Instagram tests Direct Messaging on web where encryption fails

Instagram will finally let you chat from your web browser, but the launch contradicts Facebook’s plan for end-to-end encryption in all its messaging apps. Today Instagram began testing Direct Messages on the web for a small percentage of users around the globe, a year after TechCrunch reported it was testing web DMs.

When fully rolled out, Instagram tells us its website users will be able to see when they’ve received new DMs, view their whole inbox, start new message threads or group chats, send photos (but not capture them), double click to Like and share posts from their feed via Direct so they can gossip or blast friends with memes. You won’t be able to send videos, but can view non-disappearing ones. Instagram’s CEO Adam Mosseri tweeted that he hopes to “bring this to everyone soon” once the kinks are worked out.

Web DMs could help office workers, students and others stuck on a full-size computer all day or who don’t have room on their phone for another app to spend more time and stay better connected on Instagram. Direct is crucial to Instagram’s efforts to stay ahead of Snapchat, which has seen its Stories product mercilessly copied by Facebook but is still growing thanks to its rapid fire visual messaging feature that’s popular with teens.

But as Facebook’s former Chief Security Officer Alex Stamos tweeted, “This is fascinating, as it cuts directly against the announced goal of E2E encrypted compatibility between FB/IG/WA. Nobody has ever built a trustworthy web-based E2EE messenger, and I was expecting them to drop web support in FB Messenger. Right hand versus left?”

A year ago Facebook announced it planned to eventually unify Facebook Messenger, WhatsApp and Instagram Direct so users could chat with each other across apps. It also said it would extend end-to-end encryption from WhatsApp to include Instagram Direct and all of Facebook Messenger, though it could take years to complete. That security protocol means that only the sender and recipient would be able to view the contents of a message, while Facebook, governments and hackers wouldn’t know what was being shared.

Yet Stamos explains that historically, security researchers haven’t been able to store cryptographic secrets in JavaScript, which is how the Instagram website runs, though he admits this could be solved in the future. More problematically, Stamos writes that “the model by which code on the web is distributed, which is directly from the vendor in a customizable fashion. This means that inserting a backdoor for one specific user is much much easier than in the mobile app paradigm,” where attackers would have to compromise both Facebook/Instagram and either Apple or Google’s app stores.

“Fixing this problem is extremely hard and would require fundamental changes to how the WWW [world wide web] works” says Stamos. At least we know Instagram has been preparing for today’s launch since at least February when mobile researcher Jane Manchun Wong alerted us. We’ve asked Instagram for more details on how it plans to cover web DMs with end-to-end encryption or whether they’ll be exempt from the plan. [Update: An Instagram spokesperson tells me that as with Instagram Direct on mobile, messages currently are not encrypted. The company is working on making its messaging products end-to-end encrypted, and it continues to consider ways to accomplish this.]

Critics have called the messaging unification a blatant attempt to stifle regulators and prevent Facebook, Instagram and WhatsApp from being broken up. Yet Facebook has stayed the course on the plan while weathering a $5 billion fine plus a slew of privacy and transparency changes mandated by an FTC settlement for its past offenses.

Personally, I’m excited, because it will make DMing sources via Instagram easier, and mean I spend less time opening my phone and potentially being distracted by other apps while working. Almost 10 years after Instagram’s launch and six years since adding Direct, the app seems to finally be embracing its position as a utility, not just entertainment.