{"id":615,"date":"2022-07-28T16:00:19","date_gmt":"2022-07-28T16:00:19","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2022\/07\/28\/five-security-principles-for-billions-of-messages-across-metas-apps\/"},"modified":"2022-07-28T16:00:19","modified_gmt":"2022-07-28T16:00:19","slug":"five-security-principles-for-billions-of-messages-across-metas-apps","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2022\/07\/28\/five-security-principles-for-billions-of-messages-across-metas-apps\/","title":{"rendered":"Five security principles for billions of messages across Meta\u2019s apps"},"content":{"rendered":"<p><span>At Meta, our messaging apps help billions of people around the world stay connected to those who matter most to them. This scale brings potential threats from criminals and hackers, so we have a responsibility to keep people and their data safe. We\u2019re sharing a set of principles to ensure that security is central to the design of our messaging apps.<\/span><\/p>\n<p><span>These are our <a href=\"https:\/\/engineering.fb.com\/wp-content\/uploads\/2022\/07\/Meta-Security-Principles-for-Private-Messaging-White-Paper-July-2022-2.pdf\">five core security principles<\/a> that guide us in developing secure private messaging apps for people:<\/span><\/p>\n<p><span>Build secure services for all<\/span><br \/>\n<span>Security by design and defense in depth<\/span><br \/>\n<span>Reduce the attack surface<\/span><br \/>\n<span>Be transparent and invite scrutiny<\/span><br \/>\n<span>Build for the future<\/span><\/p>\n<p><span>These principles serve as reference points for private messaging design decisions and complement our broader enterprise-wide information security practices.
These principles do not live in isolation, and in many cases, we are considering all five of them simultaneously as we develop our messaging apps.<\/span><\/p>\n<h2><span>Build secure services for all<\/span><\/h2>\n<p>These services are built for wide-scale use among those who use our technologies. We strive to offer intimate, feature-rich, and user-friendly services that provide secure messaging for billions of users, where only the intended recipients can access end-to-end encrypted messages.<\/p>\n<p><span>People all over the world use our messaging apps, so we strive to make them easy to use while also highly secure. Some people use our apps in low-connectivity areas, using unreliable networks and infrastructure, or only have access to devices with limited functionality, so it is important that our apps work effectively in those environments to keep everyone\u2019s private messaging secure.<\/span><\/p>\n<p><span>Additionally, people rightfully expect control over their private communications, so we provide them with the ability to validate their security where possible. At the same time, we aim to be transparent and ensure that people using our apps can hold us accountable. Finally, we work hard to give people control over how they use our apps and make it easy for them to use our security tools to help protect their accounts.<\/span><\/p>\n<h2><span>Security by design and defense in depth<\/span><\/h2>\n<p><span>Private messaging apps should be secure by design. Security should be at the forefront of how we develop the services and be layered throughout our designs \u2014 not just an afterthought.<\/span><\/p>\n<p><span>While no system can provide absolute security, we incorporate multiple layers of protection to sustain confidentiality and integrity.
It is also important for us to understand our apps end-to-end, meaning we take into account each layer of the service when building security into our products \u2013 in particular, points where data could be stored. When designing our apps, we use secure-by-default frameworks so that security is incorporated from the outset. These frameworks make it harder to adopt unsafe approaches that might inadvertently undermine security and privacy.<\/span><\/p>\n<h2><span>Reduce the attack surface<\/span><\/h2>\n<p><span>We want to minimize the opportunities for unauthorized access to people\u2019s data, including by us. We work to limit the data we collect and reduce the risk of vulnerabilities by limiting complexity in our designs.<\/span><\/p>\n<p><span>Where we do need to collect data to deliver services, we anonymize or pseudonymize it wherever appropriate. We also strive to limit complexity for our engineers to reduce the likelihood of introducing bugs that may impact privacy or security.<\/span><\/p>\n<h2><span>Be transparent and invite scrutiny<\/span><\/h2>\n<p><span>We work to build transparency into our services and, where possible, give people the ability to validate their security. We aim to give experts the ability to discuss our security tools and processes, continually share our challenges and plans, and empower the wider security community to help critique, develop, and protect our services. We\u2019ll continue to engage directly with stakeholders on these issues through roundtables with privacy experts, responding to external papers on what we do, and publishing our own whitepapers.<\/span><\/p>\n<p><span>We also encourage and reward independent researchers for finding any impactful security vulnerabilities through our <\/span><a href=\"https:\/\/about.fb.com\/news\/2021\/12\/expanding-bug-bounty-program-to-address-scraping\/\" target=\"_blank\" rel=\"noopener\"><span>bug bounty program<\/span><\/a><span>.<\/span><\/p>\n<h2><span>Build for the future<\/span><\/h2>\n<p><span>Developing secure services is an evolution. We must build our services with the ability to move quickly to remediate attacks (or other vulnerabilities), incorporate new technological developments, and address upcoming threats.<\/span><\/p>\n<p><span>We want everyone who uses our messaging apps to feel comfortable and secure. By sharing the five principles that ensure security is always top of mind, we hope to create transparency and clarity on our process for developing our private messaging apps while innovating and improving our security.
Our dedication to finding and dealing with security issues has allowed us to support billions of people and their messages globally.<\/span><\/p>\n<h2><span>Learn more about our security principles<\/span><\/h2>\n<p><span>You can read more about our security principles in our <a href=\"https:\/\/engineering.fb.com\/wp-content\/uploads\/2022\/07\/Meta-Security-Principles-for-Private-Messaging-White-Paper-July-2022-2.pdf\" target=\"_blank\" rel=\"noopener\">whitepaper<\/a>.<\/span><\/p>\n<p>The post <a href=\"https:\/\/engineering.fb.com\/2022\/07\/28\/security\/five-security-principles-for-billions-of-messages-across-metas-apps\/\">Five security principles for billions of messages across Meta\u2019s apps<\/a> appeared first on <a href=\"https:\/\/engineering.fb.com\/\">Engineering at Meta<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At Meta, our messaging apps help billions of people around the world stay connected to those who matter most to them. This scale brings potential threats from criminals and hackers, so we have a responsibility to keep people and their data safe.
We\u2019re sharing a set of principles to ensure that security is central to&hellip; <a class=\"more-link\" href=\"https:\/\/fde.cat\/index.php\/2022\/07\/28\/five-security-principles-for-billions-of-messages-across-metas-apps\/\">Continue reading <span class=\"screen-reader-text\">Five security principles for billions of messages across Meta\u2019s apps<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-615","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=615"}],"version-history":[{"count":0,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/615\/revisions"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}