas because they can say they truly don't have access to the unencrypted data.

I can't say I really mind this change by Meta that much overall though. Anyone who's serious about privacy probably knew better than to pick "Instagram chat" as their secure channel. And on the other hand having the chats available helps protect minors.

One of the scary things is that not even this really works. Ignoring supply chain attacks, most people treat any client as effectively black box. When was the last time you read through the code of a messaging app? How do you know its safe? Maybe _you_ read through it, but 99% of people don't.

wouldn't signal fall under this category (same entity control the client and server in between) but they have no way of peaking inside any envelopes?

It's all about trust at the end of the day. And given that it was exposed that Apple, Microsoft, Meta, Google etc all collaborated with the US government to provide surveillance (PRISM) by Edward Snowden, how we can trust them ever again?

>Any e2e encryption provided by the same entity who fully controls both the blackbox clients, and the server in between, is just a security theatre that they can selectively bypass anytime with very little risk of detection. Not really much better than simple client to server encryption.

You are no more capable of spotting a deliberately concealed backdoor in a binary than in source code, there's simply no meaningful difference.

the purpose of this move is to feed your private conversations to ai

It's around the same time they announced their Applied AI org under Boz, which is responsible for data for Avocado/Mango/Watermelon training now. The timing certainly doesn't help.

Protecting kids and Terrorism, always the reason why nobody is allowed to have privacy on the internet.

The sad part is, Instagram is exceptionally damaging to kids for a disjoint set of reasons.

It certainly is unsafe for their AI training corpus. Win / win if they can also lie about protecting children as a motivation.

It's bad for EVERYONE's health. Try to limit your usage and you'll feel better. I promise you'll feel better.

Protect your kids from whom? Surely not Meta, which is my main concern.

More like excuse

How these protections are working when I get served literal porn every couple of shorts on Instagram?

It was for plausible deniability because of regulatory scrutiny. Regulator's dead now, so now there's no downside and only upsides to spying on your users.

i am guessing that they just dont really need to pretend to care anymore. e2e messaging was a big marketing push, not ever an ideological thing. i assume they no longer believe the marketing benefits outweigh the downsides.

Because they realized they need the data for AI

PR. They wanted to seem like the good guys, but they get your messages through backdoors like the automatic backup.

To me, Instagram is a public platform at its core, where people publish things for the whole world to see. Private messages are just a secondary feature. It is like having a conversation in a restaurant, where the guy at the next table can listen to everything, but usually doesn't. Good enough for planning a surprise party, not for truly sensitive information. Kind of like private messages in Reddit, Discord, etc... a convenient feature, but don't expect real privacy.

Messenger has a higher expectation of privacy, Facebook is more at the "group of friends" level. While Instagram is a public restaurant, Facebook is more like a house party. WhatsApp has the highest expectation of privacy as it is designed for private, often one-to-one conversations first.

WhatsApp and Messenger are pure messaging apps. For Instagram, DMs are just a tiny part of the overall experience.

The US is building out the infrastructure for a police state. The people who control the consolidated tech platforms are either spearheading or collaborating with that process. Privacy as a concept isn't even in the cards.

You need to be prepared to avoid saying naughty things on the internet. Otherwise, perhaps someone will figure out that you great-great grandfather didn't sign in the right spot in 1897 and you're presence in the United States is void, retroactive to your birth. Off to El Salvador with you, enemy of the people.

> I'm not sure if anyone in HN has any useful advice in this regard.

Self host. It's still possible to buy computer hardware and install FOSS replacements for most/all of the services you need, and plumb it all through to your mobile devices using wireguard/tailscale. If you're behind a CGNAT you can proxy it through a cheap VPS that won't fuck you on bandwidth costs. Thanks to Proxmox, I probably have better uptime on my services than e.g. Github these days.

When it becomes impossible to get open PC hardware, I don't know. I like to think I will just stop using the internet for anything besides the bare minimum NPC type activities that are required to engage with the institutions of society.

I wonder if promoting open-source tooling and best practices could make it easier for new apps to adopt security features like E2E encryption. For example, someone building a chat app might not add E2E encryption unless they have access to user-friendly tools and are encouraged to do so.

Startups that initially choose the more private implementation version often face a disadvantage. They may not see immediate benefits and instead experience drawbacks, such as caring a bit more than their competitors. For example, an AI plugin using local large language models for privacy might not be rewarded as much as a competitor who fully embraces cloud-based solutions.

If you’re a good boy then you have nothing to hide right? Not even your passwords…

I sometimes feel a bit weird about this. In the 90s it felt like "we" won the crypto wars: PGP, the fight over export controls, the Clipper Chip, etc. There was a strong sense that privacy and strong crypto had become settled questions.

As a California resident I request to download my personal data from every service I can, and I’m constantly surprised. We each have scores for all kinds of things. The local power company keeps a “Green Ideology” score on me.

> I feel like I don't know what to do about the internet for the next 5-10 years.

Switch to decentralized, e2ee alternatives, support https://eff.org

unfortunately, since the messaging/trend isnt "we are against privacy" (it is "we are protecting children, which reluctantly means we all have to sacrifice a wee bit of privacy"), it is really hard to fight back without being labelled as someone who is against protecting children.

but the advice is basically the same as it always has been:

- talk to your friends and family about it. do it with passion, but without hyperbole or conspiracy or aggression. any person you can convince to care is a win. organize with like-minded people.

- talk to your representatives in government. vote for representatives that are pro-privacy (when possible). convince your like-minded friends and family to do the same.

- to the greatest extent possible, dont purchase/use products/services which are facilitating the trend. (but, you also need to be realistic or you will burn out! and that is a bigger loss overall).

- if you are a decision-maker at work, or have any sort of input, leverage it as best as you can to make pro-privacy business decisions. however, similar to the above point, recognize that you still need to be realistic and dont get yourself fired arguing some decision. it is better to make 1,000 nudges in the right direction than it is to be fired/burn out trying to make 1 big nudge.

- support organizations that align with your beliefs. this can be monetarily, or by volunteering, or by spreading awareness of the organization itself. for example, many people have never heard of the electronic frontier foundation and have no idea what they do. lots of people dont know of the ACLU either (or, maybe they have heard the name, but dont know what they do or why it matters).

You're on a site with a surprisingly high amount of support among commenters for trading privacy and freedom for convenience and comfort where it aligns with their religion/other biases or desired consumer experiences. I don't know if this the best place to ask for advice.

You could try becoming a privacy advocate. https://www.privacyguides.org/en/activism/

E2EE on Instagram was never real, trustable E2EE. No open-source client, no way to verify that private key is never sent to server, and encryption of a key with a low-entropy PIN is effectively plaintext.

I’m truly on the fence about all of this.

On one hand, I think a lot of the larger issues and divisions we’ve seen in society over the last 20 years are a direct result of our primary means of communication, entertainment and information being one that allows such ease of impersonation. While most of us here understand just how much Internet content is created with influence as a goal, and the posted by accounts with false identities, a majority of people still don’t. (And many who do don’t understand just how prevalent it is). I also think that sadly we’ve demonstrated that when people feel they are anonymous and beyond consequence, they’re willing to say and advocate for some terrible things which they might otherwise not have, and seeing others say those things reinforces their willingness to say and do them. If social media and internet norms of today had held the original Facebook model of requiring verification of your actual identity (back in the day .edu email days), I truly think we would live in a much different and in many ways better world.

On the other hand, I fully acknowledge that many of the people pushing for the removal of privacy and encryption are not doing so for altruistic reasons, but so that they have a more data to mine and monetize, or have the ability to monitor to a frightening degree, and that these tools once available will be available to any regime or government, so even if the ones currently pushing do have naively good intentions, the next ones very well may not.

But, I also struggle with the knowledge that for sophisticated parties, the privacy that most people think they have is a sham to begin with. There are already many tools available to piece together information sources and build a horrifyingly complex and accurate picture of individuals activities and identities. So I wonder if the illusion of privacy isn’t worse than the public at least being forced to confront the fact that they have none in the first place, and therefore being able to truly see and address the issue, while the security minded and technical individuals will always find a way obfuscate their identity and activity, just as they always have.

In this specific case you can avoid Meta. In general, if you're in the US, you probably have a primary election coming up soon and certainly have a general election in November. Ask your politicians what their thoughts are on these topics and make an informed vote. Continue to pressure the incumbents as well.

i don't understand this doomer mentality regarding the internet.

internet is a service that you choose what to engage and how. don't like a platform? find another, build it or stop using it altogether.

personally, i find these things really great has it helps nudge people into the more decentralized web. a few years ago those who were pushing for privacy respecting apps and platforms were deemed too paranoid.

It's depressing to think that after the abuses people suffered during the lockdowns the response has been to embrace authoritarianism even more. It makes me fear how far this could go before people realize how bad it is.

Fundamentally I think that liberal democracy won't be able to survive compute, communication, and storage being cheap, combined with asymmetric encryption. I really think there should be an article illustrating just how much that last one is fundamental to making the apparatus of control cheap and effective in a way that 20th century regimes could only dream of.

Some are. See simplex.chat, anytype.io.

I can think of a few reasons why a company built on profiling (and advertising to) user interests might be interested in the private conversations of their users

There is a product reason - AI features are fundamentally incompatible with E2EE. If they want to bring more AI generated experiences and content into Instagram then the data needs to be accessible by them.

I can think of some. Less code complexity to support a feature that didn't work properly and nobody was using? More ability to detect spam?

Except instead of sending through post offices, it'd probably be through "runners" like on Mirror's Edge.

Wouldn't bye bye meta be hello privacy into your life?

Probably a one off? Instagram’s e2ee was opt-in from the start- and meanwhile Facebook Messenger is now “e2ee for everyone” and none of this is affecting the main e2ee messaging apps people use - WhatsApp, Signal, and iMessage

TikTok replied recently it wouldn't encrypt its messages either, citing user security as reason.

And maybe to also have a better relationship with the government?

People catch the spooks and their exploits all the time though.

It is possible to defend against them. Maybe not on your phone though.

Unless you're actually a spy, there's no reason to do this. Just use your secure solution all the time with those conversation partners who are willing to use it.

Facebook were at both ends, the encryption was between the ends.