Instagram tests Direct Messaging on web where encryption fails – TechCrunch


Instagram will finally let you chat from your web browser, but the launch contradicts Facebook’s plan for end-to-end encryption in all its messaging apps. Today Instagram began testing Direct Messages on the web for a small percentage of users around the globe, a year after TechCrunch reported it was testing web DMs.

When fully rolled out, Instagram tells us its website users will be able to see when they’ve received new DMs, view their whole inbox, start new message threads or group chats, send photos (but not capture them), double click to Like, and share posts from your feed via Direct so you can gossip or blast friends with memes. You won’t be able to send videos but can view non-disappearing ones. Instagram’s CEO Adam Mosseri tweeted that he hopes to “bring this to everyone soon” once the kinks are worked out.

Web DMs could help office workers, students, and others stuck on a full-size computer all day or who don’t have room on their phone for another app to spend more time and stay better connected on Instagram. Direct is crucial to Instagram’s efforts to stay ahead of Snapchat, which has seen its Stories product mercilessly copied by Facebook but is still growing thanks to its rapid fire visual messaging feature that’s popular with teens.

But as Facebook’s former Chief Security Officer Alex Stamos tweeted, “This is fascinating, as it cuts directly against the announced goal of E2E encrypted compatibility between FB/IG/WA. Nobody has ever built a trustworthy web-based E2EE messenger, and I was expecting them to drop web support in FB Messenger. Right hand versus left?”

A year ago Facebook announced it planned to eventually unify Facebook Messenger, WhatsApp, and Instagram Direct so users could chat with each other across apps. It also said it would extend end-to-end encryption from WhatsApp to include Instagram Direct and all of Facebook Messenger, though it could take years to complete. That security protocol means that only the sender and recipient would be able to view the contents of a message, while Facebook, governments, and hackers wouldn’t know what was being shared.

Yet Stamos explains that historically, security researchers haven’t been able to store cryptographic secrets in JavaScript, which is how the Instagram website runs, though he admits this could be solved in the future. More problematically, Stamos points to “the model by which code on the web is distributed, which is directly from the vendor in a customizable fashion. This means that inserting a backdoor for one specific user is much much easier than in the mobile app paradigm” where attackers would have to compromise both Facebook/Instagram and either Apple or Google’s app stores.

“Fixing this problem is extremely hard and would require fundamental changes to how the WWW [world wide web] works,” says Stamos. At least we know Instagram has been preparing for today’s launch since at least February when mobile researcher Jane Manchun Wong. We’ve asked Instagram for more details on how it plans to cover web DMs with end-to-end encryption or whether they’ll be exempt from the plan. [Update: An Instagram spokesperson tells me that as with Instagram Direct on mobile, messages currently are not encrypted. The company is working on making its messaging products end-to-end encrypted, and it continues to consider ways to accomplish this.]

On encryption, on background, as with Instagram Direct on mobile, messages on web are not encrypted. We are working on making our messaging products end-to-end encrypted, and continue to consider and think through ways to do this.

Critics have called the messaging unification a blatant attempt to stifle regulators and prevent Facebook, Instagram, and WhatsApp from being broken up. Yet Facebook has stayed the course on the plan while weathering a $5 billion fine plus a slew of privacy and transparency changes mandated by an FTC settlement for its past offenses.

Personally I’m excited because it will make DMing sources via Instagram easier, and mean I spend less time opening my phone and potentially being distracted by other apps while working. Almost 10 years after Instagram’s launch and 6 years since adding Direct, the app seems to finally be embracing its position as a utility, not just entertainment.

