Secret conversations will only be available to a limited number of users at first, with a wider rollout planned for later this summer. The feature name “secret conversations” first surfaced in March.
Messenger’s secret conversations won’t be like WhatsApp, which offers complete end-to-end encryption (E2EE) for all messages when all users in the conversation have a compatible version of the app. Instead, secret conversations will allow Messenger users to encrypt one-on-one conversations on the fly. Group messaging will not be covered.
When encrypted, the messages will only be accessible to the two conversation participants. While the message is in transit from one device to the other, it won’t be possible for third parties—including Facebook—to decipher the message.
Facebook is also adding a Snapchat-like self-destruct setting that allows secret conversations to disappear after a predetermined amount of time. Rumors about Facebook’s plans for a Snapchat-like feature for Messenger first surfaced in May.
Each secret conversation will also exist in its own section of the app for each Messenger contact. Secret conversations will not be integrated with the main conversation thread for that person.
The biggest limitation of secret conversations is that the new feature will only work on one device. Facebook told Wired it doesn’t have a system in place to distribute encryption keys (bits of information that encrypt and decrypt messages) across multiple devices.
Secret conversations will also start with a slimmed-down feature set, leaving out support for animated GIFs, video, Facebook’s payments system, and other features.
For the encryption protocol, Facebook plans to use Open Whisper Systems’ Signal, which is also used by WhatsApp and Allo.
The story behind the story: Facebook hasn’t said whether it plans to move towards a fully encrypted Messenger or only offer the option for people who need it. As more features get added to secret conversations, and if Facebook lifts the one-device limit, the E2EE feature could become a standard part of the massive messaging platform.
If going full E2EE is indeed the final plan, it wouldn’t be the first time Facebook took a piecemeal approach to encryption. Facebook’s move to make all parts of the social network’s website SSL/TLS-compatible took several years. At first, users had to enable SSL/TLS encryption manually, and many features of the site didn’t work when early versions of the security measure were turned on.