New Mexico’s Meta Ruling and Encryption

Published: April 6, 2026 at 03:09 PM EDT

Source: Schneier on Security

Background

Mike Masnick points out that the recent New Mexico court ruling against Meta has troubling implications for end‑to‑end encryption and security in general. The “design choices create liability” framework sounds worrisome in the abstract, and the New Mexico case provides a concrete example of where it leads in practice.

Encryption as Evidence of Negligence

One of the key pieces of evidence the New Mexico attorney general used against Meta was the company’s 2023 decision to add end‑to‑end encryption to Facebook Messenger. The argument was:

  • Predators used Messenger to groom minors and exchange child sexual abuse material.
  • By encrypting those messages, Meta made it harder for law enforcement to access evidence of those crimes.
  • Therefore, the encryption was a design choice that enabled harm.

The state is now seeking court‑mandated changes, including “protecting minors from encrypted communications that shield bad actors.” The end result could be that Meta is ordered to make everyone’s communications less secure—a terrifying prospect for all users, even those who supported the verdict.

Why Encryption Matters

End‑to‑end encryption protects billions of people from surveillance, data breaches, authoritarian governments, stalkers, and domestic abusers. It is one of the most important privacy and security tools ordinary people have. Every major security expert and civil‑liberties organization in the world has argued for stronger encryption, not weaker.

Under the “design liability” theory, implementing encryption becomes evidence of negligence because a small number of bad actors also use encrypted communications. The logic could apply to literally every communication tool ever invented. Predators also use the postal service, telephones, and in‑person conversation. The encryption itself harms no one; like infinite scroll and autoplay, it is inert without the choices of bad actors—choices made by people, not by the platform’s design.

The incentive this creates goes far beyond encryption, and it’s harmful:

  • If any product improvement that protects the majority of users can be held against a company because a tiny fraction of bad actors exploit it, companies will stop making those improvements.
  • Why add encryption if it becomes Exhibit A in a future lawsuit?
  • Why implement any privacy‑protective feature if a plaintiff’s lawyer will characterize it as “shielding bad actors”?

Impact on Corporate Practices

Some of the most damaging evidence in both trials came from internal company documents where employees raised concerns about safety risks and discussed trade‑offs. These documents were highlighted in the media and courtroom as “smoking guns.” The consequence is that companies may stop allowing anyone to raise concerns ever again—a very bad outcome.

In a sane legal environment, companies should encourage internal debates. Engineers and safety teams need to flag potential risks, wrestle with difficult trade‑offs, and document their reasoning. However, when good‑faith deliberations become plaintiff exhibits presented to a jury as proof that “they knew and did it anyway,” the rational corporate response is to stop putting anything in writing, cease risk assessments, and avoid asking hard questions internally.

Conclusion

The lesson every general counsel in Silicon Valley is learning right now: ignorance is perceived as safer than inquiry. That makes everyone less safe, not more.

The essay has a lot more: about Section 230, competition in this space, and the myopic nature of the ruling. Go read it.
