
Instagram messages on the web could pose an encryption challenge



Facebook is building end-to-end encryption for all its messaging apps — and that’s a very tall order on the web


Illustration by Alex Castro / The Verge

It’s a relatively slow week on the platforms-and-democracy beat, so let’s talk about something small but fascinating in its own way: the arrival of Instagram messages on the web.

An unfortunate thing about being a xennial who grew up using (and loving) the world wide web is that most developers no longer build for it. Over the past 15 years, mobile phones became more popular than desktop computers ever were, and the result is that web development has entered a slow but seemingly inexorable decline. At the same time, like most journalists, I spend all day working on that same web. And with each passing year, the place where I do most of my work seems a little less vital.

This all feels particularly true when it comes to communications tools. Once, every messaging kingdom was united with a common API, allowing us to gather our conversations into a single place. (Shout out to Adium.) But today, our messages are often scattered across a dozen or more corporate inboxes, and accessing them typically requires picking up your phone and navigating to a separate app.

As a result, I spend a lot of time typing on a glass screen, where I am slow and typo-prone, rather than on a physical keyboard, where I’m lightning-quick. And each time I pick up my phone to respond to a message on WhatsApp, or Snapchat, or Signal, I inevitably find a notification for some other app, and the next thing I know 20 minutes have passed.

All of which is to say, I was extremely excited today to see Instagram’s announcement that it had begun rolling out direct messages on the web. (The company gave me access to the feature, and it’s glorious.) Here’s Ashley Carman at The Verge:

Starting today, a “small percentage” of the platform’s global users will be able to access their DMs from Instagram’s website, which should be useful for businesses, influencers, and anyone else who sends lots of DMs, while also helping to round out the app’s experience across devices. Today’s rollout is only a test, the company says, and more details on a potential wide-scale rollout will come in the future.

The direct messaging experience will be essentially the same through the browser as it is on mobile. You can create new groups or start a chat with someone either from the DM screen or a profile page; you can also double-tap to like a message, share photos from the desktop, and see the total number of unread messages you have. You’ll be able to receive desktop DM notifications if you enable notifications for the entire Instagram site in your browser.

Instagram didn’t state a strategic rationale for the move, but it makes sense in a world that is already moving toward small groups and private communication. Messengers win in part by being ubiquitous, and even if deskbound users like myself are in the minority, Facebook can only grab market share from rivals if it’s everywhere those rivals can be found. (iMessage and Signal, for example, have long been usable on desktop as well as mobile devices.)

Now, thanks to this move, I can make greater use of Instagram as both a social and reporting tool, and the web itself feels just a bit more vital. All of which is good news — but, asks former Facebook security chief Alex Stamos, is it secure? After all, Facebook is in the midst of a significant shift toward private, end-to-end encrypted messaging, with plans to create a single, encrypted backend for all of its messaging apps.

Stamos went on to highlight two core challenges in making web-based communications secure. One is securely storing cryptographic information in JavaScript, the lingua franca of the web. (This problem is being actively worked on, Stamos notes.) The second is that the nature of the web would allow a company to create a custom backdoor targeting an individual user — if compelled by a government, say. For that, there are few obvious workarounds.

One alternative is to take the approach that Signal and Facebook-owned WhatsApp have, and create native or web-based apps. As security researcher Saleem Rashid told me, the web version of WhatsApp generates a public key in the browser using JavaScript, then encodes it in a QR code that a user scans with their phone. This creates an encrypted tunnel between the web and the smartphone, and so long as the JavaScript involved in generating the key is not malicious, WhatsApp should not be able to decrypt any of the messages.
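
To make the pairing flow Rashid describes concrete, here is an added sketch; it is not WhatsApp's code or its actual protocol. It assumes X25519 key agreement, HKDF-SHA256 and AES-256-GCM, uses Node's crypto module so it runs offline (a browser would use the Web Crypto API), and every name and payload in it is constructed for illustration.

```javascript
// Added illustration: NOT WhatsApp's real protocol. X25519, HKDF-SHA256 and
// AES-256-GCM are assumed primitives; all names and payloads are constructed.
const crypto = require('node:crypto');

// Browser side: generate a key pair and put only the public half in the QR payload.
function browserCreatePairing() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  const qrPayload = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { privateKey, qrPayload };
}

// Both sides: ECDH with the peer's public key, then HKDF to a 32-byte AES key.
function deriveSessionKey(myPrivateKey, peerPublicB64) {
  const peer = crypto.createPublicKey({
    key: Buffer.from(peerPublicB64, 'base64'), type: 'spki', format: 'der' });
  const shared = crypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peer });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'pairing-demo', 32));
}

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function decrypt(key, { iv, body, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// Phone scans the QR, answers with its own public key, and sends a message.
function runPairingDemo() {
  const browser = browserCreatePairing();
  const phone = crypto.generateKeyPairSync('x25519');
  const phonePublicB64 = phone.publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const phoneKey = deriveSessionKey(phone.privateKey, browser.qrPayload);
  const browserKey = deriveSessionKey(browser.privateKey, phonePublicB64);
  const relayed = encrypt(phoneKey, 'hello from the phone'); // all the relay server sees
  // A relay holding neither private key can only guess; GCM rejects a wrong key.
  let relayCanRead = true;
  try { decrypt(crypto.randomBytes(32), relayed); } catch { relayCanRead = false; }
  return { received: decrypt(browserKey, relayed), relayCanRead };
}
```

The guarantee holds only while the browser's private key stays inside honest JavaScript, which is the condition the paragraph above attaches to it.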

When I asked Instagram about how it plans to square the circle between desktop messages and encryption, the company declined to comment. I’m told that it still plans to build encryption into its products, and is still working through exactly how to accomplish this.

Granted, when I think of the tasks that I hope Facebook accomplishes this year, encrypted Instagram DMs are low on the list. But with our authoritarian president browbeating Apple today for failing to unlock a suspected criminal’s phone, the stakes for all this are relatively clear. We will either have good encrypted messaging backed by US corporations, or we won’t. As Apple put it this week:

“We have always maintained there is no such thing as a backdoor just for the good guys,” the company explained. “Backdoors can also be exploited by those who threaten our national security and the data security of our customers. ... We feel strongly encryption is vital to protecting our country and our users’ data.”

On one level, today’s Instagram news is a small story about a niche feature. But in the background, questions about the security of our private communications are swirling. Which should give us all reason to watch Facebook’s next moves here very closely.

The Ratio

Today in news that could affect public perception of the big tech platforms.

🔽 Trending down: Facebook said it doesn’t need to change its web-tracking services to comply with California’s new consumer-privacy law. The company’s rationale is that routine data transfers about consumers don’t fit the law’s definition of “selling” data. The move puts it at odds with Google, which is taking the opposite tack.

🔽 Trending down: Grindr, OkCupid and Tinder are sharing sensitive user data like dating choices and precise location to advertisers in ways that may violate privacy laws, according to a new report. I don’t want to downplay that, but if you think that data is sensitive, you should see the average Grindr user’s DMs.


Two days before the UK election in December, some 74,000 political advertisements vanished from Facebook’s Ad Library, a website that serves as an archive of political and issue ads run on the platform. The company said a bug wiped 40 percent of all political Facebook ads in the UK from the public record. Rory Smith at BuzzFeed has the story:

In the wake of the failure during the UK elections, Facebook said it had launched a review of how to prevent these issues, as well as how to communicate them more clearly.

But the events of Dec. 10 are not the first time Facebook’s Ad Library has failed since its launch in May 2018. The API, which is supposed to give researchers greater access to data than the library website, went live in March 2019 and ran into trouble within weeks of the European Parliament election in May. Researchers have been documenting a myriad of issues ever since.

The platform also drew the ire of researchers when it failed to deliver the data it promised as part of a partnership with the nonprofit Social Science Research Council and Social Science One, a for-profit initiative run by researchers — a project that was funded by several large US foundations. Facebook said it remains committed to providing data to researchers, but the SSRC and funders have begun withdrawing from the project due to the company’s delays.

Russian military hackers may have been boring into the Ukrainian gas company at the center of the impeachment inquiry, where Hunter Biden served on the board. Experts say the timing and scale of the attacks suggest that the Russians could be searching for potentially embarrassing material on the Bidens, similar to what Trump was looking for. On Twitter, security experts like Facebook’s Nathaniel Gleicher have urged caution when writing about this story, arguing that the case for attribution to Russia is thin. (Nicole Perlroth and Matthew Rosenberg / The New York Times)

There’s been an explosion of online disinformation, including the use of doctored images, from politicians. They do it for a simple reason: It’s effective at spreading their messages, and so far none have paid a price for trafficking in bogus memes. (Drew Harwell / The Washington Post)

Artificial personas, in the form of AI-driven text generation and social-media chatbots, could drown out actual human discussions on the internet, experts warn. They say the issue could manifest itself in particularly frightening ways during an election. (Bruce Schneier / The Atlantic)

The Treasury Department unveiled new rules designed to increase scrutiny of foreign investors whose potential stakes in US companies could pose a national security threat. The rules are focused on businesses that handle personal data, and come after the United States has heightened scrutiny of foreign involvement in apps such as Grindr and TikTok. (Katy Stech Ferek / The Wall Street Journal)

The Harvard Law Review just floated the idea of adding 127 more states to the union. These states would add enough votes in Congress to rewrite the Constitution by passing amendments aimed at making every vote count equally. Worth a read. (Ian Millhiser / Vox)

The New York Times editorial board interviewed Bernie Sanders on how he plans to carry out his ambitious policy ideas if faced with the Republican-led Senate that stymied so many of President Barack Obama’s proposals. Notably, he says he’s not an Amazon Prime customer and tries never to use any apps.

Workers for grocery delivery platform Instacart are organizing a national boycott of the company next week to push for the reinstatement of a 10 percent default tip on all orders. One of 2020’s big stories is going to be tech-focused labor movements; this is but the latest example. (Kim Lyons / The Verge)

Microsoft CEO Satya Nadella strongly criticized a new citizenship law that the Indian government passed last month. The law, known as the Citizenship Amendment Act, fast-tracks Indian citizenship for immigrants from most major South Asian religions except Islam. India is Nadella’s birthplace, and one of Microsoft’s largest markets, making his comments all the more notable. (Pranav Dixit / BuzzFeed)


Facebook’s push into virtual reality has resulted in a slew of new patents, mostly for heads-up displays. The company won 64 percent more patents in 2019 than in 2018. Christopher Yasiejko and Sarah Frier at Bloomberg explain what this might mean:

The breadth of Facebook’s patent growth, said Larry Cady, a senior analyst with IFI, resembled that of intellectual-property heavyweights Inc. and Apple Inc., which were No. 9 and No. 7, respectively, with each winning more than twice as many patents as the social media titan. Facebook’s largest numbers were in categories typical of Internet-based computer companies -- data processing and digital transmission, for example -- but its areas of greatest growth were in more novel categories that may suggest where the company sees its future.

Facebook’s 169 patents in the Optical Elements category marked a nearly six-fold jump. Most of that growth stems from the Heads-Up Displays sub-category, which Cady said probably is related to virtual-reality headsets. Facebook owns the VR company Oculus and in November acquired the Prague-based gaming studio behind the popular Beat Saber game. One such patent, granted Nov. 5, is titled “Compact head-mounted display for artificial reality.”

Popular “e-boys” on TikTok are nabbing fashion and entertainment deals. They’re known mostly for making irony-steeped videos of themselves in their bedrooms wearing tragically hip outfits composed of thrifted clothes. Some observers predict that top e-boys will have success reminiscent of the boy bands of yore. (Rebecca Jennings / Vox)

YouTube signed three video stars — Lannan “LazarBeam” Eacott, Elliott “Muselk” Watkins and Rachell “Valkyrae” Hofstetter — to combat Amazon’s Twitch and Facebook. Exclusive deals for top video game streamers have been one of the big tech stories of the year so far. (Salvador Rodriguez / CNBC)

Uncanny Valley, Anna Wiener’s beautiful memoir about life working at San Francisco tech companies, is out today. Kaitlyn Tiffany has a great interview with Wiener in the Atlantic. Read this book and stay tuned for news about an Interface Live event with Wiener in San Francisco next month!

Mark Bergen, friend of The Interface and a journalist at Bloomberg, is writing a book about YouTube titled Like, Comment, Subscribe. Bergen is a former Recode colleague and ace YouTube reporter, and this book will be a must-read in our world. (Kia Kokalitcheva / Axios)

The Information published a Twitter org chart that identifies the company’s 66 top executives, including the nine people who report directly to CEO Jack Dorsey. (Alex Heath / The Information)

A new app called Doublicat allows users to put any face on a GIF in seconds, essentially allowing them to create deepfakes. The app launches just as prominent tech companies like Facebook and Reddit ban deepfakes almost completely. (Matthew Wille / Input)

And finally...

Wired got Jack Dorsey to do 11 minutes of Twitter tech support on video. Enjoy!

Talk to us

Send us tips, comments, questions, and web-based DMs: and